In recent days, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent warning about active exploitation of the vulnerability CVE-2023-0386, found in the Linux kernel. The vulnerability, rated high severity, is described as a flaw in the handling of ownership permissions within the OverlayFS subsystem. Exploitation allows local users to escalate privileges and gain administrator access, putting any Linux system at risk.
The flaw is especially concerning because it affects a wide range of environments, from servers and virtual machines to clouds, containers, and even Windows Subsystem for Linux (WSL) deployments. Such environments, where privilege separation between users is critical, can be compromised if the appropriate patches are not applied.
What is the CVE-2023-0386 vulnerability?
The root of the problem lies in how OverlayFS handles file copy operations involving special capabilities between different mount points. Specifically, when a user copies a file with elevated permissions from a mount configured as nosuid to another mount, the kernel does not properly clear the setuid and setgid bits during the operation. This opens the door for an attacker who already has local access to execute files with root permissions, bypassing the usual restrictions.
The vulnerability affects kernel versions before 6.2-rc6 that have OverlayFS and user namespaces enabled. Widely used distributions such as Debian, Ubuntu, Red Hat, and Amazon Linux are on the list of vulnerable systems if they have not received the corresponding update. In addition, the ease of exploiting the flaw has been demonstrated by proof-of-concept (PoC) code published on GitHub since May 2023, which led to a sharp rise in exploitation attempts.
Scope and risks in critical environments
CVE-2023-0386 is classified as an improper ownership management weakness (CWE-282) in OverlayFS, and it can be used to cross user boundaries on multi-tenant systems, in enterprises, or on cloud platforms. Whether on physical or virtual machines, containers, or infrastructures that rely on file sharing, the flaw poses a significant risk because of the ease with which local privileges can be elevated.
According to several analyses by security firms such as Datadog and Qualys, exploitation is trivial. Local access is enough to launch the attack, and no additional interaction is required. This makes it an ideal vector for insider attackers, compromised processes, or situations where users without administrative permissions are allowed to operate. In fact, automated campaigns that seek out and exploit unpatched systems have been observed, especially after the release of public tools and exploits.
Industry response and updates
The bug was reported and fixed in early 2023 by Miklos Szeredi, a lead developer on the Linux kernel, in a dedicated commit (ID: 4f11ada10d0ad3fd53e2bd67806351de63a4f9c3). The patch tightens the user and group checks during the copy operation, preventing it from proceeding if the UID or GID mapping is invalid in the current namespace. This is intended to ensure consistency with POSIX ACLs and to prevent situations where the default UID/GID 65534 is assigned, which could be abused.
Vendors such as NetApp were among the first to publish advisories detailing affected products, including several controller models and products that incorporate unpatched kernel versions. They confirm that exploitation could lead to data access, modification of information, or even denial-of-service (DoS) attacks. Red Hat and other vendors have also begun releasing updates to address this vulnerability.
Recommendations and urgent measures to protect against this vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2023-0386 to its catalog of exploited vulnerabilities and requires U.S. federal agencies to update by July 8, 2025. For all other organizations and users, the recommendation is clear:
- Upgrade to Linux kernel 6.2-rc6 or later to ensure the flaw is fixed.
- Monitor systems for anomalous privilege behavior, especially in environments with containers, multiple users, or critical infrastructure.
- Where the patch cannot be applied immediately, it is recommended to temporarily disable OverlayFS or to restrict local access to administrator users as far as possible.
- Check official advisories and catalogs (CISA's KEV) and treat the vulnerability as a top priority.
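The three exposure conditions named above (a kernel older than 6.2-rc6, OverlayFS, and enabled user namespaces) can be triaged per host with a short script. This is an added example, not code from the original article or from any vendor; the function names and verdict strings are constructed for illustration, and the version comparison covers upstream numbering only, since distribution kernels backport fixes.

```shell
#!/bin/sh
# Added example: exposure triage for CVE-2023-0386 from the three conditions
# the article names (pre-6.2-rc6 kernel, OverlayFS, user namespaces enabled).

# kernel_is_pre_fix RELEASE: 0 = older than upstream 6.2-rc6, 1 = not, 2 = unparseable.
# Distribution kernels backport fixes, so 0 means "check the vendor advisory".
kernel_is_pre_fix() {
    rel=$1
    major=${rel%%.*}
    rest=${rel#*.}
    minor=${rest%%[!0-9]*}
    case $major in ''|*[!0-9]*) return 2 ;; esac
    [ -n "$minor" ] || return 2
    [ "$major" -lt 6 ] && return 0
    [ "$major" -gt 6 ] && return 1
    [ "$minor" -lt 2 ] && return 0
    [ "$minor" -gt 2 ] && return 1
    # 6.2 series: only release candidates rc1..rc5 predate the fix
    case $rel in *-rc[1-5]|*-rc[1-5][!0-9]*) return 0 ;; esac
    return 1
}

# userns_enabled [PROC_ROOT]: 0 if unprivileged user namespaces look usable.
userns_enabled() {
    root=${1:-/proc}
    max=$(cat "$root/sys/user/max_user_namespaces" 2>/dev/null || echo 0)
    [ "$max" -gt 0 ] || return 1
    # Debian/Ubuntu-only switch; the file is absent on other distributions
    f=$root/sys/kernel/unprivileged_userns_clone
    if [ -r "$f" ] && [ "$(cat "$f")" = 0 ]; then return 1; fi
    return 0
}

# overlay_available [PROC_ROOT]: 0 if overlay is currently registered
# (built in or module loaded; an unloaded module may still autoload).
overlay_available() { grep -qw overlay "${1:-/proc}/filesystems" 2>/dev/null; }

# triage RELEASE [PROC_ROOT]: prints one verdict string.
triage() {
    kernel_is_pre_fix "$1" && rc=0 || rc=$?
    case $rc in 1) echo not-affected-upstream; return ;; 2) echo unknown-version; return ;; esac
    if userns_enabled "$2" && overlay_available "$2"; then
        echo exposed-check-vendor-advisory
    else
        echo pre-fix-kernel-preconditions-missing
    fi
}

triage "$(uname -r)"
```

A verdict of `pre-fix-kernel-preconditions-missing` reflects the host's state at the time of the check and does not replace patching.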
The assigned attack vector corresponds to CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, which indicates a high potential impact on confidentiality, integrity, and availability if successfully exploited.
This vulnerability underscores the importance of keeping Linux systems regularly updated and monitored, especially in enterprise environments or those that handle sensitive data. Although exploitation requires local access, the existence of public PoCs and automated attacks increases the urgency of fixing any vulnerable systems as quickly as possible. Privilege escalation in these circumstances can lead to a complete loss of control over the infrastructure.