New BIND DNS Updates Address a Remote Code Execution Vulnerability

A few days ago, new corrective versions of BIND DNS were released for the stable branches, 9.11.31 and 9.16.15, along with 9.17.12 for the experimental development branch. BIND is the most widely used DNS server on the Internet, particularly on Unix systems, where it is a standard, and it is sponsored by the Internet Systems Consortium.

The release announcement states that the main purpose of the new versions is to fix three vulnerabilities, one of which (CVE-2021-25216) causes a buffer overflow.

On 32-bit systems, the vulnerability can be used for remote code execution by an attacker who sends a specially crafted GSS-TSIG request, while on 64-bit systems the problem is limited to a crash of the named process.

The problem appears only when the GSS-TSIG mechanism is enabled, which is done through the tkey-gssapi-keytab and tkey-gssapi-credential settings. GSS-TSIG is disabled by default and is generally used in mixed environments where BIND is combined with Active Directory domain controllers or integrated with Samba.

The vulnerability is caused by an error in the implementation of the GSSAPI Simple and Protected Negotiation Mechanism (SPNEGO), which GSSAPI uses to negotiate the protection methods used by the client and the server. GSSAPI serves as a high-level protocol for secure key exchange through the GSS-TSIG extension, which is used to authenticate dynamic updates in DNS zones.

BIND servers are vulnerable if they run an affected version and are configured to use GSS-TSIG features. In a configuration that uses the BIND defaults, the vulnerable code path is not exposed, but a server can be made vulnerable by explicitly setting values for the tkey-gssapi-keytab or tkey-gssapi-credential configuration options.

Although the default configuration is not vulnerable, GSS-TSIG is frequently used in networks where BIND is integrated with Samba, as well as in mixed-server environments that combine BIND servers with Active Directory domain controllers. For servers that meet these conditions, the ISC SPNEGO implementation is vulnerable to various attacks, depending on the CPU architecture for which BIND was built:

Because critical vulnerabilities had also been found in the built-in SPNEGO implementation before, the implementation of this protocol has been removed from the BIND 9 code base. Users who need SPNEGO support are advised to use an external implementation provided by the system GSSAPI library (available from MIT Kerberos and Heimdal Kerberos).

As for the other two vulnerabilities fixed in this new corrective release, the following are mentioned:

  • CVE-2021-25215: The named process crashes while processing DNAME records (redirection processing for some subdomains), which leads to duplicates being added to the ANSWER section. To exploit the vulnerability on authoritative DNS servers, changes to the DNS zones being served are required, and on recursive servers the problematic record can be obtained after contacting an authoritative server.
  • CVE-2021-25214: The named process crashes when processing a specially crafted incoming IXFR request (IXFR is used for incremental transfer of changes in DNS zones between DNS servers). Only systems that allow DNS zone transfers from the attacker's server are affected (zone transfers are normally used to synchronize master and slave servers and are allowed only for trusted servers). As a workaround, you can disable IXFR support with the "request-ixfr no" setting.

As a workaround to block the problem, users of earlier BIND versions can disable GSS-TSIG in the configuration or rebuild BIND without SPNEGO support.
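The exposure condition described above (a release older than the fixed one, plus an explicitly set tkey-gssapi-keytab or tkey-gssapi-credential) can be checked offline. The following Python is an added example, not code from ISC or from the original article; the function names, the sample configuration and the comparison against the fixed releases 9.11.31, 9.16.15 and 9.17.12 are assumptions of this example.

```python
import re

# Fixed releases named in the article, keyed by (major, minor) branch.
FIXED = {(9, 11): (9, 11, 31), (9, 16): (9, 16, 15), (9, 17): (9, 17, 12)}
GSS_OPTIONS = ("tkey-gssapi-keytab", "tkey-gssapi-credential")

# Quoted strings are matched first so "//" or "#" inside them is not a comment.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)

def strip_comments(conf):
    """Drop /* */, // and # comments from named.conf text; keep strings."""
    return _TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else " ", conf)

def gss_tsig_options(conf):
    """Return the GSS-TSIG options that are explicitly set (not commented out)."""
    active = strip_comments(conf)
    return [opt for opt in GSS_OPTIONS
            if re.search(r"(?<![\w-])" + re.escape(opt) + r"\s+[^;]+;", active)]

def is_patched(version):
    """True/False against FIXED; None when the branch is not in the article."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return None
    v = tuple(int(x) for x in m.groups())
    fixed = FIXED.get(v[:2])
    return None if fixed is None else v >= fixed

def audit(conf, version):
    """Flag a server that has GSS-TSIG enabled and is not known to be patched."""
    opts = gss_tsig_options(conf)
    patched = is_patched(version)
    return {"gss_tsig_options": opts, "patched": patched,
            "review": bool(opts) and patched is not True}

# Constructed sample: one option active, one commented out.
SAMPLE_CONF = '''
options {
    directory "/var/named";
    // tkey-gssapi-credential "DNS/ns1.example.test@EXAMPLE.TEST";
    tkey-gssapi-keytab "/etc/named/dns.keytab";  /* enables GSS-TSIG */
};
'''

if __name__ == "__main__":
    for ver in ("9.11.30", "9.16.15"):
        print(ver, audit(SAMPLE_CONF, ver))
```

Feeding it the output of `named-checkconf -p` covers included files as well, and the version string can be taken from `named -v`. Distribution packages may backport fixes without changing the upstream version number, so a `review` flag means the package changelog still needs checking.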

Finally, if you are interested in learning more about the release of these new corrective versions or about the vulnerabilities that were fixed, you can check the details by going to the following link.

