Kwiintsuku ezininzi ezidlulileyoUkukhululwa kweenguqulelo ezintsha ze-DNS BIND zakhutshwa yamasebe azinzileyo i-9.11.31 kunye ne-9.16.15 kwaye ikwophuhliso lwamasebe okulinga i-9.17.12, le yeyona seva i-DNS isetyenziswa kakhulu kwi-Intanethi kwaye isetyenziswa ikakhulu kwiinkqubo ze-Unix, apho isemgangathweni kwaye ixhaswe yiInternet Systems Consortium.
Kupapasho lweenguqulelo ezintsha, kukhankanyiwe ukuba eyona njongo iphambili kukulungisa ukungakhuseleki okuthathu, enye yazo (i-CVE-2021-25216) ebangela ukuba isikhukula siphuphume.
Kukhankanyiwe ukuba kwiinkqubo ezingama-32, Ukuba sesichengeni kunokuxhaphaza ukwenza ikhowudi ukude eyilelwe ngumhlaseli ngokuthumela isicelo esenziwe ngokukodwa se-GSS-TSIG, ngelixa iinkqubo ezingama-64-bit, ingxaki ikhawulelwe ekuthinteleni inkqubo ekhankanyiweyo.
Ingxaki Ibonakala kuphela xa indlela ye-GSS-TSIG yenziwe, elenziwa lasebenza yi-tkey-gssapi-keytab kunye nocwangciso lwe-tkey-gssapi-credential. I-GSS-TSIG ikhubazekile ngokungagqibekanga kwaye isetyenziswa ngokubanzi kwiindawo ezixubeneyo apho i-BIND idityaniswe nabalawuli besizinda esisebenzayo okanye xa idityaniswe neSamba.
Ukuba semngciphekweni kungenxa yempazamo ekuphunyezweni kwe-GSSAPI Negotiation Mechanism Ilula kwaye ikhuselekile (i-SPNEGO), ethi isetyenziswe yi-GSSAPI ukuthetha-thethana ngeendlela zokukhusela ezisetyenziswa ngumthengi kunye neseva. I-GSSAPI isetyenziswa njengeprotocol yenqanaba eliphezulu yotshintshiselwano oluphambili olukhuselekileyo kusetyenziswa ulwandiso lwe-GSS-TSIG, olusetyenziselwa ukungqinisisa uhlaziyo olunamandla kwimimandla ye-DNS.
BONISA iiseva ukuba zisengozini ukuba ziqhuba ingxelo echaphazelekayo kwaye zilungiselelwe ukusebenzisa imisebenzi ye-GSS-TSIG. Kuqwalaselo olusebenzisa ubumbeko olungagqibekanga lwe-BIND, indlela yekhowudi esesichengeni ayivelwanga, kodwa iseva inokwenziwa ibe sesichengeni ngokubeka ngokucacileyo amaxabiso okhetho lokumisela i-tkey-gssapi-keytabo tkey-gssapi-credential.
Nangona ukucwangciswa okungagqibekanga kungakhuselekanga, i-GSS-TSIG isetyenziswa rhoqo kuthungelwano apho i-BIND idityaniswe ne-Samba, kunye nakwiindawo ezixubeneyo zeseva ezidibanisa iiseva ze-BIND kunye nabalawuli besizinda esisebenzayo. Iiseva ezihlangabezana nale miqathango, ukuphunyezwa kwe-ISC SPNEGO kusesichengeni kuhlaselo olwahlukeneyo, kuxhomekeke kuyilo lwe-CPU eyakhelwe i-BIND:
Ukusukela ekubeni semngciphekweni omkhulu ekuphunyezweni kwe-SPNEGO yangaphakathi nangaphambili, ukuphunyezwa kwale protocol kususwe kwisiseko sekhowudi ye-BIND 9. Kubasebenzisi abafuna ukuxhasa i-SPNEGO, kuyacetyiswa ukuba kusetyenziswe isicelo sangaphandle esibonelelwa lilayibrari evela kwi-GSSAPI Inkqubo (efumaneka kwi-MIT Kerberos kunye neHeimdal Kerberos).
Ngokubhekisele kwezinye izinto ezibuthathaka ezisonjululwe ngokukhutshwa kwale nguqulo intsha, oku kulandelayo kuyakhankanywa:
- I-CVE-2021-25215: Inkqubo enikwe igama ixhonyiwe xa kusenziwa iirekhodi ze-DNAME (ezinye iidomain ziqhubekeka zilungiswa), ekhokelela ekongezeni iikopi eziphindiweyo kwicandelo le-ANSWER. Ukuxhaphaza ukuba semngciphekweni kweeseva ezigunyazisiweyo ze-DNS, utshintsho luyafuneka ekusetyenzisweni kwemimandla ye-DNS, kunye nakwiiseva eziphindaphindayo, irekhodi elinengxaki linokufunyanwa emva kokunxibelelana neseva enegunya.
- I-CVE-2021-25214: Inkqubo ebizwa ngokuba ngumqobo xa kusenziwa isicelo se-IXFR esenziwe ngokukodwa (esisetyenziselwa ukonyusa utshintsho kwimimandla ye-DNS phakathi kweeseva ze-DNS). Kuphela ziisistim ezivumele ukuhanjiswa kwe-DNS kumda womhlaseli ochaphazeleka yingxaki (ugqithiso lommandla luqhele ukusetyenziswa ukuvumelanisa iiseva kunye nekhoboka kwaye zivunyelwe kuphela kwiiseva ezithembakeleyo). Njengokusebenza, unokukhubaza inkxaso ye-IXFR ngokuseta "isicelo-ixfr hayi".
Abasebenzisi beenguqulelo zangaphambili ze-BIND, njengesisombululo sokuthintela ingxaki, banokukhubaza i-GSS-TSIG ukuseta okanye ukwakha kwakhona Bopha ngaphandle kwenkxaso ye-SPNEGO.
Gqibela ukuba unomdla wokwazi okungakumbi ngayo malunga nokukhutshwa kwezi nguqulelo zintsha zokulungisa okanye malunga nobungozi obulungisiweyo, unokujonga iinkcukacha ngokuya kule khonkco ilandelayo.