Kukhishwe onjiniyela beGoogle ngeposi abalitholile ukuba sengozini enkulu (I-CVE-2020-12351) isitaki se-Bluetooth "BlueZ" esetshenziswa ekusatshalalisweni kweLinux neChannel OS.
Ukuba sengozini, kufakwe ikhodi kabusha UkophaTooth, kuvumela umhlaseli ongagunyaziwe ukwenza ikhodi yakho ezingeni le-kernel I-Linux ngaphandle kokungenelela komsebenzisi ngokuthumela amaphakethe e-Bluetooth aklanywe ngokukhethekile.
Inkinga ingaxhashazwa ngumhlaseli ophakathi kwebanga le-Bluetooth futhi ngaphezu kweqiniso lokuthi ukubhanqa kwangaphambilini akudingeki phakathi kocingo oluhlaselayo nesisulu, isimo kuphela ukuthi i-Bluetooth kumele isebenze kukhompyutha.
Mayelana nokuba sengozini
Ukuhlaselwa, kwanele ukwazi ikheli le-MAC ledivayisi yesisulu, enganqunywa ngokulandela umkhondo noma, kwamanye amadivayisi, abalwa ngokususelwa kukheli le-Wi-Fi MAC.
Ukuba sengozini ikhona ezingxenyeni ezicubungula amaphakethe we-L2CAP (Logical Link Control and Adaptation Protocol) ezingeni le-Linux kernel.
Lapho uthumela iphakethe elenzelwe ngokukhethekile le-L2CAP ngemininingwane eyengeziwe yesiteshi se-A2MP, umhlaseli angabhala ngaphezulu indawo ngaphandle kwememori imephu, engasetshenziswa ukudala ukuxhashazwa ukwenza ikhodi yezinga le-kernel engqubuzanayo.
Lapho ucacisa i-CID ngaphandle kwe-L2CAP_CID_SIGNALING, L2CAP_CID_CONN_LESS, ne-L2CAP_CID_LE_SIGNALING ephaketheni, isibambi se-2cap_data_channel () sibizwa eBlueZ, esineziteshi ezikwi-L2CAP_MODE_ERTM izindlela ezibizwa ngokuthi yi-filter ye-skip_CAPterfter (). Kumaphakethe ane-CID L2CAP_CID_A2MP, asikho isiteshi, ngakho-ke ukusidala, umsebenzi we-a2mp_channel_create () ubizwa, osebenzisa uhlobo "struct amp_mgr" lapho kucubungulwa inkambu yedatha chan->, kepha uhlobo lwale nkambu kufanele lube "Isokisi lesakhiwo".
Ukuba sengozini sekuvele selokhu kwavela i-Linux kernel 4.8 Futhi ngaphandle kwezimangalo ze-Intel, akukhulunywa ngayo kunguqulo esanda kukhishwa engu-5.9.
UMatthew Garrett, umakhi owaziwa kakhulu we-Linux kernel othole umklomelo ovela kwiFree Software Foundation ngokunikela kwakhe ekuthuthukiseni isoftware yamahhala, uthi imininingwane embikweni we-Intel ayilungile nokuthi i-kernel 5.9 ayifaki ukulungiswa okulungile. ukulungisa ubungozi, amachashazi afakiwe egatsheni elilandelayo, hhayi igatsha le-5.9).
Ubuye waveza intukuthelo ngenqubomgomo ye-Intel yokudalula ukuba sengozini: Abathuthukisi bokusabalalisa kweLinux abaziswanga ngenkinga ngaphambi kokukhishwa kombiko futhi bebengenalo nethuba lokuthekelisa ngaphambi kokuthekelisa amaphakheji abo we-kernel.
Ngokwengeziwe, kubikwa ukuthi kukhona amanye amathuba okuba sengozini okubili ku-BlueZ:
- I-CVE-2020-24490 - Ukuchichima kwebhafa yekhodi yokuhlaziya ye-HCI (hci_event.c). Umhlaseli okukude angafeza ukugcwala kwe-buffer nokwenza ikhodi ezingeni le-Linux kernel ngokuthumela izimemezelo zokusakaza. Ukuhlaselwa kungenzeka kuphela kumadivayisi asekela i-Bluetooth 5, lapho imodi yokuskena isebenza kubo.
- I-CVE-2020-12352: Ukulahleka kwemininingwane yesitaki ngenkathi kucutshungulwa iphakethe le-A2MP. Inkinga ingaxhashazwa ngumhlaseli owazi ikheli le-MAC ledivayisi ukubuyisa idatha kusitaki se-kernel, engahle iqukathe imininingwane ebucayi njengokhiye bokubethela. Isitaki singaqukatha nezikhombi, ngakho-ke udaba lungasetshenziswa ukunquma ukwakheka kwememori futhi kudlule ukuvikelwa kwe-KASLR (ikheli ngokungahleliwe) ekusetshenzisweni kobunye ubungozi.
Ekugcineni, kumenyezelwe ukushicilelwa kohlobo oluthile lokuxhaphaza ukuqinisekisa inkinga.
Ngokusatshalaliswa inkinga ihlala ingafakwanga (i-Debian, RHEL (ukuba sengozini kuqinisekisiwe kuzinguqulo ze-RHEL kusuka ku-7.4), SUSE, Ubuntu, Fedora)
Ipulatifomu ye-Android ayithinteki yinkinga njengoba isebenzisa isitaki sayo se-Bluetooth, ngokususelwa kukhodi evela kuphrojekthi ye-Broadcom's BlueDroid.
Uma ufuna ukwazi kabanzi ngalokhu kuba sengozini, ungaxhumana nemininingwane Kulesi sixhumanisi esilandelayo.
Ukulwa nokuba sengozini ngeke kuphele, lena ingqikithi ezohlala ikhona. Nsuku zonke abaduni bazobheka izindlela eziningi zokwenza ukuhlaselwa kwe-cyber. Akukho okuphelele, kuzohlala kunamaphesenti okuba sengozini. Yingakho nsuku zonke kufanele siqhubeke sisebenze ekulweni nalokhu kuhlaselwa.