Two vulnerabilities found in Snap allow running code as root

Qualys has disclosed two vulnerabilities (CVE-2021-44731 and CVE-2021-44730) it identified in the snap-confine utility, which ships with the SUID root flag set and is invoked by the snapd process to prepare the execution environment for applications distributed as self-contained packages.

The blog post states that the vulnerabilities allow an unprivileged local user to execute code as root on the system.

The first vulnerability permits a hard-link attack, but it requires that the system's hard-link protection be disabled (sysctl fs.protected_hardlinks set to 0).

The problem stems from incorrect verification of the location of the snap-update-ns and snap-discard-ns executables, which run as root. The path to these files was computed in the sc_open_snapd_tool() function from the program's own path as reported by /proc/self/exe, which allows creating a hard link to snap-confine in a directory under the attacker's control and placing attacker-chosen versions of snap-update-ns and snap-discard-ns alongside it. When launched through that hard link, snap-confine, running as root, executes the substituted snap-update-ns and snap-discard-ns files from the same directory.

Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host. Qualys security researchers were able to independently verify the vulnerability, develop an exploit, and obtain full root privileges on default Ubuntu installations.

As soon as the Qualys research team confirmed the vulnerability, we engaged in responsible vulnerability disclosure and coordinated with vendors and open-source distributions to announce this newly discovered vulnerability.

The second vulnerability is caused by a race condition and can be exploited in a default Ubuntu Desktop installation. For the exploit to work on Ubuntu Server, one of the packages from the "Featured Server Snaps" section must have been selected during installation.

The race condition shows up in the setup_private_mount() function, called while preparing the mount namespace for the snap package. This function creates the temporary directory "/tmp/snap.$SNAP_NAME/tmp", or reuses an existing one, to bind-mount the snap package's directories into it.

Because the name of the temporary directory is predictable, an attacker can replace its contents with a symbolic link after the ownership check but before the mount system call is made. For example, a symlink "/tmp/snap.lxd/tmp" can be created inside the /tmp/snap.lxd directory pointing at an arbitrary directory, and the mount() call will follow the symlink and mount that directory into the namespace.

In the same way, the contents of /var/lib can be mounted over and, through /var/lib/snapd/mount/snap.snap-store.user-fstab, the attacker's own /etc directory can be mounted into the snap package's namespace so that an attacker-supplied library is loaded with root privileges by replacing /etc/ld.so.preload.

It is noted that building an exploit proved to be a non-trivial task, since the snap-confine utility is written using secure programming techniques (snapd is written in Go, but C is used for snap-confine), is protected by AppArmor profiles, filters system calls with the seccomp mechanism, and uses mount namespaces for isolation.

Nevertheless, the researchers were able to prepare a working exploit that obtains root on the system. The exploit code will be published a few weeks after users have had a chance to install the provided updates.

Finally, it is worth mentioning that the problems have been fixed in the snapd package updates for Ubuntu 21.10, 20.04 and 18.04.

For other distributions that use Snap, Snapd 2.54.3 has been released which, besides the issues above, fixes another vulnerability (CVE-2021-4120) that allowed a specially crafted plugin, when installed, to add arbitrary AppArmor rules and bypass the restrictions set for the package.
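The two facts an administrator needs after reading this are whether the installed snapd is at or above 2.54.3 and whether fs.protected_hardlinks is still on (the first vulnerability needs it off). The added example below (written for this page, not part of snapd) packages those two checks: it reads the sysctl from /proc/sys directly and compares a version string the caller passes in, such as the "snapd" line of `snap version`. Version strings carrying a distribution suffix (for instance "2.54.3+20.04") are compared on their leading numeric components only; the helper names and the command-line usage are this example's own assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse up to three dotted numeric components into out[]; anything after the
 * numeric prefix (e.g. "+20.04", "-1ubuntu1") is ignored. Returns the number
 * of components parsed, 0 if the string does not start with a digit. */
int parse_version(const char *s, int out[3])
{
    const char *p = s;
    int n = 0;
    out[0] = out[1] = out[2] = 0;
    while (n < 3 && isdigit((unsigned char)*p)) {
        char *end;
        out[n++] = (int)strtol(p, &end, 10);
        p = end;
        if (*p == '.' && isdigit((unsigned char)p[1]))
            p++;
        else
            break;
    }
    return n;
}

/* 1 if dotted version a >= dotted version b, else 0. Unparseable a -> 0,
 * so an unknown version is treated as not fixed. */
int version_ge(const char *a, const char *b)
{
    int va[3], vb[3];
    if (parse_version(a, va) == 0)
        return 0;
    parse_version(b, vb);
    for (int i = 0; i < 3; i++)
        if (va[i] != vb[i])
            return va[i] > vb[i];
    return 1;
}

/* Read fs.protected_hardlinks from /proc/sys. Returns 0 or 1, or -1 when the
 * file cannot be read (non-Linux host or a restricted sandbox). */
int read_protected_hardlinks(void)
{
    FILE *f = fopen("/proc/sys/fs/protected_hardlinks", "r");
    if (f == NULL)
        return -1;
    int v = -1;
    if (fscanf(f, "%d", &v) != 1)
        v = -1;
    fclose(f);
    return (v == 0 || v == 1) ? v : -1;
}

/* Bitmask of the two mitigations: bit 0 = snapd at or above 2.54.3,
 * bit 1 = hard-link protection enabled. 3 means both are in place. */
int mitigation_status(const char *snapd_version, int protected_hardlinks)
{
    int status = 0;
    if (version_ge(snapd_version, "2.54.3"))
        status |= 1;
    if (protected_hardlinks == 1)
        status |= 2;
    return status;
}

/* Usage: ./snapcheck "$(snap version | awk '/^snapd/ {print $2}')"  (assumed) */
int main(int argc, char **argv)
{
    const char *ver = argc > 1 ? argv[1] : "unknown";
    int hl = read_protected_hardlinks();
    int s = mitigation_status(ver, hl);
    printf("snapd %s: %s\n", ver, (s & 1) ? "fixed (>= 2.54.3)" : "NOT fixed / unknown");
    printf("fs.protected_hardlinks: %s\n",
           hl < 0 ? "unreadable" : (s & 2) ? "1 (on)" : "0 (off: hard-link prerequisite met)");
    return s == 3 ? 0 : 1;
}
```

The exit status makes the check usable from a fleet-wide script: only a host with both mitigations present returns 0.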

If you want to know more about it, you can check the details in the following link.

