{"id":1596,"date":"2022-07-20T16:08:30","date_gmt":"2022-07-20T09:08:30","guid":{"rendered":"https:\/\/dt-corp.com.vn\/?p=1596"},"modified":"2022-07-20T16:08:30","modified_gmt":"2022-07-20T09:08:30","slug":"phan-tich-loi-thuc-thi-ma-tu-xa-tren-windows-nfs","status":"publish","type":"post","link":"https:\/\/dt-corp.com.vn\/?p=1596","title":{"rendered":"Analysis of a remote code execution flaw in Windows NFS"},"content":{"rendered":"<p><b>Trend Micro Research has just published research on a recently patched Windows vulnerability. The vulnerability is tracked as CVE-2022-30136 and affects NFS (Network File System).<\/b><\/p>\n<p>CVE-2022-30136 is a remote code execution vulnerability in Windows NFS, caused by improper handling of NFSv4 requests.<\/p>\n<div>\n<div class=\"bbImageWrapper  js-lbImage\" title=\"Network File System.jpg\" data-src=\"https:\/\/whitehat.vn\/attachments\/network-file-system-jpg.12172\/\" data-lb-sidebar-href=\"\" data-lb-caption-extra-html=\"\" data-single-image=\"1\"><img loading=\"lazy\" decoding=\"async\" class=\"bbImage\" title=\"Network File System.jpg\" src=\"https:\/\/whitehat.vn\/attachments\/network-file-system-jpg.12172\/\" alt=\"Network File System.jpg\" width=\"589\" height=\"312\" data-url=\"\" data-zoom-target=\"1\" \/><\/div>\n<\/div>\n<p>A remote attacker can exploit this vulnerability by sending malicious RPC calls to the target server to execute arbitrary code in the context of the system. 
The experts point out that even when exploitation is unsuccessful, the attacker can still cause a failure that affects the system.<\/p>\n<p>The vulnerability has a CVSS score of 9.8 and appears similar to CVE-2022-26937, an NFS bug that was patched last month. CVE-2022-30136 could allow a remote attacker to execute privileged code on affected systems running NFS. On the surface, the only difference between the patches is that this month's update fixes a bug in NFSv4.1, whereas last month's bug only affected versions NFSv2.0 and NFSv3.0. It is unclear whether this is a variant, a consequence of a patch, or an entirely new issue. 
Either way, enterprises running NFS should prioritize testing and deploying the patch for this bug.<\/p>\n<p>The Network File System (NFS) protocol was originally developed by Sun Microsystems in 1984. It lets users access remote file shares in the same way a local file system is accessed.<\/p>\n<p>The NFS protocol uses Open Network Computing (ONC) Remote Procedure Call (RPC) to exchange control messages. When ONC RPC messages are sent over TCP, a Fragment header structure is prepended to specify the length of the message. The receiver uses this information to distinguish multiple messages sent over a single TCP session.<\/p>\n<p>According to the Trend Micro researchers, \u201cA buffer overflow vulnerability exists in the Windows implementation of NFS. The vulnerability is due to incorrect calculation of the size of response messages. The server calls the function Nfs4SvrXdrpGetEncodeOperationResultByteCount() to calculate the size of each \u201copcode\u201d response, but it does not include the size of the opcode itself. 
This results in a response buffer that is too small. A corresponding buffer is allocated with OncRpcBufMgrpAllocate. When the response data is written to the buffer, the response data overflows.\u201d<\/p>\n<p>The experts point out that only NFS version 4 is vulnerable, because it uses the OncRpcBufMgrpAllocate function.<\/p>\n<p>\u201cThis bug was patched by Microsoft in June 2022 and assigned the identifier CVE-2022-30136. In its write-up, the vendor also lists disabling NFSv4.1 as a method to mitigate attacks. However, this could lead to a loss of functionality. In addition, Microsoft notes that the update addressing this bug should not be applied unless the fix for CVE-2022-26937 is installed. 
Applying both updates in the appropriate order is the best way to fully address these vulnerabilities.\u201d<\/p>\n<div><b><i>Via: <a href=\"https:\/\/whitehat.vn\/threads\/phan-tich-loi-thuc-thi-ma-tu-xa-tren-windows-nfs.16734\/\">whitehat.vn<\/a><\/i><\/b><\/div>\n<div><b><i>Source: <\/i><\/b><a class=\"link link--external\" href=\"https:\/\/securityaffairs.co\/wordpress\/133355\/security\/cve-2022-30136-windows-nfs-rce.html?fbclid=IwAR3D0SUkUkt9aU0_GnloxF_AWJE5qoCIfAaJDxGld3bd3D_3C2iJTn6LZfE\" target=\"_blank\" rel=\"nofollow ugc noopener\" data-proxy-href=\"\/proxy.php?link=https%3A%2F%2Fsecurityaffairs.co%2Fwordpress%2F133355%2Fsecurity%2Fcve-2022-30136-windows-nfs-rce.html%3Ffbclid%3DIwAR3D0SUkUkt9aU0_GnloxF_AWJE5qoCIfAaJDxGld3bd3D_3C2iJTn6LZfE&amp;hash=e610832ca364972dc64024ff30cd39ac\"><b><i>Security Affairs<\/i><\/b><\/a><\/div>\n","protected":false},"excerpt":{"rendered":"<p class=\"tx-excerpt\">Trend Micro Research has just published research on a recently patched Windows vulnerability. 
The vulnerability is tracked as CVE-2022-30136 and affects NFS (Network File","protected":false},"author":3,"featured_media":1597,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[13],"tags":[],"class_list":["post-1596","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog"],"jetpack_sharing_enabled":true,"jetpack_featured_media_url":"https:\/\/dt-corp.com.vn\/wp-content\/uploads\/2022\/07\/Network-File-System.jpg","_links":{"self":[{"href":"https:\/\/dt-corp.com.vn\/index.php?rest_route=\/wp\/v2\/posts\/1596","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dt-corp.com.vn\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dt-corp.com.vn\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dt-corp.com.vn\/index.php?rest_route=\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/dt-corp.com.vn\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1596"}],"version-history":[{"count":1,"href":"https:\/\/dt-corp.com.vn\/index.php?rest_route=\/wp\/v2\/posts\/1596\/revisions"}],"predecessor-version":[{"id":1598,"href":"https:\/\/dt-corp.com.vn\/index.php?rest_route=\/wp\/v2\/posts\/1596\/revisions\/1598"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/dt-corp.com.vn\/index.php?rest_route=\/wp\/v2\/media\/1597"}],"wp:attachment":[{"href":"https:\/\/dt-corp.com.vn\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1596"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dt-corp.com.vn\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1596"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dt-corp.com.vn\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1596"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}