UKevin Backhouse (umcwaningi wezokuphepha) kwabiwe ezinsukwini ezimbalwa ezedlule kubhulogi yeGitHub inothi ukuthi uhlangabezane nephutha kusevisi ye-polkit kuhlotshaniswa ne-systemd (uhlelo olujwayelekile lwe-Linux kanye nengxenye yomphathi wesevisi), lapho kuba sengcupheni eneminyaka eyisikhombisa lokho uvunyelwe ukwenza ukwanda kwamalungelo ebikade icashe ekusatshalalisweni okuhlukahlukene kweLinux futhi ebimakwe ngesonto eledlule ekukhishweni okuhlelekile.
IPolkit iyithuluzi lamathuluzi elisezingeni lokusebenza lokuchaza nokuphatha inqubomgomo evumela ukuthi izinqubo ezingavikelekile Khuluma nezinqubo ezinelungelo, ifaka ngokuzenzakalela ekusatshalalisweni kwe-Linux okuhlukahlukene. Ukuba sengozini kwalethwa enguqulweni engu-0.113 eminyakeni eyisikhombisa eyedlule (yenza i-bfa5036) futhi yalungiswa ngoJuni 3 ngemuva kokudalulwa kwayo kwakamuva ngumcwaningi wezokuphepha uKevin Backhouse.
Njengelungu leGitHub Security Lab, umsebenzi wami ukusiza ukuthuthukisa ukuphepha kwesoftware yomthombo ovulekile ngokuthola nokubika ubungozi. Emasontweni ambalwa edlule, ngithole ukuba sengozini yokwanda kokukhula epolkit. Ukudalulwa kokungcupheka okuhlelekile nabagcini be-polkit nethimba lezokuphepha likaRed Hat. Ikhishwe esidlangalaleni, ukulungiswa kwalungiswa ngoJuni 3, 2021 futhi kwabelwa i-CVE-2021-3560
"Zonke izinhlelo zeLinux ezisebenzisa uhlobo olusengozini ye-polkit kungenzeka zichayeke ekuhlaselweni okuxhaphaza iphutha le-CVE-2021-3560," kusho uBackhouse. uthi iphutha lilula ukuxhashazwa, ngoba idinga kuphela imiyalo embalwa kusetshenziswa amathuluzi wokugcina ajwayelekile afana ne-bash, kill, ne-dbus-send.
"Ukuba sengozini kubangelwa ukuqala komyalo we-dbus-send, kodwa ukuyibulala ngenkathi i-polkit isacubungula isicelo," kuchaza uBackhouse.
Indlu yokugcina izimpahla uthumele ividiyo I-PoC yokuhlaselwa okusebenzisa lobu bucayi okukhombisa ukuthi kulula ukwenza kusebenze.
“Ukuba sengozini kuvumela umsebenzisi wasendaweni ongenalungelo ukuthola igobolondo lempande kuhlelo. Kulula ukuxhaphaza ngamathuluzi athile womugqa womyalo, njengoba ubona kule vidiyo emfushane, 'kubhala uchwepheshe kokuthunyelwe kwebhulogi.
Lapho kubulawa i-dbus-send (umyalo wokuxhumana phakathi kwezinqubo), maphakathi nesicelo sokufakazela ubuqiniso kubangela iphutha Okuqhamuka kupolkit ecela i-UID yokuxhuma engasekho (ngoba ukuxhumana kuyekiwe).
"Empeleni, ipolkit iliphatha ngendlela engafanele iphutha ngendlela engeyinhle: esikhundleni sokwenqaba isicelo, isithatha njengokungathi sivela kwinqubo ne-UID 0," kuchaza uBackhouse. "Ngamanye amagama, isicelo usigunyaza ngokushesha ngoba ucabanga ukuthi isicelo sivela enqubeni yezimpande."
Lokhu akwenzeki ngaso sonke isikhathi, ngoba umbuzo we-UID we-polkit ku-dbus-daemon uvela kaningi ezindleleni ezahlukahlukene zekhodi. Imvamisa lezo zindlela zekhodi zisingatha iphutha kahle, kusho uBackhouse, kepha indlela yekhodi isengozini, futhi uma ukunqamuka kwenzeka lapho leyo ndlela yekhodi isebenza, khona-ke ukuphakama kwelungelo kwenzeka. Konke kuyindaba yesikhathi, ehluka ngezindlela ezingalindelekile ngoba izinqubo eziningi ziyabandakanyeka.
Futhi, umcwaningi ushicilele leli thebula elilandelayo equkethe uhlu lokusatshalaliswa okusengcupheni njengamanje:
| UKUSABALALANISWA | SENGCENZEKENI? |
|---|---|
| RHEL 7 | Cha |
| RHEL 8 | Yebo |
| I-Fedora 20 (noma ngaphambili) | Cha |
| I-Fedora 21 (noma kamuva) | Yebo |
| I-Debian 10 ("buster") | Cha |
| Ukuhlolwa kwe-Debian | Yebo |
| Ubuntu 18.04 | Cha |
| Ubuntu 20.04 | Yebo |
Ukusatshalaliswa kweLinux ene-polkit version 0.113 noma efakwe kamuva, njengeDebian (igatsha elingazinzile), i-RHEL 8, i-Fedora 21 nangaphezulu, ne-Ubuntu 20.04, kuyathinteka.
Ubunjalo bezinambuzane, uBackhouse ucabanga, yisizathu sokuthi zingatholakali iminyaka eyisikhombisa.
"I-CVE-2021-3560 ivumela umhlaseli wendawo ongenalungelo lokuthola amalungelo," kusho uBackhouse. "Ilula kakhulu futhi iyashesha ukuxhaphaza, ngakho-ke kubalulekile ukuthi ubuyekeze ukufakwa kwakho kwe-Linux ngokushesha okukhulu."
Okokugcina Uma unesifiso sokwazi okwengeziwe ngakho, ungabheka imininingwane Kulesi sixhumanisi esilandelayo.