"Securité : Dirty Frag": difference between revisions
From www.yakakliker.org
No edit summary on either revision.
(4 intermediate revisions by the same user not shown)
| Ligne 9 : | Ligne 9 : | ||
* https://github.com/odoucet/copyfail-dirtyfrag-blocker | * https://github.com/odoucet/copyfail-dirtyfrag-blocker | ||
==== | ==== Test de vulnérabilité ==== | ||
===== Liens ===== | |||
* https://github.com/odoucet/copyfail-dirtyfrag-blocker | |||
<syntaxhighlight lang="bash"> | |||
python3 - <<'PY' | |||
import socket | |||
tests = [ | |||
("AF_ALG", 38, socket.SOCK_SEQPACKET, 0), | |||
("AF_RXRPC", 33, socket.SOCK_DGRAM, 0), | |||
("NETLINK_XFRM", socket.AF_NETLINK, socket.SOCK_RAW, 6), | |||
] | |||
for name, family, typ, proto in tests: | |||
try: | |||
s = socket.socket(family, typ, proto) | |||
s.close() | |||
print(f"FAIL: {name} authorized") | |||
except OSError as e: | |||
print(f"OK: {name} blocked or unavailable: errno={e.errno} {e}") | |||
PY | |||
</syntaxhighlight> | |||
* Normalement vous devriez avoir ceci si vous êtes protégé : | |||
<syntaxhighlight lang="bash"> | |||
OK: AF_ALG blocked or unavailable: errno=1 [Errno 1] Operation not permitted | |||
OK: AF_RXRPC blocked or unavailable: errno=1 [Errno 1] Operation not permitted | |||
OK: NETLINK_XFRM blocked or unavailable: errno=1 [Errno 1] Operation not permitted | |||
</syntaxhighlight> | |||
* sinon vous obtiendrez quelque chose comme ceci : | |||
<syntaxhighlight lang="bash"> | |||
FAIL: AF_ALG authorized | |||
OK: AF_RXRPC blocked or unavailable: errno=93 [Errno 93] Protocol not supported | |||
FAIL: NETLINK_XFRM authorized | |||
</syntaxhighlight> | |||
==== Sécurisation ==== | |||
* https://github.com/V4bel/dirtyfrag | * https://github.com/V4bel/dirtyfrag | ||
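Review bot: In the added test script, the `except OSError` branch prints "OK" for every errno, so the sample output for an unprotected host still shows `OK: AF_RXRPC blocked or unavailable: errno=93` next to two FAIL lines, while the protected output shows errno=1 on all three. Print a different label when the errno is not 1, so that a reader does not count "Protocol not supported" as blocked. The bare family numbers 38 and 33 would also benefit from a comment saying they stand for AF_ALG and AF_RXRPC, and the new "Liens" subsection repeats the link already listed on the line just above the new heading.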
| Ligne 19 : | Ligne 60 : | ||
</syntaxhighlight> | </syntaxhighlight> | ||
===== Sur Ubuntu : ===== | |||
* https://ubuntu.com/blog/dirty-frag-linux-vulnerability-fixes-available | |||
====== Step 1 – block the modules: ====== | |||
Block the modules by creating a /etc/modprobe.d/dirty-frag.conf file:<syntaxhighlight lang="bash"> | |||
echo "install esp4 /bin/false" | sudo tee /etc/modprobe.d/dirty-frag.conf | |||
echo "install esp6 /bin/false" | sudo tee -a /etc/modprobe.d/dirty-frag.conf | |||
echo "install rxrpc /bin/false" | sudo tee -a /etc/modprobe.d/dirty-frag.conf | |||
</syntaxhighlight>Regenerate the initramfs images, to prevent the modules from being loaded during early boot:<syntaxhighlight lang="bash"> | |||
sudo update-initramfs -u -k all | |||
</syntaxhighlight> | |||
====== Step 2 – unload modules: ====== | |||
Unload the modules, in case they are already loaded:<syntaxhighlight lang="bash"> | |||
sudo rmmod esp4 esp6 rxrpc 2>/dev/null | |||
</syntaxhighlight> | |||
====== Step 3 – confirm the modules aren’t loaded: ====== | |||
Check whether the modules are still loaded:<syntaxhighlight lang="bash"> | |||
grep -qE '^(esp4|esp6|rxrpc) ' /proc/modules && echo "Affected modules are loaded" || echo "Affected modules are NOT loaded" | |||
</syntaxhighlight>If the previous action indicates that the modules are not loaded, no further action is required. However, unloading the modules may not be possible if they are in use by applications. In these instances, a system reboot will enforce their blocking, but will affect applications:<syntaxhighlight lang="bash"> | |||
sudo reboot | |||
</syntaxhighlight> | |||
[[Catégorie:Securite]] | [[Catégorie:Securite]] | ||
[[Catégorie:Dirty Frag]] | [[Catégorie:Dirty Frag]] | ||
<html> | |||
<a href="https://www.compteurdevisite.com" title="compteur web gratuit sans pub"><img src="https://counter6.optistats.ovh/private/compteurdevisite.php?c=b4epghealnwlf7wuq7gn3ygll9aywrfx" border="0" title="compteur web gratuit sans pub" alt="compteur web gratuit sans pub"></a> | |||
</html> | |||
<html> | |||
<script src='https://storage.ko-fi.com/cdn/scripts/overlay-widget.js'></script> | |||
<script> | |||
kofiWidgetOverlay.draw('yakakliker', { | |||
'type': 'floating-chat', | |||
'floating-chat.donateButton.text': 'Café', | |||
'floating-chat.donateButton.background-color': '#00b9fe', | |||
'floating-chat.donateButton.text-color': '#fff' | |||
}); | |||
</script> | |||
</html> | |||
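Review bot: The all-OK output expected by the test added earlier in this revision does not follow from Step 1, whose three install lines cover esp4, esp6 and rxrpc only, while the test probes AF_ALG and NETLINK_XFRM sockets and shows errno=1 for them. State which mitigation that expected output corresponds to (these module rules or the blocker linked under "Liens"), so a reader who follows the Ubuntu steps and reruns the test knows what result to expect. In Step 2, `rmmod ... 2>/dev/null` hides the reason an unload failed; Step 3 catches the failure, but keeping stderr would tell the reader which module is in use. The trailing `<html>` blocks pull a script from storage.ko-fi.com and an image from counter6.optistats.ovh into the article body; consider moving them to the site template rather than the text of a security page.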
Latest revision as of 11 May 2026, 11:38
=== CVE-2026-43284 ===
==== Links ====
* https://github.com/V4bel/dirtyfrag/tree/master
* https://seclists.org/oss-sec/2026/q2/430
* https://itcc.uni-koeln.de/en/services/information-security/it-security/vulnerability-cve-2026-43284-dirty-frag
* https://www.bortzmeyer.org/dirtyfrag.html
* https://github.com/odoucet/copyfail-dirtyfrag-blocker
==== Vulnerability test ====
===== Links =====
* https://github.com/odoucet/copyfail-dirtyfrag-blocker
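<syntaxhighlight lang="bash">
python3 - <<'PY'
import socket

# (label, address family, socket type, protocol)
# 38 and 33 are the Linux values of AF_ALG and AF_RXRPC; protocol 6 is NETLINK_XFRM.
tests = [
    ("AF_ALG", 38, socket.SOCK_SEQPACKET, 0),
    ("AF_RXRPC", 33, socket.SOCK_DGRAM, 0),
    ("NETLINK_XFRM", socket.AF_NETLINK, socket.SOCK_RAW, 6),
]

for name, family, typ, proto in tests:
    try:
        # If the socket can be created, nothing is blocking this interface.
        s = socket.socket(family, typ, proto)
        s.close()
        print(f"FAIL: {name} authorized")
    except OSError as e:
        # Any error is reported as OK; read the errno to see why it failed.
        print(f"OK: {name} blocked or unavailable: errno={e.errno} {e}")
PY
</syntaxhighlight>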
* If you are protected, you should normally get this:
<syntaxhighlight lang="bash">
OK: AF_ALG blocked or unavailable: errno=1 [Errno 1] Operation not permitted
OK: AF_RXRPC blocked or unavailable: errno=1 [Errno 1] Operation not permitted
OK: NETLINK_XFRM blocked or unavailable: errno=1 [Errno 1] Operation not permitted
</syntaxhighlight>
* Otherwise you will get something like this:
<syntaxhighlight lang="bash">
FAIL: AF_ALG authorized
OK: AF_RXRPC blocked or unavailable: errno=93 [Errno 93] Protocol not supported
FAIL: NETLINK_XFRM authorized
</syntaxhighlight>
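The script above prints OK for any error, so errno 1 and errno 93 look the same at a glance. The following added example (not from the original page or the linked projects) runs the same three probes and separates the outcomes; the verdict names and the `summary` rule are assumptions of this example.

```python
import errno
import socket

# Same probes as the page's script: (label, family, type, protocol).
# 38 and 33 are the Linux values of AF_ALG and AF_RXRPC; 16 is AF_NETLINK.
PROBES = [
    ("AF_ALG", 38, socket.SOCK_SEQPACKET, 0),
    ("AF_RXRPC", 33, socket.SOCK_DGRAM, 0),
    ("NETLINK_XFRM", getattr(socket, "AF_NETLINK", 16), socket.SOCK_RAW, 6),
]

def probe(family, typ, proto):
    """Try to create the socket; return None on success, else the errno."""
    try:
        socket.socket(family, typ, proto).close()
        return None
    except OSError as e:
        return e.errno

def classify(err):
    """Verdict names are this example's own, not the page's."""
    if err is None:
        return "ALLOWED"      # socket created: the page's FAIL case
    if err == errno.EPERM:
        return "BLOCKED"      # errno 1, as in the page's protected output
    return "UNAVAILABLE"      # e.g. errno 93: failed for another reason

def run(prober=probe):
    """Return {label: (verdict, errno)} for every probe."""
    return {name: (classify(err), err)
            for name, fam, typ, proto in PROBES
            for err in [prober(fam, typ, proto)]}

def summary(results):
    """EXPOSED if any probe succeeded, BLOCKED if all got errno 1, else REVIEW."""
    verdicts = {v for v, _ in results.values()}
    if "ALLOWED" in verdicts:
        return "EXPOSED"
    return "BLOCKED" if verdicts == {"BLOCKED"} else "REVIEW"

if __name__ == "__main__":
    res = run()
    for name, (verdict, err) in res.items():
        print(f"{verdict}: {name} errno={err}")
    print("overall:", summary(res))
```

A REVIEW result means at least one probe failed with something other than errno 1, which is the case the original script reports as OK.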
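==== Hardening ====
* https://github.com/V4bel/dirtyfrag
<syntaxhighlight lang="bash">
sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"
</syntaxhighlight>
===== On Ubuntu: =====
* https://ubuntu.com/blog/dirty-frag-linux-vulnerability-fixes-available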
====== Step 1 – block the modules: ======
Block the modules by creating a /etc/modprobe.d/dirty-frag.conf file:
<syntaxhighlight lang="bash">
echo "install esp4 /bin/false" | sudo tee /etc/modprobe.d/dirty-frag.conf
echo "install esp6 /bin/false" | sudo tee -a /etc/modprobe.d/dirty-frag.conf
echo "install rxrpc /bin/false" | sudo tee -a /etc/modprobe.d/dirty-frag.conf
</syntaxhighlight>
Regenerate the initramfs images, to prevent the modules from being loaded during early boot:
<syntaxhighlight lang="bash">
sudo update-initramfs -u -k all
</syntaxhighlight>
====== Step 2 – unload modules: ======
Unload the modules, in case they are already loaded:
<syntaxhighlight lang="bash">
sudo rmmod esp4 esp6 rxrpc 2>/dev/null
</syntaxhighlight>
====== Step 3 – confirm the modules aren’t loaded: ======
Check whether the modules are still loaded:
<syntaxhighlight lang="bash">
grep -qE '^(esp4|esp6|rxrpc) ' /proc/modules && echo "Affected modules are loaded" || echo "Affected modules are NOT loaded"
</syntaxhighlight>
If the previous action indicates that the modules are not loaded, no further action is required. However, unloading the modules may not be possible if they are in use by applications. In these instances, a system reboot will enforce their blocking, but will affect applications:
<syntaxhighlight lang="bash">
sudo reboot
</syntaxhighlight>
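Steps 1 to 3 combined into one check, as an added example that is not part of the original page or the Ubuntu article: it reports, for esp4, esp6 and rxrpc, whether the install rule exists and whether the module is still loaded. The state names and the choice to read only /etc/modprobe.d/*.conf are assumptions of this example.

```python
import glob

MODULES = ("esp4", "esp6", "rxrpc")  # the modules named in the steps above

def blocked_modules(conf_text):
    """Modules that have an 'install <module> /bin/false' line."""
    found = set()
    for line in conf_text.splitlines():
        fields = line.split()
        # Commented-out rules do not match: their first field is not 'install'.
        if len(fields) == 3 and fields[0] == "install" and fields[2] == "/bin/false":
            found.add(fields[1])
    return found

def loaded_modules(proc_modules_text):
    """Module names: the first field of each /proc/modules line."""
    return {ln.split()[0] for ln in proc_modules_text.splitlines() if ln.strip()}

def audit(conf_text, proc_modules_text):
    """Return {module: state}; the state names are this example's own."""
    blocked = blocked_modules(conf_text)
    loaded = loaded_modules(proc_modules_text)
    states = {}
    for mod in MODULES:
        if mod in loaded:
            # Step 2 did not unload it; with a rule in place a reboot enforces the block.
            states[mod] = "reboot-needed" if mod in blocked else "loaded-no-rule"
        else:
            states[mod] = "blocked" if mod in blocked else "loadable"
    return states

if __name__ == "__main__":
    conf = ""
    for path in sorted(glob.glob("/etc/modprobe.d/*.conf")):
        with open(path) as fh:
            conf += fh.read() + "\n"
    with open("/proc/modules") as fh:
        for mod, state in audit(conf, fh.read()).items():
            print(f"{mod}: {state}")
```

Unlike the Step 3 grep, this also flags a module that is not loaded right now but has no rule preventing it from being loaded later ("loadable").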