Ulwazi malunga ichonge ubuthathaka obu-7 kwiphakheji ye-Dnsmasq, edibanisa isisombululo esigciniweyo se-DNS kunye neseva ye-DHCP, eyabelwa igama lefayile DNSpooq. Ingxakis vumela uhlaselo lwenqolobane ye-DNS okanye i-buffer overflow oko kunokukhokelela ekuphunyezweni okukude kwekhowudi yomhlaseli.
Nangona kutshanje I-Dnsmasq ayisasetyenziswanga ngokungagungqiyo njengesombululi kusasazo oluqhelekileyo lweLinux, isasetyenziswa kwi-Android kunye nolwabiwo olukhethekileyo olufana ne-OpenWrt kunye ne-DD-WRT, kunye ne-firmware yee-wireless routers ezivela kubavelisi abaninzi. Kulwabiwo oluqhelekileyo, ukusetyenziswa ngokungagungqiyo kwe-dnsmasq kunokwenzeka, umzekelo xa usebenzisa i-libvirt, ingaqaliswa ukubonelela ngenkonzo ye-DNS koomatshini abanyanzelekileyo okanye inokusebenza ngokutshintsha useto kwisilungisi seNetworkManager.
Ukusukela ukuba inkcubeko yokuphucula i-wireless ishiya okuninzi okunqwenelekayo, Abaphandi boyika ukuba iingxaki ezichongiweyo zihlala zingasonjululwanga ixesha elide kwaye ziya kubandakanyeka kuhlaselo oluzenzekelayo kwii-routers ukufumana ulawulo phezu kwazo okanye ukuhambisa abasebenzisi kwiindawo ezinobungozi.
Kukho malunga neenkampani ezingama-40 ezisekwe kwi-Dnsmasq, kubandakanya iCisco, Comcast, Netgear, Ubiquiti, Nokia, Arista, Technicolor, Aruba, Wind River, Asus, AT&T, D-Link, Huawei, Juniper, Motorola, Synology, Xiaomi, ZTE, kunye neZyxel. Abasebenzisi bezi zixhobo banokulunyukiswa ukuba bangasebenzisi inkonzo yesiqhelo yokubuza imibuzo nge-DNS.
Inxalenye yokuqala yokuba semngciphekweni ifunyenwe eDnsmasq ibhekisa kukhuselo kuhlaselo lwetyhefu lwe-DNS, isekwe kwindlela ecetywayo ngo-2008 nguDan Kaminsky.
Imiba echongiweyo yenza ukhuseleko esele lukhona lungasebenzi kwaye vumela ukutshabalalisa idilesi ye-IP yommandla wokungena kwindawo efihlakeleyo. Indlela kaKaminsky yokulawula ubungakanani obungenakubalwa kumhlaba we-ID yombuzo we-DNS, ophela li-16 bits.
Ukufumana isazisi esichanekileyo esifunekayo sokuphamba igama lenginginya, thumela nje malunga nezicelo ezingama-7.000 kwaye ulingise malunga neempendulo ezili-140.000. Uhlaselo lubila ekuthumeleni inani elikhulu leepakethi eziboshwe nge-IP kwisisombululo se-DNS ngezichongi zentengiselwano ezahlukeneyo ze-DNS.
Ukuchongwa komngcipheko kunciphisa inqanaba le-32-bit entropy kulindeleke ukuba kufuneka uqashele iibits ezili-19, ezenza uhlaselo lwetyhefu efihlakeleyo lube yinyani. Ukongeza, ukuphathwa kwe-dnsmasq yeerekhodi ze-CNAME kuyivumela ukuba ichithe ikhonkco leerekhodi zeCNAME ekusebenziseni ngokufanelekileyo ukuya kuthi ga kwiirekhodi ezili-9 ze-DNS ngexesha.
- I-CVE-2020-25684: ukunqongophala kokuqinisekiswa kwesazisi sesicelo ngokudibeneyo nedilesi ye-IP kunye nenombolo yezibuko xa kusenziwa iimpendulo ze-DNS kwiiseva zangaphandle. Oku kuziphatha akuhambelani ne-RFC-5452, efuna isongezelelo sesicelo esiza kusetyenziswa xa kuthelekiswa impendulo.
- I-CVE-2020-25686: Ukunqongophala kokuqinisekiswa kwezicelo ezilindelweyo ngegama elifanayo, ukuvumela ukusetyenziswa kwendlela yokuzalwa ukunciphisa kakhulu inani lemizamo efunekayo yokwenza impendulo. Ngokudityaniswa nobungozi be-CVE-2020-25684, eli nqaku linokunciphisa ngokubonakalayo ubunzima bokuhlaselwa.
- I-CVE-2020-25685: ukusetyenziswa kwe-CRC32 hashing algorithm xa uqinisekisa iimpendulo, kwimeko yokuhlanganiswa ngaphandle kwe-DNSSEC (i-SHA-1 isetyenziswa kunye ne-DNSSEC). Ukuba semngciphekweni kunokusetyenziselwa ukunciphisa kakhulu inani leenzame ngokukuvumela ukuba uxhaphaze imimandla ene-CRC32 hash efanayo ne-domain ekujoliswe kuyo.
- Iseti yesibini yeengxaki (i-CVE-2020-25681, i-CVE-2020-25682, i-CVE-2020-25683, kunye ne-CVE-2020-25687) ibangelwa ziimpazamo ezibangela ukugcwala kwempazamo xa kusenziwa idatha ethile yangaphandle.
- Ngobungozi be-CVE-2020-25681 kunye ne-CVE-2020-25682, kunokwenzeka ukudala ukuxhaphaza okunokukhokelela ekuphunyezweni kwekhowudi kwinkqubo.
Okokugqibela kuyakhankanywa ukuba Ukuba semngciphekweni kulungisiwe kuhlaziyo lwe-Dnsmasq 2.83 Kwaye njengokusebenza, kuyacetyiswa ukuba ukhubaze i-DNSSEC kunye nokubuza i-caching usebenzisa ukhetho lomgca wokuyalela.
Umthombo: https://kb.cert.org