Ukuba semngciphekweni okwakukhona iminyaka eli-12 kwi-polkit kwavumela amalungelo akhethekileyo okufunyanwa 

Kwiintsuku ezimbalwa ezidlulileyo iindaba zavela ukuba Iqela lophando lwe-Qualys lifumanise ukuba semngciphekweni korhwaphilizo lwenkumbulo kwi-polkit pkexec, inkqubo ye-SUID yeengcambu efakwe ngokungagqibekanga kuzo zonke izinikezelo ezinkulu zeLinux.

Obu bungozi zisebenziseka ngokulula ivumele nawuphi na umsebenzisi ongelolungelo ukufumana amalungelo apheleleyo engcambu kumamkeli obuthathaka ngokusebenzisa obu buthathaka kuqwalaselo lwayo olungagqibekanga.

ipholiti (eyayisaziwa njengePolicyKit) licandelo lolawulo lwamalungelo enkqubo ngokubanzi kwiinkqubo zokusebenza ezifana ne-Unix. Ibonelela ngendlela elungelelanisiweyo yeenkqubo ezingenawo amalungelo ukunxibelelana neenkqubo ezinelungelo, kunye kuyenzeka kwakhona ukusebenzisa i-polkit ukusebenzisa imiyalelo ngamalungelo aphezulu usebenzisa umyalelo we-pkexec olandelwa ngumyalelo ecetyelwe ukuwuqhuba (ngemvume yengcambu).

Malunga nokuba sesichengeni

Ukuba sesichengeni ilele kwi pkexec, kuhle ikhowudi yakho iqulethe impazamo yokuphatha isalathisi, ezinye zazo gqiba ukubhekisa iindawo zenkumbulo ekungafanelanga ukuba zizenze. Ngokuxhaphaza esi siphene, kunokwenzeka ukuba ufumane amalungelo omlawuli phantse ngoko nangoko.

Ifakwe kwi-CVE-2021-4034, ukuba sesichengeni kufumene amanqaku e-CVSS ye-7,8 kwaye iqela le-Qualys lichaze kwiposti yebhlog ukuba:

Isiphene se-pkexec sivula ucango lweengcambu zamalungelo kumhlaseli. Abaphandi be-Qualys, wathi, babonise ukuxhaphazwa kofakelo olungagqibekanga lwe-Ubuntu, i-Debian, i-Fedora kunye ne-CentOS, kunye nolunye unikezelo lwe-Linux kukholelwa ukuba lusesichengeni.

“Ukuxhaphazwa okuyimpumelelo kobu buthathaka kuvumela nawuphi na umsebenzisi ongenalo ilungelo ukuba afumane amalungelo awodwa kumamkeli obuthathaka. Abaphandi bokhuseleko be-Qualys bakwazile ukuzimela ngokuzimeleyo ukuba semngciphekweni, baphuhlise ukuxhaphaza, kwaye bafumane amalungelo apheleleyo eengcambu kufakelo olungagqibekanga lwe-Ubuntu, Debian, Fedora, kunye ne-CentOS. Ezinye izinikezelo zeLinux zisesichengeni kwaye ziyasebenziseka. Olu buthathaka lufihliwe iminyaka engaphezu kwe-12 kwaye luchaphazela zonke iinguqulelo ze-pkexec ukususela ekukhululweni kwayo okokuqala ngoMeyi 2009 (qinisekisa i-c8c3d83, "Yongeza i-pkexec (1) umyalelo").

"Kamsinya nje ukuba iqela lethu lophando liqinisekise ukuba sesichengeni, i-Qualys izibophelele ekuvezeni uxanduva lokubhengeza ubuthathaka kwaye ilungelelaniswe nabathengisi kunye nokuhanjiswa kwemithombo evulekileyo ukubhengeza ukuba sesichengeni."

Ingxaki yenzeka xa umsebenzi ongundoqo () nge pkexec qhubekisa iingxoxo zomgca womyalelo kwaye argc nguziro. Umsebenzi usazama ukufikelela kuluhlu lwempikiswano kwaye igqibezela ngokuzama ukusebenzisa i rgvvoid (ARGument Vector yomgca womyalelo imitya yengxabano). Ngenxa yoko, imemori ifundwa kwaye ibhalwe ngaphandle kwemida, apho umhlaseli angasebenzisa ukujova ukuguquguquka kwendawo enokubangela ukuba ikhowudi engafanelekanga ilayishwe.

Inyaniso yokuba ezi ziguquko zinokuphinda zifakwe kwakhona yenza ukuba ikhowudi ibe sengozini. Ubuncinci ubuchule bokuxhaphaza obunikezelwa yi-Qualys (ukutofa i-GCONV_PATH eguquguqukayo kwindawo ye-pkexec ukuqhuba ithala leencwadi ekwabelwana ngalo njengengcambu) ishiya umkhondo kwiifayile zelog.

Kwingcebiso yokhuseleko, iRed Hat ikhuphe le ngxelo ilandelayo:

"I-Red Hat iyazi ngobungozi obufunyenwe kwi-pkexec evumela umsebenzisi oqinisekisiweyo ukuba enze uhlaselo olunelungelo."

“Owona mngcipheko uphambili kubathengi lithuba lokuba umsebenzisi ongekho sikweni afumane amalungelo olawulo kwiinkqubo ezichaphazelekayo. Umhlaseli kufuneka abe nokufikelela ngokungena kwinkqubo ekujoliswe kuyo ukwenza uhlaselo."

Kufanelekile ukuba ukhankanye loo nto ukuba sesichengeni sele kuchongiwe ngo-2013 kwaye ichazwe ngokweenkcukacha kwiposti yebhlog, nokuba akukho PoC ibinikiwe:

"Lol, ndibhale malunga nobu buthathaka be-polkit kwi-2013. Andizange ndifumane indlela yokwenyani yokuxhaphaza, kodwa ndiye ndachonga oyena nobangela."

Okokugqibela ukuba unomdla wokwazi ukuba malunga nayo, ungabonisana neenkcukacha kwi ukulandela ikhonkco.


Shiya uluvo lwakho

Idilesi yakho ye email aziyi kupapashwa. ezidingekayo ziphawulwe *

*

*

  1. Inoxanduva lwedatha: I-AB Internet Networks 2008 SL
  2. Injongo yedatha: Ulawulo lwe-SPAM, ulawulo lwezimvo.
  3. Umthetho: Imvume yakho
  4. Unxibelelwano lwedatha: Idatha ayizukuhanjiswa kubantu besithathu ngaphandle koxanduva lomthetho.
  5. Ukugcinwa kweenkcukacha
  6. Amalungelo: Ngalo naliphi na ixesha unganciphisa, uphinde uphinde ucime ulwazi lwakho.