A vulnerability found in the uClibc and uClibc-ng libraries affects Linux firmware

A few days ago, news broke that a vulnerability (with no CVE assigned yet) had been identified in the uClibc and uClibc-ng standard C libraries, which are used in many embedded and portable devices. It allows dummy data to be planted in the DNS cache, which can be used to spoof the IP address of an arbitrary domain in the cache and redirect requests for that domain to an attacker's server.

Regarding the problem, it is mentioned that it affects a wide range of Linux firmware for routers, access points and IoT devices, as well as embedded Linux distributions such as OpenWRT and Embedded Gentoo.

About the vulnerability

The vulnerability is caused by the use of predictable transaction identifiers in the code that sends DNS queries. The DNS query ID was chosen by simply incrementing a counter, without any additional randomization of port numbers, which made it possible to poison the DNS cache by sending UDP packets with forged responses ahead of time (a response is accepted if it arrives before the response from the real server and carries the correct identifier).

Unlike the Kaminsky method proposed in 2008, it is not even necessary to guess the transaction ID, since it is predictable from the start (initially it is set to 1, it is incremented with each request, and it is never chosen randomly).

To protect against ID guessing, the specification also recommends randomizing the source network port numbers from which DNS queries are sent, compensating for the insufficient size of the ID.

When port randomization is enabled, forging a fake response requires guessing the network port number in addition to the 16-bit identifier. In uClibc and uClibc-ng, such randomization was not explicitly enabled (when bind is called, a random UDP source port is not requested), so whether it is used depends on the configuration of the operating system.

When port randomization is disabled, determining which request ID will be used next is described as a trivial task. But even with randomization, the attacker only needs to guess the network port from the range 32768-60999, for which mass simultaneous sending of dummy responses to different network ports can be used.
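As an added illustration (not code from the article or from the uClibc project), the following Python check reads a handful of outbound DNS query headers from one client and flags the pattern the article describes: transaction IDs that simply count up from 1, and a single fixed source port. The captured queries and port values are constructed sample data; the 32768-60999 ephemeral range is the one the article cites.

```python
"""Flag predictable DNS transaction IDs and fixed source ports in outbound queries.

Added example, not from the article or the uClibc project. The query lists at the
bottom are constructed sample data: (source_port, raw 12-byte DNS header).
"""
import math
import struct

# Ephemeral source-port range cited in the article for Linux clients.
EPHEMERAL_PORT_RANGE = (32768, 60999)


def parse_txid(header: bytes) -> int:
    """Return the 16-bit transaction ID from a raw DNS header (RFC 1035 layout)."""
    if len(header) < 12:
        raise ValueError("DNS header must be 12 bytes")
    txid, flags = struct.unpack("!HH", header[:4])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    return txid


def assess_queries(queries):
    """Inspect [(src_port, header), ...] from one client and report predictability.

    entropy_bits is the effective search space a forged response would have to
    cover: 0 bits for a counting ID, 16 for a random one, plus ~14.8 bits for a
    random ephemeral port (0 if the port never changes).
    """
    if len(queries) < 2:
        raise ValueError("need at least two queries to judge a pattern")
    txids = [parse_txid(h) for _, h in queries]
    ports = [p for p, _ in queries]
    sequential = all(b - a == 1 for a, b in zip(txids, txids[1:]))
    port_fixed = len(set(ports)) == 1
    lo, hi = EPHEMERAL_PORT_RANGE
    id_bits = 0.0 if sequential else 16.0
    port_bits = 0.0 if port_fixed else math.log2(hi - lo + 1)
    return {"txid_sequential": sequential, "port_fixed": port_fixed,
            "txids": txids, "entropy_bits": id_bits + port_bits}


def make_query_header(txid: int) -> bytes:
    """Build a minimal standard-query header: id, flags=RD, qdcount=1 (constructed)."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)


# Constructed: a uClibc-style client that starts at ID 1, counts up, one fixed port.
VULNERABLE_CLIENT = [(43210, make_query_header(i)) for i in range(1, 6)]
# Constructed: a hardened client with random IDs and random ephemeral ports.
HARDENED_CLIENT = [(33011, make_query_header(0x9F3A)), (58700, make_query_header(0x12C4)),
                   (41999, make_query_header(0x7B01))]

if __name__ == "__main__":
    for name, q in (("uClibc-style", VULNERABLE_CLIENT), ("hardened", HARDENED_CLIENT)):
        print(name, assess_queries(q))
```

The same check can be run over real headers pulled from a packet capture of a device under test to see whether its resolver shows the counting-ID, fixed-port behaviour before a fix is applied.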

The problem has been confirmed in all current versions of uClibc and uClibc-ng, including the latest releases, uClibc 0.9.33.2 and uClibc-ng 1.0.40.

"It is important to note that a vulnerability affecting a standard C library can be quite complex," the team wrote in a blog post this week.

"Not only would there be hundreds or thousands of calls to the vulnerable function in multiple places in a single program, but the vulnerability would affect an indefinite number of other programs from multiple vendors that are configured to use that library."

In September 2021, information about the vulnerability was sent to CERT/CC so that a coordinated fix could be prepared. In January 2022, the problem was shared with more than 200 manufacturers that cooperate with CERT/CC.

In March, a separate attempt was made to contact the maintainer of the uClibc-ng project, but he replied that he was unable to fix the vulnerability on his own and recommended public disclosure of information about the problem, in the hope of getting help from the community to develop a fix. Among the manufacturers, NETGEAR has announced the release of an update that removes the vulnerability.


It is noted that the vulnerability shows up in devices from many manufacturers (for example, uClibc is used in firmware from Linksys, Netgear and Axis), but since the vulnerability remains unpatched in uClibc and uClibc-ng, detailed information about the affected devices and about the other manufacturers that have the problem in their products has not yet been disclosed.

Finally, if you are interested in learning more about it, you can check the details at the following link.

