A few days ago the release of new corrective versions of the BIND DNS server was announced: 9.11.31 and 9.16.15 in the stable branches, and 9.17.12 in the experimental (development) branch. BIND is the most widely used DNS server on the Internet and the de facto standard on Unix systems; it is maintained by the Internet Systems Consortium (ISC).
The release announcement states that the main purpose of these versions is to fix three vulnerabilities, one of which (CVE-2021-25216) causes a buffer overflow.
On 32-bit systems the vulnerability can be exploited to remotely execute attacker-controlled code by sending a specially crafted GSS-TSIG request; on 64-bit systems the impact is limited to crashing the named process (denial of service).
The problem only appears when GSS-TSIG is enabled, which happens through the tkey-gssapi-keytab and tkey-gssapi-credential settings. GSS-TSIG is disabled by default and is mostly used in mixed environments where BIND is combined with Active Directory domain controllers or integrated with Samba.
The vulnerability stems from an error in ISC's own implementation of the Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO), which GSSAPI uses to negotiate the protection mechanisms that client and server will use. GSSAPI serves as the high-level protocol for secure key exchange in the GSS-TSIG extension, which is used to authenticate dynamic updates to DNS zones.
BIND servers are vulnerable if they run an affected version and are configured to use GSS-TSIG functionality. In a configuration that keeps BIND's default settings, the vulnerable code path is not exposed, but a server becomes vulnerable as soon as a value is explicitly set for either the tkey-gssapi-keytab or the tkey-gssapi-credential configuration option.
Although the default configuration is not vulnerable, GSS-TSIG is widely used in networks where BIND is integrated with Samba, and in mixed server environments that combine BIND servers with Active Directory domain controllers. On servers meeting these conditions, the ISC SPNEGO implementation is exposed to different attacks depending on the CPU architecture BIND was built for: remote code execution on 32-bit builds, and a crash of the named process on 64-bit builds.
Since critical vulnerabilities had already been found in the internal SPNEGO implementation before, this protocol implementation is being removed from the BIND 9 code base. Users who need SPNEGO support are advised to use the external implementation provided by the system GSSAPI library (available in MIT Kerberos and Heimdal Kerberos).
Regarding the other vulnerabilities fixed in this corrective release, the following was stated:
- CVE-2021-25215: The named process crashes when processing DNAME records (which redirect an entire subtree of the namespace to another name) in a way that would add duplicate records to the ANSWER section. To exploit the vulnerability against an authoritative DNS server, changes to the zone content it serves are required; on recursive servers, the problematic record can be obtained simply by contacting an authoritative server that returns it.
- CVE-2021-25214: The named process crashes when processing a specially crafted incoming IXFR transfer (the incremental transfer of zone changes between DNS servers, i.e. a broken incremental update received from a primary). Only systems that accept DNS zone transfers from an attacker-controlled server are affected (zone transfers are normally used to synchronise primary (master) and secondary (slave) servers and are selectively allowed only from trusted servers). As a workaround, IXFR support can be disabled with the "request-ixfr no" setting, which makes the server request full (AXFR) transfers instead.
Users of earlier BIND versions can, as a mitigation, disable GSS-TSIG in the configuration (by not setting tkey-gssapi-keytab or tkey-gssapi-credential) or rebuild BIND without SPNEGO support.
Finally, if you want to know more about the release of these new corrective versions or about the fixed vulnerabilities, you can check the details at the following link.
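The following shell script is an added example written for this article; it is not ISC's code and does not appear in the release notes. It audits a named.conf for the two settings discussed above: whether tkey-gssapi-keytab or tkey-gssapi-credential activates GSS-TSIG (the code path reached by CVE-2021-25216), and whether the "request-ixfr no" workaround for CVE-2021-25214 is present. The file names and the two sample configurations it writes are constructed for the demonstration; it uses named-checkconf when BIND is installed and otherwise falls back to stripping comments itself.

```shell
#!/bin/sh
# Added example (not from the article or from ISC): audit a named.conf for the
# GSS-TSIG options behind CVE-2021-25216 and the request-ixfr workaround for
# CVE-2021-25214. Sample configs and paths below are constructed.

# Canonical config text without comments. named-checkconf -p prints the parsed
# configuration (comments and includes resolved); the sed fallback handles
# //, # and single-line /* */ comments only, so a commented-out option is not
# mistaken for an active one.
config_text() {
    if command -v named-checkconf >/dev/null 2>&1 && out=$(named-checkconf -p "$1" 2>/dev/null); then
        printf '%s\n' "$out"
    else
        sed -e 's:/\*.*\*/::g' -e 's://.*$::' -e 's:#.*$::' "$1"
    fi
}

# True (exit 0) when the config sets tkey-gssapi-keytab or tkey-gssapi-credential,
# i.e. GSS-TSIG is enabled and the vulnerable SPNEGO code becomes reachable.
gss_tsig_enabled() {
    config_text "$1" | grep -Eq '(^|[[:space:];{])tkey-gssapi-(keytab|credential)[[:space:]]+"'
}

# True (exit 0) when a "request-ixfr no;" statement is present. A more specific
# zone- or server-level "request-ixfr yes;" would override it, so this is a
# necessary check, not a sufficient one.
ixfr_disabled() {
    config_text "$1" | grep -Eq '(^|[[:space:];{])request-ixfr[[:space:]]+no[[:space:]]*;'
}

# Version of the locally installed named, if any; the fixed releases are
# 9.11.31, 9.16.15 and 9.17.12.
named_version() {
    if command -v named >/dev/null 2>&1; then named -v; else echo "named not installed"; fi
}

# Prints findings and returns the number of items that need attention on an
# unpatched server (0 when nothing does).
audit_config() {
    cfg=$1; rc=0
    if gss_tsig_enabled "$cfg"; then
        echo "$cfg: GSS-TSIG enabled via tkey-gssapi-*: CVE-2021-25216 code path reachable on unpatched BIND"
        rc=$((rc + 1))
    else
        echo "$cfg: GSS-TSIG not configured; CVE-2021-25216 code path not reachable"
    fi
    if ixfr_disabled "$cfg"; then
        echo "$cfg: request-ixfr no; present (CVE-2021-25214 workaround in place)"
    else
        echo "$cfg: incremental transfers still requested; patch, or add request-ixfr no; on secondaries"
        rc=$((rc + 1))
    fi
    return $rc
}

WORK=$(mktemp -d)

# Constructed sample 1: GSS-TSIG enabled for AD-integrated dynamic updates, IXFR left on.
VULN_CONF=$WORK/named.vuln.conf
cat >"$VULN_CONF" <<'EOF'
options {
    directory "/var/cache/bind";
    // Kerberos credentials used to authenticate GSS-TSIG dynamic updates
    tkey-gssapi-keytab "/etc/bind/dns.keytab";
    tkey-gssapi-credential "DNS/ns1.example.internal@EXAMPLE.INTERNAL";
};
zone "example.internal" {
    type secondary;
    primaries { 192.0.2.10; };
    file "example.internal.db";
};
EOF

# Constructed sample 2: GSS-TSIG left at its default (off), IXFR workaround applied.
SAFE_CONF=$WORK/named.safe.conf
cat >"$SAFE_CONF" <<'EOF'
options {
    directory "/var/cache/bind";
    # tkey-gssapi-keytab "/etc/bind/dns.keytab";   commented out: GSS-TSIG disabled
    request-ixfr no;    /* CVE-2021-25214 workaround: full transfers only */
};
EOF

named_version
audit_config "$VULN_CONF" || echo "-> $? item(s) need attention"
audit_config "$SAFE_CONF" || echo "-> $? item(s) need attention"
```

Run it against a real server with `audit_config /etc/bind/named.conf`; because `named-checkconf -p` follows `include` statements, options placed in included files are seen as well, whereas the sed fallback only reads the single file it is given.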