Three vulnerabilities found in the Linux TCP stacks that lead to remote denial of service


News was recently published about the discovery of several flaws in the Linux and FreeBSD TCP stacks that allow an attacker to remotely trigger a kernel failure or cause excessive resource consumption when specially crafted TCP packets are processed (packet of death).

The problems are caused by errors in the handlers for the maximum data block size in a TCP packet (MSS, Maximum Segment Size) and in the mechanism for selective acknowledgment of connections (SACK, TCP Selective Acknowledgment).

What is selective acknowledgment?

TCP Selective Acknowledgment (SACK) is a mechanism by which the receiver of the data can inform the sender of all the segments that were received successfully.

This allows the sender to retransmit the missing segments of the stream from its "known good" set. When TCP SACK is disabled, a much larger set of retransmissions is needed to resend the entire sequence.

In the Linux kernel, the problems were fixed in versions 4.4.182, 4.9.182, 4.14.127, 4.19.52 and 5.1.11. The fix for FreeBSD is available as a patch.

Kernel package updates have been released for Debian, RHEL, SUSE / openSUSE, ALT, Ubuntu, Fedora, and Arch Linux.

CVE-2019-11477 (SACK Panic)

The problem manifests itself in Linux kernels such as 2.6.29 and lets you crash the kernel (panic) when a series of SACK packets is sent, due to an integer overflow in the handler.

For an attack, it is enough to set the MSS value of the TCP connection to 40 bytes and send a sequence of SACK packets arranged in a certain way.

The core of the problem is that the tcp_skb_cb structure (Socket Buffer) is designed to hold 14 fragments ("define MAX_SKB_FRAGS (65536 / PAGE_SIZE + 1) => 17").

When a packet is sent, it is placed in the send queue and tcp_skb_cb stores details about the packet, such as the sequence number and flags, as well as the "tcp_gso_segs" and "tcp_gso_size" fields, which are used to pass segmentation information to the driver (TSO, TCP Segmentation Offload) so that segments are processed on the network card side.

Fragments are saved when a packet is lost or when selective retransmission of packets is needed, if SACK is enabled and TSO is supported by the driver.

As a workaround, you can disable SACK processing or block connections with a small MSS (this only works when you set sysctl net.ipv4.tcp_mtu_probing to 0, and it may break some normal connections with a low MSS).
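The fixed releases listed above and the sysctls behind this workaround can be checked together on a host. The script below is an added example, not code from the article or from the kernel project; the function names are hypothetical, and net.ipv4.tcp_sack is assumed to be the sysctl that controls SACK processing, since the article does not name it.

```shell
#!/bin/sh
# Added example: compare an upstream kernel version with the fixed releases
# the article lists (4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11).

# Prints "fixed", "vulnerable" or "unknown" for a version such as 4.19.37.
sack_fix_status() {
    ver=${1%%-*}                        # 4.19.37-5-amd64 -> 4.19.37
    major=$(echo "$ver" | cut -d. -f1)
    minor=$(echo "$ver" | cut -d. -f2)
    # Keep only the leading digits of the patch level ("126+" -> 126).
    patch=$(echo "$ver" | cut -d. -f3 | sed 's/[^0-9].*//')
    patch=${patch:-0}
    case "$major.$minor" in
        4.4)  need=182 ;;
        4.9)  need=182 ;;
        4.14) need=127 ;;
        4.19) need=52  ;;
        5.1)  need=11  ;;
        *)    echo unknown; return ;;   # branch not named in the article
    esac
    if [ "$patch" -ge "$need" ]; then echo fixed; else echo vulnerable; fi
}

# Reports the sysctls the workaround depends on. The sysctl root is a
# parameter (default /proc/sys) so the function can be run on a test tree.
mitigation_state() {
    root=${1:-/proc/sys}
    sack=$(cat "$root/net/ipv4/tcp_sack" 2>/dev/null || echo '?')
    probe=$(cat "$root/net/ipv4/tcp_mtu_probing" 2>/dev/null || echo '?')
    echo "tcp_sack=$sack tcp_mtu_probing=$probe"
}

echo "kernel $(uname -r): $(sack_fix_status "$(uname -r)")"
mitigation_state
```

Distribution kernels often carry backported fixes under an older upstream version number, so a "vulnerable" result on a packaged kernel means the vendor's update status still has to be checked.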

CVE-2019-11478 (SACK Slowness)

This flaw causes disruption of the SACK mechanism (when using the Linux kernel in 4.15) or excessive resource consumption.

The problem occurs when specially crafted SACK packets are processed that can be used to fragment the retransmission queue (TCP retransmission). The workarounds are the same as for the previous vulnerability.

CVE-2019-5599 (SACK Slowness)

It allows fragmentation of the map of sent packets when a SACK sequence is processed within a single TCP connection, which causes a resource-intensive list traversal operation to run.

The problem manifests itself in FreeBSD 12 with the RACK packet loss detection mechanism. As a workaround you can disable the RACK module (it is not loaded by default and is disabled by specifying sysctl net.inet.tcp.functions_default=freebsd).

CVE-2019-11479

The flaw allows an attacker to make the Linux kernel split its responses into many TCP segments, each containing only 8 bytes of data, which can lead to a significant increase in traffic, increased CPU load, and a clogged communication channel.

In addition, it consumes additional resources (processor power and network card).

This attack requires continuous effort from the attacker, and its impact ends shortly after the attacker stops sending traffic.

While the attack is in progress, the system runs at reduced capacity, causing a denial of service for some users.

A remote user can trigger this problem by setting the maximum segment size (MSS) of a TCP connection to its lower limit (48 bytes) and sending a sequence of crafted SACK packets.

As a workaround, it is recommended to block connections with a low MSS.

