A vulnerability more than 15 years old in Netfilter allowed privilege escalation

A few days ago, news was released that a vulnerability has been identified in Netfilter (a Linux kernel subsystem used to filter and modify network packets), which allows a local user to gain root privileges on the system, even from inside an isolated container.

The vulnerability, CVE-2021-22555, is a problem that has existed since kernel 2.6.19, released 15 years ago, and is caused by a bug in the IPT_SO_SET_REPLACE and IP6T_SO_SET_REPLACE handlers, which causes a buffer overflow when specially crafted parameters are sent through the setsockopt call in compat mode.

Perhaps many at this point will wonder how a flaw in the Linux kernel could go unnoticed for so long. The answer is that, although the flaw had been present since Linux 2.6.19, the vulnerability was found through code auditing, even though the C code was not reproducible, so it could not be exploited because the resources needed to escalate privileges were not available at that time.

For example, support for unprivileged user namespaces is in kernel 3.8. Also, some distributions have a patch that adds a sysctl to disable unprivileged user namespaces.

Under normal circumstances, only the root user can call compat_setsockopt(), but the permissions needed to carry out the attack can also be obtained by an unprivileged user on systems with user namespaces enabled.

CVE-2021-22555 is a 15-year-old stack out-of-bounds write vulnerability in Linux Netfilter that is powerful enough to bypass all modern security mitigations and achieve kernel code execution.

Thus, it is described that a local user can create a container with a separate root user and exploit the vulnerability from there. For example, "user namespaces" are enabled by default on Ubuntu and Fedora, but not on Debian and RHEL.
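A defender's check for the user-namespace precondition described above, as an added example that is not part of the original article. The sysctl names `user.max_user_namespaces` (upstream kernels) and `kernel.unprivileged_userns_clone` (the distribution patch, e.g. on Debian and Ubuntu) are not named in the article, and the function names and the optional root-directory argument are hypothetical.

```shell
#!/bin/sh
# Added example (not from the article): is the unprivileged user namespace
# precondition for CVE-2021-22555 reachable on this host?
# Assumed knobs: user.max_user_namespaces (upstream) and
# kernel.unprivileged_userns_clone (distribution patch, e.g. Debian/Ubuntu).

# userns_exposure [SYSCTL_ROOT] -> prints enabled | disabled | unknown
userns_exposure() {
    root="${1:-/proc/sys}"
    max_file="$root/user/max_user_namespaces"
    clone_file="$root/kernel/unprivileged_userns_clone"
    seen=0
    # A limit of 0 forbids creating any user namespace.
    if [ -r "$max_file" ]; then
        seen=1
        if [ "$(cat "$max_file")" = "0" ]; then echo disabled; return 0; fi
    fi
    # The patched-in knob: 0 blocks creation by unprivileged users only.
    if [ -r "$clone_file" ]; then
        seen=1
        if [ "$(cat "$clone_file")" = "0" ]; then echo disabled; return 0; fi
    fi
    # Neither knob present: the kernel may predate or lack user namespaces.
    if [ "$seen" -eq 1 ]; then echo enabled; else echo unknown; fi
}

# userns_hardening_line [SYSCTL_ROOT] -> prints the sysctl.d line that closes
# the precondition, preferring the narrower distribution knob when present.
userns_hardening_line() {
    root="${1:-/proc/sys}"
    if [ -e "$root/kernel/unprivileged_userns_clone" ]; then
        echo "kernel.unprivileged_userns_clone = 0"
    elif [ -e "$root/user/max_user_namespaces" ]; then
        # Caveat: this also disables rootless containers and browser sandboxes.
        echo "user.max_user_namespaces = 0"
    fi
}

echo "unprivileged user namespaces: $(userns_exposure)"
```

Disabling user namespaces only removes the unprivileged path to the bug; the fix itself is the updated kernel package from the distribution.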

This vulnerability can be exploited by partially overwriting the m_list->next pointer of the msg_msg structure and achieving a use-after-free. This is powerful enough to get kernel code execution while bypassing KASLR, SMAP, and SMEP.

Also, the problem arises in the xt_compat_target_from_user() function because of an incorrect memory size calculation when kernel structures are saved after conversion from the 32-bit to the 64-bit representation.

As a result, it is mentioned that the bug allows four "zero" bytes to be written to any position outside the allocated buffer, limited by offset 0x4C. It is also mentioned that this feature turned out to be enough to create an exploit that obtains root privileges: by clearing the m_list->next pointer in the msg_msg structure, conditions were created for accessing data after the memory had been freed (use-after-free), which was then used to obtain information about addresses and changes to other structures by manipulating the msgsnd() system call.

As for the bug report, as with any vulnerability that is found, this involved a process: the report was made to the kernel developers in April, after which the bug was fixed within a few days and the patch was included in all supported distributions, so that information about the bug could be released later.

The Debian, Arch Linux, and Fedora projects have already released package updates. Updates for Ubuntu, RHEL, and SUSE are in the works. Because the bug is serious, exploitable in practice, and allows escaping from a container, Google valued its discovery at $10,000 and doubled the reward to the researcher who found the vulnerability and identified a method to bypass the isolation of Kubernetes containers in the kCTF cluster.

For testing, a working prototype of the exploit has been prepared that bypasses the KASLR, SMAP, and SMEP protection mechanisms.

Finally, if you are interested in learning more about it, you can check the details at the following link.

