Babone ukuba sesichengeni kwithala leencwadi laseClibc kunye neClibc-ng elichaphazela iLinux firmware. 

Kwiintsuku ezimbalwa ezidlulileyo iindaba zakhutshwa ukuba kumathala eencwadi asemgangathweni uClibc kunye noClibc-ng, esetyenziswa kwizixhobo ezininzi ezifakelweyo neziphathwayo, ubuthathaka buchongiwe (nge-CVE ayikabelwa), evumela ukutshintshwa kwedatha ye-dummy kwi-cache ye-DNS, enokusetyenziswa ukutshabalalisa idilesi ye-IP yesizinda esingenasizathu kwi-cache kwaye iqondise kwakhona izicelo kwi-domain kwi-server yomhlaseli.

Malunga nengxaki kukhankanyiwe ukuba le ichaphazela i-firmware yeLinux yeerutha, iindawo zokufikelela kunye nezixhobo ze-IoT, kunye nokuhanjiswa kweLinux okuzinzisiweyo njenge-OpenWRT kunye neGentoo Embekelwe.

Malunga nokuba sesichengeni

Ukuba sesichengeni kubangelwe kusetyenziso lwezichongi zentengiselwano ezinokuqikelelwa kwikhowudi yokuthumela imibuzo ye-DNS. I-ID yombuzo we-DNS yakhethwa ngokunyusa ngokulula ikhawuntari ngaphandle kokungalandeleki okungaphaya kweenombolo zezibuko, ezithi yenze ukuba kwenzeke ukutyhefa kwi-cache ye-DNS ngokuthumela kwangaphambili iipakethi ze-UDP ngeempendulo ezibubuxoki (impendulo iya kwamkelwa ukuba ifike ngaphambi kokuba impendulo evela kumncedisi wangempela kwaye ibandakanya ukuchongwa okuchanekileyo).

Ngokungafani nendlela ye-Kaminsky ecetywayo kwi-2008, akufuneki nokuba uqikelele i-ID yokuthengiselana, ekubeni iqikelelwa ekuqaleni (ekuqaleni, imiselwe kwi-1, eyanda ngesicelo ngasinye, kwaye ayikhethwanga ngokungaqhelekanga).

Ukuzikhusela ngokuchasene ne-ID yokuqikelela, iinkcukacha icebisa ngakumbi unikezelo olungakhethiyo lwamanani ezibuko zomsebenzi womnatha imvelaphi apho imibuzo ye-DNS ithunyelwa khona, ebuyekeza ubungakanani obungonelanga be-ID.

Xa i-port randomization yenziwe, ukwenza impendulo ye-dummy, ukongeza ekukhetheni isazisi se-16-bit, kuyafuneka ukuba ukhethe inombolo ye-port yenethiwekhi. Kwi-uClibc kunye ne-uClibc-ng, i-randomization enjalo ayizange yenziwe ngokuthe gca (xa ukubophelela kubizwa, i-random source UDP port ayizange ichazwe) kwaye ukuphunyezwa kwayo kuxhomekeke kuqwalaselo lwenkqubo yokusebenza.

Xa i-port randomization ivaliwe, ukugqiba ukuba yeyiphi i-id yesicelo eyonyuswa iphawulwe njengomsebenzi omncinci. Kodwa nakwimeko ye-randomization, umhlaseli ufuna kuphela ukuqikelela i-port yenethiwekhi ukusuka kuluhlu lwe-32768-60999, apho anokusebenzisa ukuthunyelwa okukhulu kwangaxeshanye kweempendulo ze-dummy kwiichweba ezahlukeneyo zenethiwekhi.

Ingxaki iqinisekisiwe kuzo zonke iinguqulelo zangoku ze-uClibc kunye ne-uClibc-ng, kuquka neenguqulelo zamva nje ze-uClibc 0.9.33.2 kunye ne-uClibc-ng 1.0.40.

"Kubalulekile ukuqaphela ukuba sesichengeni esichaphazela ithala leencwadi eliqhelekileyo le-C kunokuba nzima," iqela libhale kwiposti yebhlog kule veki.

"Akunakuba ngamakhulu okanye amawaka eefowuni kumsebenzi osesichengeni kwiindawo ezininzi kwinkqubo enye, kodwa ukuba sesichengeni kuya kuchaphazela inani elingenammiselo lezinye iinkqubo zabathengisi abaninzi ezilungiselelwe ukusebenzisa elo thala leencwadi."

NgoSeptemba 2021, ulwazi malunga nokuba sesichengeni lwathunyelwa kwi-CERT/CC ukulungiselela uludwe olulungelelanisiweyo. NgoJanuwari 2022, ingxaki kwabelwane ngayo ngaphezu 200 abavelisi ehambelana ne-CERT/CC.

NgoMatshi, kuye kwakho iinzame zokuqhagamshelana ngokwahlukeneyo nomlondolozi weprojekthi ye-uClibc-ng, kodwa waphendula ngelithi akanako ukulungisa ubuthathaka ngokwakhe kwaye wacebisa ukubhengezwa koluntu kolwazi malunga nale ngxaki, ngethemba lokufumana uncedo lokuphuhlisa ukulungiswa. uluntu. Ukusuka kubavelisi, i-NETGEAR ibhengeze ukukhutshwa kohlaziyo kunye nokususwa kobuthathaka.

Kubalulekile ukuqaphela ukuba ubuthathaka obuchaphazela ithala leencwadi elisemgangathweni C kunokuba nzima kakhulu. Ayinakubakho kuphela amakhulu okanye amawaka eefowuni eziya kumsebenzi osesichengeni kwiindawo ezininzi kwinkqubo enye, kodwa ukuba sesichengeni kuya kuchaphazela inani elingenammiselo lezinye iinkqubo ezisuka kubathengisi abaninzi abamiselweyo ukuba basebenzise elo thala leencwadi.

Kuqatshelwe ukuba ubuthathaka buzibonakalisa kwizixhobo ezivela kubavelisi abaninzi (umzekelo, iClibc isetyenziswa kwi-firmware esuka kwi-Linksys, i-Netgear, kunye ne-Axis), kodwa ekubeni ubuthathaka buhlala bungabonakali kwi-uClibc kunye ne-uClibc-ng, ulwazi oluthe kratya malunga nezixhobo kunye nezinto ezithile. abavelisi abanengxaki kwiimveliso zabo, de badizwe.

Gqibela ukuba unomdla wokwazi okungakumbi ngayo, ungajonga iinkcukacha Kule khonkco ilandelayo.


Umxholo wenqaku uyabambelela kwimigaqo yethu imigaqo yokuziphatha yokuhlela. Ukuxela impazamo cofa apha.

Yiba ngowokuqala ukuphawula

Shiya uluvo lwakho

Idilesi yakho ye email aziyi kupapashwa.

*

*

  1. Uxanduva lwedatha: UMiguel Ángel Gatón
  2. Injongo yedatha: Ulawulo lwe-SPAM, ulawulo lwezimvo.
  3. Umthetho: Imvume yakho
  4. Unxibelelwano lwedatha: Idatha ayizukuhanjiswa kubantu besithathu ngaphandle koxanduva lomthetho.
  5. Ukugcinwa kweenkcukacha
  6. Amalungelo: Ngalo naliphi na ixesha unganciphisa, uphinde uphinde ucime ulwazi lwakho.