Kwiintsuku ezimbalwa ezidlulileyo iindaba zakhutshwa ukuba kumathala eencwadi asemgangathweni uClibc kunye noClibc-ng, esetyenziswa kwizixhobo ezininzi ezizinzisiweyo neziphathwayo, ubuthathaka buchongiwe (nge-CVE ayikabelwa), evumela idatha ye-dummy ukuba ifakwe endaweni ye-DNS cache, enokusetyenziswa ukutshabalalisa idilesi ye-IP yesizinda esingenasizathu kwi-cache kwaye iqondise izicelo kwi-domain kwi-server yomhlaseli.
Ngokuphathelele ingxaki, kukhankanywe ukuba oku ichaphazela i-firmware yeLinux yeerutha, iindawo zokufikelela kunye nezixhobo ze-IoT, kunye nonikezelo lwe-Linux olungisiweyo olunje nge-OpenWRT kunye ne-Embedded Gentoo.
Malunga nokuba sesichengeni
Ukuba sesichengeni kubangelwe kusetyenziso lwezichongi zentengiselwano eqikelelwayo kwikhowudi yokuthumela imibuzo ye-DNS. I-ID yombuzo we-DNS yakhethwa ngokunyusa ngokulula ikhawuntara ngaphandle kokungalandeleki kwamanani ezibuko, leyo yenze ukuba kwenzeke ukutyhefa i-DNS cache ngokuthumela kwangaphambili iipakethi ze-UDP ngeempendulo ezingezizo (impendulo iya kwamkelwa ukuba ifike ngaphambi kokuba impendulo evela kumncedisi wokwenene kwaye iquka i-ID echanekileyo).
Ngokungafani nendlela ye-Kaminsky ecetywayo kwi-2008, akukho mfuneko yokuba uqikelele i-ID yokuthengiselana, ekubeni iqikelelwa ekuqaleni (ekuqaleni, ixabiso libekwe kwi-1, elinyuka ngesicelo ngasinye, kwaye alikhethwanga ngokungaqhelekanga).
Ukuze uzikhusele ngokuchasene ne-ID yokuqikelela, iinkcukacha Ikwacebisa ukusetyenziswa konikezelo olungakhethiyo lwamanani ezibuko lomnatha yemvelaphi apho imibuzo ye-DNS ithunyelwa khona, ebuyekeza ubungakanani obungonelanga be-ID.
Xa i-port randomization yenziwe, ukwenza impendulo ye-dummy, ukongeza ekukhetheni isazisi se-16-bit, kuyafuneka ukuba ukhethe inombolo ye-port yenethiwekhi. Kwi-uClibc kunye ne-uClibc-ng, i-randomization enjalo ayizange yenziwe ngokuthe gca (xa kubizwe iqhina, i-port ye-UDP yemvelaphi engacwangciswanga ayizange ixelwe) kwaye isicelo sayo sixhomekeke kuqwalaselo lwesixokelelwano esisebenzayo.
Xa i-port randomization ivaliwe, ukugqiba ukuba yeyiphi i-ID yesicelo eyonyuswa iphawulwe njengomsebenzi omncinci. Kodwa nakwimeko ye-randomization, umhlaseli ufuna kuphela ukuqikelela i-port yenethiwekhi ukusuka kuluhlu lwe-32768-60999, apho anokusebenzisa ukuthunyelwa okukhulu kwangaxeshanye kweempendulo ze-dummy kwiichweba ezahlukeneyo zenethiwekhi.
Ingxaki iqinisekisiwe kuzo zonke iinguqulelo zangoku ze-uClibc kunye ne-uClibc-ng, kuquka neenguqulelo zamva nje ze-uClibc 0.9.33.2 kunye ne-uClibc-ng 1.0.40.
"Kubalulekile ukuba uqaphele ukuba umngcipheko ochaphazela ilayibrari esemgangathweni ye-C kunokuba nzima," iqela libhale kwiposti yeblogi kule veki.
"Ayizukuba ngamakhulu okanye amawaka eefowuni kumsebenzi osesichengeni kwiindawo ezininzi kwinkqubo enye, kodwa ukuba sesichengeni kuya kuchaphazela inani elingenammiselo lezinye iinkqubo zabathengisi abaninzi ezilungiselelwe ukusebenzisa elo thala leencwadi."
NgoSeptemba 2021, ulwazi malunga nokuba sesichengeni luye lwangeniswa kwiCERT/CC ukulungiselela amalungiselelo alungelelanisiweyo. NgoJanuwari 2022, ingxaki kwabelwana ngayo ngaphezu 200 abavelisi ehambelana ne-CERT/CC.
NgoMatshi, kwabakho inzame eyahlukileyo yokunxibelelana nomlondolozi weprojekthi ye-uClibc-ng, kodwa waphendula ngelithi akanako ukulungisa ubuthathaka ngokwakhe kwaye wacebisa ukuba kubhengezwe ulwazi olumalunga nalo mba, ngethemba lokufumana uncedo lokuphuhlisa ukulungiswa koluntu. . Ukusuka kubavelisi, i-NETGEAR ibhengeze ukukhutshwa kohlaziyo kunye nokupheliswa kobuthathaka.
Kubalulekile ukuqaphela ukuba ubuthathaka obuchaphazela ilayibrari esemgangathweni ye-C kunokuba nzima. Ayinakubakho nje amakhulu okanye amawaka eefowuni kumsebenzi osesichengeni kwiindawo ezininzi kwinkqubo enye, kodwa ukuba sesichengeni kuya kuchaphazela inani elingenammiselo lezinye iinkqubo zabathengisi abaninzi ezilungiselelwe ukusebenzisa elo thala leencwadi.
Ubuthathaka buphawulwa ukuba buzibonakalise kwizixhobo ezivela kubavelisi abaninzi (umzekelo, iClibc isetyenziswa kwi-Linksys, Netgear, kunye ne-Axis firmware), kodwa ekubeni ubuthathaka buhlala bungabonakali kwi-uClibc kunye ne-uClibc-ng, ulwazi oluneenkcukacha malunga nezixhobo kunye nabavelisi abathile aba iimveliso kukho ingxaki, de zichazwe.
Gqibela ukuba unomdla wokwazi okungakumbi ngayo, ungajonga iinkcukacha Kule khonkco ilandelayo.