Two vulnerabilities found in Snap allowed code to be run as root

Qualys published news that it had identified two vulnerabilities (CVE-2021-44731 and CVE-2021-44730) in the snap-confine utility, which ships with the SUID root flag and is called by the snapd process to set up the execution environment for applications distributed as snap packages.

The blog post states that the vulnerabilities allow an unprivileged local user to achieve code execution as root on the system.

The first vulnerability allows a hard link manipulation attack, but it requires the system's hard link protection to be disabled (by setting the sysctl fs.protected_hardlinks to 0).

The problem is caused by incorrect verification of the location of the executables of the snap-update-ns and snap-discard-ns utilities, which run as root. The path to these files was computed in the sc_open_snapd_tool() function relative to snap-confine's own path taken from /proc/self/exe. This makes it possible to create a hard link to snap-confine in your own directory and place your own versions of snap-update-ns and snap-discard-ns in that directory. When launched through the hard link, snap-confine, running as root, executes the substituted snap-update-ns and snap-discard-ns files from the current directory.

Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host. Qualys security researchers were able to independently verify the vulnerability, develop an exploit, and obtain full root privileges on default installations of Ubuntu.

As soon as the Qualys research team confirmed the vulnerability, we engaged in responsible vulnerability disclosure and coordinated with vendor and open source distributions to announce this newly discovered vulnerability.

The second vulnerability is caused by a race condition and can be exploited in the default Ubuntu Desktop configuration. For the exploit to work on Ubuntu Server, one of the packages from the "Featured Server Snaps" section must have been selected during installation.

The race condition appears in the setup_private_mount() function, which is called while the mount namespace for the snap package is being prepared. This function creates the temporary directory "/tmp/snap.$SNAP_NAME/tmp", or uses an existing one, and bind-mounts directories for the snap package onto it.

Since the name of the temporary directory is predictable, an attacker can replace it with a symbolic link after the owner check, but before the mount system call. For example, you can create a symlink "/tmp/snap.lxd/tmp" in the /tmp/snap.lxd directory that points to an arbitrary directory, and the mount() call will follow the symlink and mount the directory in the snap's namespace.

Similarly, you can mount your own contents at /var/lib and, by overriding /var/lib/snapd/mount/snap.snap-store.user-fstab, arrange for your own /etc directory to be mounted in the package's namespace, so that your library is loaded as root by replacing /etc/ld.so.preload.
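The check-then-use gap described above closes when the ownership check is made on an open descriptor instead of on a path name. The following C program is an added example, not snap-confine's code and not the fix shipped in snapd; open_trusted_dir(), fd_path() and the sandbox directory name are hypothetical.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not snapd code): open one path component beneath
 * parent_fd without following a symlink, then validate the descriptor.
 * The object that passes the check is the object used afterwards. */
int open_trusted_dir(int parent_fd, const char *name, uid_t owner)
{
    struct stat st;
    int fd = openat(parent_fd, name,
                    O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;                /* symlink, not a directory, or missing */
    if (fstat(fd, &st) != 0 || st.st_uid != owner ||
        (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);                /* wrong owner, or writable by others */
        return -1;
    }
    return fd;
}

/* mount(2) takes path strings, so name the verified descriptor itself
 * through procfs instead of resolving the original path a second time. */
int fd_path(int fd, char *buf, size_t len)
{
    int n = snprintf(buf, len, "/proc/self/fd/%d", fd);
    return (n > 0 && (size_t)n < len) ? 0 : -1;
}

int main(void)
{
    char base[] = "/tmp/toctou-demo-XXXXXX";   /* constructed sandbox dir */
    char path[64];
    int parent = mkdtemp(base) ? open(base, O_RDONLY | O_DIRECTORY) : -1;
    if (parent < 0 || mkdirat(parent, "tmp", 0700) != 0)
        return 1;
    int fd = open_trusted_dir(parent, "tmp", geteuid());
    /* Swap the name for a symlink after the check, as in the race. */
    if (renameat(parent, "tmp", parent, "tmp.old") != 0 ||
        symlinkat("/", parent, "tmp") != 0 ||
        fd < 0 || fd_path(fd, path, sizeof path) != 0)
        return 1;
    printf("use %s; re-check by name now fails: %d\n", path,
           open_trusted_dir(parent, "tmp", geteuid()));
    return 0;
}
```

The descriptor keeps referring to the directory that was validated even after the name is swapped, which is why the later operation is given the descriptor path and not the original name.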

It is noted that creating the exploit turned out to be a non-trivial task, since the snap-confine utility is written using secure programming techniques (snapd is written in Go, but C is used for snap-confine), is protected by AppArmor profiles, filters system calls with the seccomp mechanism, and uses a mount namespace for isolation.

However, the researchers were able to prepare a working exploit to obtain root on the system. The exploit code will be released a few weeks after users have installed the provided updates.

Finally, it is worth mentioning that the problems were fixed in the snapd package update for Ubuntu versions 21.10, 20.04 and 18.04.

In addition, for the other distributions that use Snap, Snapd 2.54.3 has been released. Besides the problems above, it fixes another vulnerability (CVE-2021-4120), which allows, when installing specially crafted plugin packages, overriding arbitrary AppArmor rules and bypassing the access restrictions set for the package.

If you are interested in knowing more about it, you can check the details at the following link.

