A critical vulnerability in sudo allows gaining root privileges

Security researchers at Qualys have identified a critical vulnerability (CVE-2021-3156) in the sudo utility, which is designed to organize the execution of commands on behalf of other users.

The vulnerability allows unauthorized access to root privileges. The problem can be exploited by any user, regardless of membership in system groups and regardless of whether the user has an entry in the /etc/sudoers file.

The attack does not require knowing the user's password; that is, the vulnerability can be used by an external attacker to escalate privileges on the system after a vulnerability in an unprivileged process (including processes started as the "nobody" user) has been exploited.

To check whether your system is vulnerable, simply run the command "sudoedit -s /": the vulnerability is present if an error message starting with "sudoedit:" is displayed. A patched sudo rejects the "-s" option and prints its usage text (starting with "usage:") instead.

About the vulnerability

The vulnerability has existed since July 2011 and is caused by a buffer overflow in the handling of backslash escape characters in arguments intended to execute commands in shell mode. Shell mode is enabled by specifying the "-i" or "-s" argument and causes the command to be executed not directly but through an additional shell invocation with the "-c" flag ("sh -c command").

The crux of the problem is that when the sudo utility is run normally, it escapes special characters in the arguments when the "-i" or "-s" option is specified, but when the utility is launched as sudoedit, the arguments are not escaped: parse_args() sets the MODE_EDIT mode rather than MODE_RUN, yet does not reset the value of "valid_flags", so "-s" is still accepted and sets the MODE_SHELL flag while the escaping step, which only runs in MODE_RUN, is skipped.

Passing unescaped characters then creates the conditions for a second error in the handler (set_cmnd()) that removes escape characters before the sudoers rules are checked.

The handler incorrectly parses a backslash that stands at the end of an argument with no character after it: it treats that backslash as escaping one more character, copies the argument's terminating NUL byte, and continues reading past the end of the argument, copying the data into the "user_args" buffer and overwriting memory outside that buffer.

It is also noted that by manipulating the values on the sudoedit command line, the attacker can arrange for the overwritten bytes to land on data that influences the program's subsequent behaviour.

In addition, writing an exploit is simplified by the fact that the attacker has full control over the size of the user_args buffer, which equals the combined size of all passed arguments, and also controls the size and contents of the data written beyond the buffer by means of environment variables, since the environment strings follow the arguments in memory.
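The copy loop and data layout described above, as an added example that is not code from this article or from the sudo project. It reimplements the shape of set_cmnd()'s unescaping loop in both its pre-1.9.5p2 form and with the 1.9.5p2 check (from[1] != '\0'), runs it over a constructed argument region in which a single trailing backslash is followed in memory by a stand-in environment string, and writes into an oversized output buffer so the demonstration never corrupts memory it does not own. The names user_args_alloc_size, unescape_args, overflow_bytes, unescaped_result and the sample strings are the example's own assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Allocation size sudo's set_cmnd() computes for user_args:
 * strlen(arg) + 1 for every argument after the command name. */
static size_t user_args_alloc_size(char *const *av)
{
    size_t size = 0;
    for (; *av != NULL; av++)
        size += strlen(*av) + 1;
    return size;
}

/* The unescaping copy loop in the shape of set_cmnd(). With fixed == false it
 * behaves like sudo <= 1.9.5p1: a backslash followed by any non-space byte is
 * dropped and the next byte is copied, even when that byte is the argument's
 * NUL terminator. With fixed == true it carries the 1.9.5p2 check
 * (from[1] != '\0'): a trailing backslash is copied literally and the loop
 * stops at the terminator.
 *
 * Returns the number of bytes written into `to`, including the final NUL,
 * or 0 if a write would exceed to_cap. That cap exists only so this
 * demonstration cannot corrupt its own memory; sudo's user_args had no such
 * guard, it was malloc'd to exactly user_args_alloc_size() bytes. */
static size_t unescape_args(char *const *av, bool fixed, char *to, size_t to_cap)
{
    char *start = to, *end = to + to_cap;
    const char *from;

    if (*av == NULL || to_cap == 0)
        return 0;
    for (; (from = *av) != NULL; av++) {
        while (*from != '\0') {
            if (from[0] == '\\' && (!fixed || from[1] != '\0')
                && !isspace((unsigned char)from[1]))
                from++;      /* unfixed: may step onto the NUL terminator */
            if (to >= end)
                return 0;
            *to++ = *from++; /* unfixed: copies the NUL, then walks past it */
        }
        if (to >= end)
            return 0;
        *to++ = ' ';
    }
    *--to = '\0';            /* replace the trailing space with the terminator */
    return (size_t)(to - start) + 1;
}

/* Constructed sample input (not from the advisory): the only argument is a
 * single backslash, and the bytes after it in memory stand in for the first
 * environment string. On Linux the environment strings sit directly after the
 * argv strings on the stack, which is why the over-read lands in
 * attacker-controlled environment data. The final "\0" ends the region. */
static char region[] = "\\" "\0" "LC_ALL=C" "\0";

/* Bytes the copy writes beyond the allocation set_cmnd() would have made. */
size_t overflow_bytes(bool fixed)
{
    char *args[] = { region, NULL };
    char out[64] = {0};
    size_t alloc = user_args_alloc_size(args);        /* strlen("\\") + 1 == 2 */
    size_t written = unescape_args(args, fixed, out, sizeof out);
    return written > alloc ? written - alloc : 0;
}

/* Copies what user_args ends up holding for the sample argument into result
 * (which must hold at least 64 bytes). Returns 0 on success, -1 otherwise. */
int unescaped_result(bool fixed, char *result, size_t cap)
{
    char *args[] = { region, NULL };
    char out[64] = {0};
    if (cap < sizeof out || unescape_args(args, fixed, out, sizeof out) == 0)
        return -1;
    memcpy(result, out, sizeof out);
    return 0;
}

int main(void)
{
    char buf[64];
    printf("pre-1.9.5p2 loop: %zu byte(s) written past the 2-byte allocation\n",
           overflow_bytes(false));
    printf("1.9.5p2 loop:     %zu byte(s) written past the allocation\n",
           overflow_bytes(true));
    if (unescaped_result(true, buf, sizeof buf) == 0)
        printf("1.9.5p2 loop keeps the argument literally: \"%s\"\n", buf);
    return 0;
}
```

With the sample region the unfixed loop allocates 2 bytes for the argument but writes 10: a NUL followed by the whole "environment" string, which is exactly the mechanism the text describes, the attacker choosing the argument sizes to set the allocation and the environment contents to set what spills past it. The fixed loop writes 2 bytes and leaves the trailing backslash in place. In a real invocation the trailing backslash reaches this loop unescaped only through sudoedit -s, because plain sudo -s escapes it in parse_args() first.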

The Qualys security researchers were able to prepare three working exploits, based on overwriting the contents of the sudo_hook_entry, service_user and def_timestampdir structures:

  • Overwriting sudo_hook_entry made it possible to run a binary named "SYSTEMD_BYPASS_USERDB" as root.
  • Overwriting service_user allowed arbitrary code to be executed as root.
  • Overwriting def_timestampdir made it possible to dump the contents of sudo's stack, including environment variables, into the /etc/passwd file and thereby obtain a user entry with root privileges.

The researchers demonstrated working exploits that obtain full root privileges on Ubuntu 20.04, Debian 10 and Fedora 33.

The vulnerability can be exploited on other operating systems and distributions as well, but the researchers' verification was limited to Ubuntu, Debian and Fedora. It is noted that all sudo versions from 1.8.2 to 1.8.31p2 and from 1.9.0 to 1.9.5p1 in the default configuration are affected. The fix is included in sudo 1.9.5p2.

The researchers notified the developers in advance, and the distributions have already published package updates in a coordinated manner: Debian, RHEL, Fedora, Ubuntu, SUSE/openSUSE, Arch Linux, Slackware, Gentoo and FreeBSD.

Finally, if you want to know more about the vulnerability, you can check the details at the following link.
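A first-pass check of a `sudo --version` line against the affected ranges listed above, as an added example that is not part of the article or of the sudo project; the functions parse_sudo_version and sudo_version_affected and the sample version lines are constructed for it. Distributions backport the fix without bumping the upstream version number, so a match here means the host still needs the "sudoedit -s /" behavioural check described earlier, not that it is confirmed vulnerable.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A sudo version as printed by `sudo --version`: major.minor.patch with an
 * optional "pN" suffix (1.8.31p2 is patch level 2 of 1.8.31). */
typedef struct {
    int major, minor, patch, p;
} sudo_version;

/* Parse "1.9.5p1" or the full "Sudo version 1.9.5p1" line. Returns false for
 * anything that is not a plain upstream sudo version string. */
bool parse_sudo_version(const char *s, sudo_version *v)
{
    static const char prefix[] = "Sudo version ";
    char tail[16] = "";
    int n;

    if (strncmp(s, prefix, sizeof prefix - 1) == 0)
        s += sizeof prefix - 1;
    v->major = v->minor = v->patch = v->p = 0;
    n = sscanf(s, "%d.%d.%d%15s", &v->major, &v->minor, &v->patch, tail);
    if (n < 3 || v->major < 0 || v->minor < 0 || v->patch < 0)
        return false;
    if (n == 4) {               /* something followed the patch number */
        char *end;
        long p;
        if (tail[0] != 'p')
            return false;
        p = strtol(tail + 1, &end, 10);
        if (end == tail + 1 || *end != '\0' || p < 0)
            return false;
        v->p = (int)p;
    }
    return true;
}

/* Lexicographic comparison: -1, 0 or 1. */
static int cmp_version(const sudo_version *a, const sudo_version *b)
{
    if (a->major != b->major) return a->major < b->major ? -1 : 1;
    if (a->minor != b->minor) return a->minor < b->minor ? -1 : 1;
    if (a->patch != b->patch) return a->patch < b->patch ? -1 : 1;
    if (a->p != b->p)         return a->p < b->p ? -1 : 1;
    return 0;
}

/* 1 if the version lies in a range the advisory lists as affected
 * (1.8.2 through 1.8.31p2, 1.9.0 through 1.9.5p1), 0 if it does not,
 * -1 if the string could not be parsed. Upstream numbers only: a distro
 * build reporting 1.8.31 may already carry the backported fix. */
int sudo_version_affected(const char *s)
{
    static const sudo_version ranges[][2] = {
        { {1, 8, 2, 0}, {1, 8, 31, 2} },
        { {1, 9, 0, 0}, {1, 9, 5, 1} },
    };
    sudo_version v;
    size_t i;

    if (!parse_sudo_version(s, &v))
        return -1;
    for (i = 0; i < sizeof ranges / sizeof ranges[0]; i++)
        if (cmp_version(&ranges[i][0], &v) <= 0 && cmp_version(&v, &ranges[i][1]) <= 0)
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample lines in the format `sudo --version` prints. */
    const char *samples[] = { "Sudo version 1.8.31", "Sudo version 1.9.5p1",
                              "Sudo version 1.9.5p2", "Sudo version 1.8.1" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s -> %d\n", samples[i], sudo_version_affected(samples[i]));
    return 0;
}
```

The three-valued result matters: an unparseable string must not be reported as "not affected", which is why parse failure is returned as -1 rather than folded into 0.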
