New versions of DNS BIND address a remote code execution vulnerability

A few days ago, the release of new corrective versions of DNS BIND was announced for the stable branches 9.11.31 and 9.16.15, as well as for the experimental branch 9.17.12 under development. BIND is the most widely used DNS server on the Internet and is especially common on Unix systems, where it is maintained by the Internet Systems Consortium.

With the announcement of the new versions, it was mentioned that their main purpose is to fix three vulnerabilities, one of which (CVE-2021-25216) causes a buffer overflow.

It is mentioned that on 32-bit systems the vulnerability can be exploited to remotely execute attacker-crafted code by sending a specially crafted GSS-TSIG request, whereas on 64-bit systems the problem is limited to crashing the named process.

The problem only manifests itself when the GSS-TSIG mechanism is enabled, which is activated by the tkey-gssapi-keytab and tkey-gssapi-credential settings. GSS-TSIG is disabled by default and is typically used in mixed environments where BIND is combined with Active Directory domain controllers or integrated with Samba.

The vulnerability is caused by an error in the implementation of the Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO), which GSSAPI uses to negotiate the protection methods used by client and server. GSSAPI is used as a high-level protocol for secure key exchange through the GSS-TSIG extension, which is used to authenticate dynamic updates to DNS zones.

BIND servers are vulnerable if they run an affected version and are configured to use GSS-TSIG features. With a configuration that uses BIND's default settings, the vulnerable code path is not exposed, but a server can be made vulnerable by explicitly setting values for the tkey-gssapi-keytab or tkey-gssapi-credential configuration options.

Although the default configuration is not vulnerable, GSS-TSIG is frequently used in networks where BIND is integrated with Samba, as well as in mixed server environments that combine BIND servers with Active Directory domain controllers. For servers that meet these conditions, the ISC SPNEGO implementation is vulnerable to different attacks depending on the CPU architecture BIND was built for:

Since a serious vulnerability in the internal SPNEGO implementation had already been found previously, the implementation of this protocol is being removed from the BIND 9 code base. For users who need SPNEGO support, it is recommended to use the external implementation provided by the system GSSAPI library (available from MIT Kerberos and Heimdal Kerberos).

As for the other two vulnerabilities fixed with the release of this new corrective version, the following is mentioned:

  • CVE-2021-25215: The named process hung when processing DNAME records (used to redirect some subdomains), which led to duplicates being added to the ANSWER section. Exploiting the vulnerability on authoritative DNS servers requires changes to the DNS zones being served, while for recursive servers the problematic record can be obtained after contacting an authoritative server.
  • CVE-2021-25214: The named process crashes when processing a specially crafted incoming IXFR request (used for incremental transfer of DNS zones between DNS servers). Only servers that have allowed DNS zone transfers from the attacker's server are affected by the problem (zone transfers are normally used to synchronize master and slave servers and are only allowed for trusted servers). As a workaround, IXFR support can be disabled with the "request-ixfr no" setting.

Users of previous versions of BIND can, as a workaround to block the problem, disable GSS-TSIG in the configuration or rebuild without SPNEGO support.
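The conditions above (GSS-TSIG enabled through tkey-gssapi-keytab or tkey-gssapi-credential, and zone transfers accepted without the "request-ixfr no" workaround) can be checked mechanically against a named.conf. The following Python audit is an added example, not code from ISC or from the original article: the two configuration samples are constructed for illustration, the comment-stripping parser is a deliberately simple hypothetical one that does not implement the full named.conf grammar, and the CVE mapping assumes the server is running one of the affected versions named above.

```python
"""Audit a named.conf for the exposure conditions described in the advisory.

Added example, not ISC code. It looks for the GSS-TSIG options that expose
the vulnerable SPNEGO code path (CVE-2021-25216) and for secondary zones
that pull transfers without the "request-ixfr no" workaround (CVE-2021-25214).
"""
import re
import sys

# Constructed sample configurations (not taken from any real deployment).
VULNERABLE_CONF = """
options {
    directory "/var/named";
    // GSS-TSIG enabled for Active Directory dynamic updates
    tkey-gssapi-keytab "/etc/named.keytab";
};
zone "example.test" {
    type slave;
    masters { 192.0.2.10; };
};
"""

HARDENED_CONF = """
options {
    directory "/var/named";
    request-ixfr no;   # workaround from the advisory
    /* tkey-gssapi-keytab "/etc/named.keytab";  disabled */
};
zone "example.test" {
    type slave;
    masters { 192.0.2.10; };
};
"""

# The two settings the advisory names as enabling the GSS-TSIG code path.
GSS_TSIG_OPTIONS = ("tkey-gssapi-keytab", "tkey-gssapi-credential")


def strip_comments(text):
    """Remove the C, C++ and shell style comments that named.conf accepts."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"(//|#).*", "", text)
    return text


def collect_statements(conf):
    """Map each statement keyword to the list of values seen for it.

    Hypothetical flat parser: braces are treated as statement separators,
    so nesting is ignored. That is enough to see whether an option occurs
    anywhere in the file, which is all this audit needs.
    """
    flat = strip_comments(conf).replace("{", ";").replace("}", ";")
    found = {}
    for stmt in flat.split(";"):
        parts = stmt.split()
        if not parts:
            continue
        found.setdefault(parts[0].lower(), []).append(" ".join(parts[1:]))
    return found


def audit(conf):
    """Return the exposure-relevant facts about a configuration."""
    found = collect_statements(conf)
    gss = [opt for opt in GSS_TSIG_OPTIONS if opt in found]
    ixfr_values = found.get("request-ixfr", [])
    ixfr_disabled = bool(ixfr_values) and ixfr_values[-1].lower() == "no"
    pulls = any(v.lower() in ("slave", "secondary") for v in found.get("type", []))
    return {
        "gss_tsig_enabled": bool(gss),
        "gss_tsig_options": gss,
        "ixfr_disabled": ixfr_disabled,
        "pulls_zone_transfers": pulls,
    }


def exposed_to(conf):
    """List the CVEs whose configuration precondition this file satisfies,
    assuming the server runs an affected BIND version."""
    facts = audit(conf)
    cves = []
    if facts["gss_tsig_enabled"]:
        cves.append("CVE-2021-25216")  # SPNEGO path reachable via GSS-TSIG
    if facts["pulls_zone_transfers"] and not facts["ixfr_disabled"]:
        cves.append("CVE-2021-25214")  # IXFR from a primary still accepted
    return cves


if __name__ == "__main__":
    # Usage: python audit_named.py /etc/named.conf  (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else VULNERABLE_CONF
    print(audit(text))
    print("exposed to:", exposed_to(text) or "nothing from this advisory")
```

Running it on the constructed vulnerable sample reports both CVE-2021-25216 and CVE-2021-25214; on the hardened sample, where the keytab option is commented out and request-ixfr is set to no, it reports neither. CVE-2021-25215 has no configuration precondition in the advisory and is therefore not part of this check; the only real fix for it is upgrading.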

Finally, if you want to know more about the release of these new corrective versions or about the fixed vulnerabilities, you can check the details at the following link.
