Google raises the rewards for finding vulnerabilities in Linux and Kubernetes

Over the past few months Google has paid special attention to security issues found in the Linux kernel and in Kubernetes. In November of last year Google raised the size of its payouts, as the company tripled the bounty for exploits of previously unknown bugs in the Linux kernel.

The idea was that people would find new ways to exploit the kernel, particularly in connection with Kubernetes running in the cloud. Google now reports that the program has been a success: it received nine submissions in three months and paid out more than $175,000 to researchers.

Now, in a blog post, Google has again announced that it is expanding this initiative, which pays cash rewards for identifying security issues in the Linux kernel, the Kubernetes container-orchestration platform, Google Kubernetes Engine (GKE) and the Kubernetes Capture the Flag (kCTF) competition environment.

The post notes that the reward program now includes an additional $20,000 bonus for each of the following: zero-day vulnerabilities, exploits that do not require unprivileged user namespaces, and exploits that demonstrate new exploitation techniques. The user-namespace criterion matters because many kernel exploits rely on creating an unprivileged user namespace to reach the vulnerable code path, and hardened deployments often disable that capability, so an exploit that works without it is worth more.

The base payout for demonstrating a working exploit in kCTF is $31,337 (the base payout goes to the first participant who demonstrates a working exploit, but the bonuses can still be applied to subsequent exploits of the same vulnerability).

We increased our rewards because we recognized that in order to attract the attention of the community we need to match our rewards to their expectations. We consider the expansion to have been a success, and because of that we would like to extend it even further, until at least the end of the year (2022).
Over the past three months we received 9 submissions and paid over $175,000 so far.

The publication shows that, in total and taking the bonuses into account, the maximum reward for a 1-day exploit (an issue identified by analysing a bug fix in the codebase that was not explicitly marked as a vulnerability) can reach $71,337 (previously the maximum was $31,337), and for a zero-day issue (one for which no fix exists yet) up to $91,337 (previously the maximum was $50,337). The payout program will run until 31 December 2022.

It is worth noting that in the past three months Google has responded to 9 vulnerability submissions, for which $175,000 was paid out.

Participating researchers prepared five exploits for 1-day vulnerabilities and two for 0-day vulnerabilities. Three of the Linux kernel issues have been publicly disclosed (CVE-2021-4154 in cgroup-v1, CVE-2021-22600 in af_packet and CVE-2022-0185 in VFS); these issues had already been identified by syzkaller, and kernel fixes had been added for two of them.

This change bumps some of the 1-day exploits up to $71,337 (vs. $31,337) and makes the maximum payout for a single exploit $91,337 (vs. $50,337). We will also pay at least double the base if they demonstrate novel exploitation techniques (instead of $31,337). However, we will also limit the number of rewards for 1-days to one per version/build.

There are 12-18 GKE releases per year on each channel, and we have two clusters on different channels, so we will pay the $31,337 base reward up to 36 times (no limit on the bonuses). While we don't expect every upgrade to ship with a valid 1-day, we would love to hear otherwise.

Thus, as the announcement says, the size of the payout depends on several factors: whether the issue found is a zero-day vulnerability, whether the exploit works without requiring unprivileged user namespaces, and whether it uses new exploitation techniques. Each of these points carries a $20,000 bonus, ultimately raising the payout for a working exploit to $91,337.

Finally, if you are interested in learning more about it, you can check the details in the original post at the following link.

