New BIND DNS corrective releases address a remote code execution vulnerability

A few days ago the release of new corrective versions of BIND DNS was announced for the stable branches, 9.11.31 and 9.16.15, and also for the experimental branch, 9.17.12. BIND is the most widely used DNS server on the Internet and is especially common on Unix systems, where it is the de facto standard; it is maintained by the Internet Systems Consortium (ISC).

The release announcement states that the main purpose of the new versions is to fix three vulnerabilities, one of which (CVE-2021-25216) is a buffer overflow.

On 32-bit systems, the vulnerability can be exploited to remotely execute attacker-supplied code by sending a specially crafted GSS-TSIG request, while on 64-bit systems the impact is limited to crashing the named process (a denial of service).

The problem is exposed only when the GSS-TSIG mechanism is enabled, which happens through the tkey-gssapi-keytab and tkey-gssapi-credential settings. GSS-TSIG is disabled in the default configuration and is typically used in mixed environments where BIND is combined with Active Directory domain controllers or integrated with Samba.

The vulnerability is caused by a bug in the implementation of the Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO), which GSSAPI uses to negotiate the protection mechanisms used by client and server. GSSAPI serves as the high-level protocol for secure key exchange in the GSS-TSIG extension, which is used to authenticate dynamic updates to DNS zones.

BIND servers are vulnerable if they run an affected version and are configured to use GSS-TSIG features. In a configuration that keeps the BIND defaults, the vulnerable code path is not exposed, but a server can be made vulnerable by explicitly setting values for the tkey-gssapi-keytab or tkey-gssapi-credential configuration options.

Although the default configuration is not vulnerable, GSS-TSIG is frequently used on networks where BIND is integrated with Samba, as well as in mixed server environments that combine BIND servers with Active Directory domain controllers. For servers that meet these conditions, the ISC SPNEGO implementation is vulnerable to different attacks depending on the CPU architecture for which BIND was built: remote code execution on 32-bit builds, a crash of the named process on 64-bit builds.

Since critical vulnerabilities had already been found in the internal SPNEGO implementation, the implementation of this protocol is being removed from the BIND 9 code base. Users who need SPNEGO support are advised to use the external implementation provided by the system GSSAPI library (available in MIT Kerberos and Heimdal Kerberos).

Regarding the other vulnerabilities resolved in these new corrective versions, the following is stated:

  • CVE-2021-25215: the named process crashes when processing DNAME records (records that redirect an entire subtree of subdomains), which leads to duplicate records being added to the ANSWER section. Exploiting the vulnerability against an authoritative DNS server requires changes to the DNS zones it serves; against a recursive server, the problematic record can be obtained after contacting an authoritative server that returns it.
  • CVE-2021-25214: the named process crashes when processing a specially crafted incoming IXFR zone transfer (used for the incremental transfer of zone changes between DNS servers). Only systems that accept DNS zone transfers from an attacker-controlled server are affected (zone transfers are normally used to synchronize primary and secondary servers and are selectively allowed only for trusted servers). As a workaround, IXFR can be disabled with the setting "request-ixfr no".

Users of earlier BIND versions can, as a workaround, disable GSS-TSIG in the configuration or rebuild BIND without SPNEGO support.
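As an added example (not from the article and not ISC code), the following Python script shows how an administrator could triage a BIND host against the three conditions described above: a build older than the fixed releases 9.11.31 / 9.16.15 / 9.17.12, the tkey-gssapi-keytab or tkey-gssapi-credential options that expose the GSS-TSIG code path, and the "request-ixfr no" workaround for CVE-2021-25214. The two named.conf fragments and the named -v strings are constructed sample input; the comment stripping and option matching are a deliberately simple regular-expression heuristic, not a full named.conf parser (in practice, feed it the canonical output of named-checkconf -p).

```python
import re

# Fixed releases announced with the advisories (from the article).
FIXED_RELEASES = {"9.11": (9, 11, 31), "9.16": (9, 16, 15), "9.17": (9, 17, 12)}

# Options that enable GSS-TSIG and therefore expose the SPNEGO code path.
GSS_TSIG_OPTIONS = ("tkey-gssapi-keytab", "tkey-gssapi-credential")

# Constructed sample input: `named -v` output before and after the fix.
NAMED_V_VULNERABLE = "BIND 9.16.12 (Stable Release) <id:0000000>"
NAMED_V_PATCHED = "BIND 9.16.15 (Stable Release) <id:0000000>"

# Constructed named.conf fragment: GSS-TSIG enabled for AD/Samba integration.
EXPOSED_CONF = """
options {
    directory "/var/cache/bind";
    // keytab used for GSS-TSIG dynamic updates from the AD domain controllers
    tkey-gssapi-keytab "/etc/bind/dns.keytab";
};
"""

# Constructed named.conf fragment with the workarounds applied:
# GSS-TSIG commented out, IXFR disabled.
HARDENED_CONF = """
options {
    directory "/var/cache/bind";
    /* GSS-TSIG stays off until the patched release is installed */
    // tkey-gssapi-keytab "/etc/bind/dns.keytab";
    request-ixfr no;   # CVE-2021-25214 workaround
};
"""


def strip_comments(conf: str) -> str:
    """Remove /* */, // and # comments so commented-out options are not counted.
    Heuristic only: it does not understand quoted strings."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.DOTALL)
    conf = re.sub(r"//[^\n]*", "", conf)
    conf = re.sub(r"#[^\n]*", "", conf)
    return conf


def parse_version(named_v_output: str) -> tuple:
    """Return (9, minor, patch) from `named -v` output."""
    m = re.search(r"\bBIND 9\.(\d+)\.(\d+)", named_v_output)
    if not m:
        raise ValueError(f"no BIND 9 version in {named_v_output!r}")
    return (9, int(m.group(1)), int(m.group(2)))


def is_fixed(version: tuple):
    """True/False against the branch's fixed release; None for branches the
    advisory did not list (the caller must decide for those)."""
    fixed = FIXED_RELEASES.get(f"{version[0]}.{version[1]}")
    return None if fixed is None else version >= fixed


def audit(named_v_output: str, named_conf: str) -> dict:
    """Combine the running version with the active configuration."""
    version = parse_version(named_v_output)
    patched = is_fixed(version)
    conf = strip_comments(named_conf)
    gss_opts = [o for o in GSS_TSIG_OPTIONS if re.search(rf"\b{o}\s+\S", conf)]
    m = re.search(r"\brequest-ixfr\s+(yes|no)\s*;", conf)
    request_ixfr = m.group(1) if m else "yes"   # BIND's default is yes
    # CVE-2021-25216 is reachable only on an unpatched build with GSS-TSIG on.
    # CVE-2021-25214 concerns secondaries pulling zones over IXFR, so the
    # workaround is reported as missing on an unpatched build with IXFR enabled.
    return {
        "version": version,
        "patched": patched,
        "gss_tsig_options": gss_opts,
        "request_ixfr": request_ixfr,
        "cve_2021_25216_reachable":
            None if patched is None else (not patched and bool(gss_opts)),
        "cve_2021_25214_workaround_missing":
            None if patched is None else (not patched and request_ixfr == "yes"),
    }


if __name__ == "__main__":
    for label, ver, conf in [("exposed", NAMED_V_VULNERABLE, EXPOSED_CONF),
                             ("hardened", NAMED_V_VULNERABLE, HARDENED_CONF),
                             ("patched", NAMED_V_PATCHED, EXPOSED_CONF)]:
        print(label, audit(ver, conf))
```

Run against a real host with `named -v` and `named-checkconf -p` as the two inputs; a commented-out tkey-gssapi-* option is correctly ignored, and a branch not in the table (for example 9.18) yields None rather than a false "safe".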

Finally, if you want to know more about the release of these new corrective versions or about the vulnerabilities they fix, you can check the details at the following link.

