I-Looney Tunables – Ukwenyuka Kwelungelo Lendawo ku-glibc's ld.so
Zimbalwa izinsuku ezedlule I-Qualys, imenyezelwe ngeposi lebhulogi, elihlonze a ubungozi obuyingozi (sesivele ifakwe kukhathalogi ngaphansi kwe-CVE-2023-4911) kanye negama layo lekhodi "Looney Tunables."
Mayelana nalobu buthakathaka kuyashiwo ukuthi ivumela umsebenzisi wendawo ukuthi aphakamise amalungelo akhe kusistimu ngokucacisa idatha efomethwe ngokukhethekile endaweni eguquguqukayo ethi “GLIBC_TUNABLES” ngaphambi kokusebenzisa ifayela elisebenzisekayo elinefulegi le-suid.
Ukuba sengozini Kuthathwa njengeyingozi ngoba itholakala ngaphakathi kwe-ld.so linker inikezwe njengengxenye yelabhulali ye-C yesistimu ye-Glibc (GNU libc) ekhona kumasistimu amaningi futhi kungenxa yoshintsho olwethulwa ngo-April 2021 njengengxenye yenguqulo ye-glibc 2.34.
Umtapo wezincwadi we-GNU C, ovame ukwaziwa ngokuthi i-glibc, umtapo C kusistimu ye-GNU kanye namasistimu amaningi asebenzisa i-Linux kernel. Ichaza amakholi wesistimu nokunye ukusebenza okuyisisekelo, okufana nokuvula, i-malloc, i-printf, ukuphuma, njll., okudingwa uhlelo olujwayelekile. Isilayishi esiguqukayo selabhulali ye-GNU C siyingxenye ebalulekile ye-glibc enomthwalo wemfanelo wokulungiselela nokwenza izinhlelo.
Sihlonze ngempumelelo futhi sasebenzisa lobu bungozi (ukukhuphuka kwelungelo lendawo okunikeza amalungelo agcwele ezimpande) ekufakweni okuzenzakalelayo kwe-Fedora 37 ne-38, Ubuntu 22.04 kanye ne-23.04, ne-Debian 12 kanye no-13. Okunye ukusatshalaliswa kungenzeka kungene kalula ngokulinganayo, nakuba siye yaphawula ukuthi i-Alpine Linux ihlala ihlukile ngenxa yokusebenzisa kwayo i-musl libc esikhundleni se-glibc. Lokhu kuba sengozini kwethulwe ngo-Ephreli 2021.
Ukuba sengozini kungenxa yesiphazamisi seyunithi yezinhlamvu yokuhlaziya okucaciswe kokuguquguquka kwemvelo kwe-GLIBC_TUNABLES, lapho ngenxa yenhlanganisela engalungile yamapharamitha kulokhu kuhlukahluka kubangela inani elincozululiwe ukuthi libhalwe ngale kwebhafa enikeziwe.
Lokhu kuhlukahluka kwemvelo, okuhloselwe ukulungisa nokwenza kahle izinhlelo zokusebenza ezixhunywe ku-glibc, iyithuluzi elibalulekile labathuthukisi nabaphathi besistimu. Ukusetshenziswa kabi noma ukuxhashazwa kwayo kuthinta kakhulu ukusebenza, ukwethembeka nokuvikeleka kwesistimu.
Inkinga iyabonakala nini, esikhundleni sokulandelana kwamapharamitha acacisiwe ngefomu elinomsebenzi ophindwe kabili. Kulesi simo, isabelo sicutshungulwa kabili futhi lokhu kucubungula okuphindwe kabili kukhiqiza umphumela omkhulu kunosayizi webhafa.
Ukukhombisa ukuba sengozini, Abacwaningi balungiselele ukuxhaphaza okuzinzile okukuvumela ukuthi uthole amalungelo ezimpande uma isetshenziswa cishe nanoma yiluphi uhlelo olunefulegi lempande ye-suid.
Okuhlukile insiza ye-sudo, i-chage ne-passwd izinsiza ku-Fedora (evikelwe imithetho ehlukene ye-SELinux), kanye nensiza ye-snap-confine ku-Ubuntu (evikelwe imithetho ehlukene ye-AppArmor). Indlela yokuxhaphaza ehlongozwayo nayo ayisebenzi ku-RHEL 8 ne-RHEL 9, nakuba lawa magatsha esengozini yokuba sengozini.
Uma kucatshangelwa ukuba sengozini okuphawulwe kusilayishi esiguqukayo selabhulali ye-GNU C kanye nomthelela wayo ongaba khona ezinhlelweni, i-Qualys Threat Research Unit yeluleka amathimba onogada ukuthi abeke phambili ukubhekana nale nkinga.
Njengoba kushiwo ngenhla, amandla okuxhaphaza ngempumelelo ubungozi abonisiwe ku-Fedora 37 ne-38, Ubuntu 22.04 kanye ne-23.04, Debian 11, 12 kanye ne-13.
Kufanele ube njalo ubungozi buzovela futhi kunoma yikuphi okunye ukusatshalaliswa okusebenzisa i-Glibc. Nakuba ukusatshalaliswa okusekelwe kulabhulali yesistimu C ye-Musl, njenge-Alpine Linux, akuthintwa inkinga. Ngokuqondene nesixazululo sokuba sengozini, sasakazwa ngendlela yesiqephu, esengezwe ngo-Okthoba 2.
Mayelana nokukhishwa kwekhodi ye-xploit, kushiwo ukuthi izokhishwa kamuva, uma ubungozi sebulungisiwe yonke indawo. Ungahlola ukuba sengozini kwesistimu yakho ekubeni sengozini usebenzisa umyalo olandelayo, ozohluleka uma kunenkinga:
Okokugcina uma unentshisekelo yokwazi kabanzi ngakho, ungabheka imininingwane kufayela le- isixhumanisi esilandelayo.