Masu haɓaka layin wayar hannu na LineageOS (wanda ya maye gurbin CyanogenMod) suka yi kashedi game da ganowa na alamomin da aka bari daga samun izini mara izini akan kayan aikin ku. An lura cewa karfe shida na safe (MSK) a ranar 6 ga Mayu, maharin ya sami damar isa ga babban sabar na SaltStack tsarin gudanar da tsarin daidaitawa ta hanyar amfani da raunin da ba a facce ba har yanzu.
An dai ruwaito cewa harin bai shafi ba mabuɗan don samar da sa hannu na dijital, tsarin gini da lambar tushe na dandamali. An sanya mabuɗan a kan rundunar gabaɗaya daga manyan abubuwan da aka sarrafa ta hanyar SaltStack kuma an dakatar da majalisun saboda dalilai na fasaha a ranar 30 ga Afrilu.
Yin hukunci daga bayanan akan shafin status.lineageos.org, masu haɓakawa sun riga sun dawo da sabar tare da tsarin duba lambar Gerrit, gidan yanar gizo, da wiki. Sabis tare da gini (builds.lineageos.org), da sauke tashar yanar gizo na fayiloli (download.lineageos.org), sabobin wasiku da kuma tsarin daidaiton turawa zuwa madubai a halin yanzu suna da nakasa.
Game da hukuncin
An sake sabuntawa a ranar 29 ga Afrilu daga dandamalin SaltStack 3000.2 kuma bayan kwana hudu (2 ga Mayu) an kawar da rauni guda biyu.
Matsalar ta ta'allaka ne a cikin abin da, daga yanayin rashin lafiyar da aka ruwaito, daya an buga shi a ranar 30 ga Afrilu kuma an sanya shi mafi girman hadari (a nan mahimmancin wallafa bayanan kwanaki da yawa ko makonni bayan ganowa da sakin ɓarnatar da kwaro ko faci).
Tunda matsalar ta bawa mai amfani mara izini damar aiwatar da lambar kode a matsayin mai masaukin baki (masanin-gishiri) da duk sabobin da ake gudanarwa ta hanyar.
Harin ya yiwu ne ta hanyar gaskiyar cewa tashar tashar sadarwar 4506 (don samun damar SaltStack) ba a toshe katangar katangar ba don buƙatun waje ba kuma a cikin abin da maharin ya jira ya yi aiki kafin masu haɓaka Lineage SaltStack da ekspluatarovat za su yi ƙoƙarin girkawa. sabuntawa don gyara gazawar.
An shawarci dukkan masu amfani da SaltStack da su hanzarta sabunta tsarin su tare da bincika alamun kutse.
A fili, hare-hare ta hanyar SaltStack ba kawai an iyakance shi ne kawai don shafar LineageOS ba kuma ya zama gama gari yayin rana, yawancin masu amfani waɗanda ba su da lokaci don sabunta SaltStack sun lura cewa an lalata abubuwan more rayuwa ta hanyar lambar karɓar ma'adinai ko ƙofofin baya.
Ya kuma bayar da rahoton irin wannan kutse a kan tsarin kula da abun ciki Fatalwa, meneneYa shafi rukunin yanar gizo na Ghost (Pro) da kuma biyan kuɗi (ana zargin cewa ba a taɓa lambobin katin kuɗi, amma kalmomin shiga na masu amfani da fatalwar na iya faɗawa hannun maharan).
- Raunin rauni na farko (CVE-2020-11651) rashin rashin cikakken bincike ne ke haifar da shi lokacin da ake kiran hanyoyin ClearFuncs a tsarin gishirin-masarufin. Rashin lafiyar ya ba mai amfani mai nisa damar samun damar wasu hanyoyin ba tare da tabbatarwa ba. Musamman, ta hanyar hanyoyin matsala, mai kawo hari zai iya samun alama don tushen samun dama ga sabar uwar garke sannan ya aiwatar da duk wani umarni akan rundunar da aka yiwa aiki wanda ke tafiyar daemon-minion. An fito da faci kwanaki 20 da suka gabata wanda ke gyara wannan matsalar, amma bayan aikace-aikacen sa ya bayyana, akwai canje-canje na baya waɗanda suka haifar da hadarurrukan aiki tare da katsewa.
- Raunin rauni na biyu (CVE-2020-11652) ba da damar, ta hanyar magudi tare da ajin ClearFuncs, samun dama ga hanyoyi ta hanyar sauya hanyoyin da aka ayyana a wata hanya, waɗanda za a iya amfani da su don samun cikakkiyar dama ga kundin adireshi ba bisa ka'ida ba akan FS na babban uwar garken tare da tushen gata, amma yana buƙatar ingantacciyar hanyar ( ana iya samun irin wannan damar ta amfani da raunin farko da kuma amfani da rauni na biyu don lalata dukkan abubuwan more rayuwa gaba ɗaya).