Ukuba sengozini okutholakala ku-Dnsmasq kuvunyelwe ukukopisha okuqukethwe kunqolobane ye-DNS

Muva nje, imininingwane mayelana ne- kukhonjwe ubungozi obungu-7 kuphakeji le-Dnsmasq, ehlanganisa isisombululo se-DNS esifakwe kunqolobane neseva ye-DHCP, eyabelwe igama lekhodi le-DNSpooq. Inkingavumela ukuhlaselwa kwe-DNS okunamandla noma ukugcwala kwe-buffer lokho kungaholela ekusebenzeni okukude kwekhodi yomhlaseli.

Noma ngabe muva nje I-Dnsmasq ayisasetshenziswa ngokuzenzakalela njengesixazululo ekusatshalalisweni okujwayelekile kwe-Linux, isasetshenziswa ku-Android nokusabalalisa okukhethekile okufana ne-OpenWrt ne-DD-WRT, kanye ne-firmware yamarutha angenantambo avela kubakhiqizi abaningi. Ekusatshalalisweni okujwayelekile, ukusetshenziswa ngokuphelele kwe-dnsmasq kungenzeka, ngokwesibonelo lapho usebenzisa i-libvirt, kungaqalwa ukuhlinzeka insizakalo ye-DNS kumishini ebonakalayo noma kungenziwa kusebenze ngokushintsha izilungiselelo kusihleli se-NetworkManager.

Njengoba isiko lokuthuthukisa i-wireless wireless lishiya okuningi ongakufisa, Abaphenyi besaba ukuthi izinkinga ezihlonziwe zingahlala zingaxazululwa isikhathi eside futhi sizobandakanyeka ekuhlaselweni okuzenzakalelayo kwama-routers ukuthola amandla phezu kwabo noma ukuqondisa kabusha abasebenzisi kumasayithi anonya.

Kukhona cishe izinkampani ezingama-40 ezisuselwa ku-Dnsmasq, kufaka phakathi iCisco, Comcast, Netgear, Ubiquiti, Siemens, Arista, Technicolor, Aruba, Wind River, Asus, AT & T, D-Link, Huawei, Juniper, Motorola, Synology, Xiaomi, ZTE, neZyxel. Abasebenzisi bamadivayisi anjalo bangaxwayiswa ukuthi bangasebenzisi isevisi yokuqondisa kabusha imibuzo ejwayelekile ye-DNS enikezwe kubo.

Ingxenye yokuqala yobungozi itholwe eDnsmasq isho ukuvikelwa ekuhlaselweni yi-DNS cache poisoning, ngokususelwa kunqubo ehlongozwayo ngo-2008 nguDan Kaminsky.

Izinkinga ezikhonjiwe zenza ukuvikelwa okukhona kungasebenzi bese uvumela ukukhipha ikheli le-IP lesizinda esingaqondakali kunqolobane. Indlela kaKaminsky ilawula usayizi onganakwa wenkambu ye-ID yombuzo we-DNS, okungamabhithi ayi-16 kuphela.

Ukuthola okokuhlonza okulungile okudingekayo ukonakalisa igama lomethuleli, vele uthumele izicelo ezingaba ngu-7.000 bese ulingisa izimpendulo mbumbulu ezingaba ngu-140.000. Lokhu kuhlasela kufinyelela ekuthumeleni inqwaba yamaphakethe angama-IP amanga ku-resolution ye-DNS ngezihlonzi ezihlukile zokuthengiselana ze-DNS.

Ukuba sengozini okukhonjiwe kwehlisa izinga le-32-bit entropy kulindeleke ukuthi kudingeke ukuqagela izingcezu eziyi-19, ezenza ukuhlaselwa ubuthi be-cache kube ngokoqobo impela. Ngokwengeziwe, ukuphatha kwe-dnsmasq kwamarekhodi e-CNAME kukuvumela ukuthi uchithe uchungechunge lwamarekhodi e-CNAME ukuze ususe kahle amarekhodi angama-9 e-DNS ngasikhathi.

  • I-CVE-2020-25684: ukungabikho kokuqinisekiswa kwe-ID yesicelo kuhlanganiswe nekheli le-IP nenombolo ye-port lapho kucubungulwa izimpendulo ze-DNS kusuka kumaseva angaphandle. Lokhu kuziphatha akuhambelani ne-RFC-5452, edinga izimfanelo zesicelo ezingeziwe ezizosetshenziswa lapho kufaniswa impendulo.
  • I-CVE-2020-25686: Ukuntuleka kokuqinisekiswa kwezicelo ezisalindile ezinegama elifanayo, okuvumela ukusetshenziswa kwendlela yokuzalwa ukwehlisa kakhulu inani lemizamo edingekayo yokukhohlisa impendulo. Ngokuhlanganiswa nobungozi be-CVE-2020-25684, lesi sici singakunciphisa kakhulu ubunzima bokuhlaselwa.
  • I-CVE-2020-25685: ukusetshenziswa kwe-CRC32 hashing algorithm engathembekile lapho kuqinisekiswa izimpendulo, uma kwenzeka kuhlanganiswa ngaphandle kwe-DNSSEC (i-SHA-1 isetshenziswa ne-DNSSEC) Ukuba sengozini kungasetshenziselwa ukunciphisa kakhulu inani lemizamo ngokukuvumela ukuthi usebenzise izizinda ezine-CRC32 hash efanayo ne-domain ekhonjiwe.
  • Isethi yesibili yezinkinga (i-CVE-2020-25681, i-CVE-2020-25682, i-CVE-2020-25683, ne-CVE-2020-25687) ibangelwa amaphutha adala ukugcwala kwe-buffer lapho kucubungulwa idatha ethile yangaphandle.
  • Ngobungozi be-CVE-2020-25681 ne-CVE-2020-25682, kungenzeka ukudala ukuxhashazwa okungaholela ekusebenzeni kwekhodi kusistimu.

Ekugcineni kushiwo lokho Ukuba sengozini kubhekwane nakho ku-Dnsmasq update 2.83 futhi njengendawo yokusebenza, kunconywa ukukhubaza i-DNSSEC nokubuza ukulondolozwa kwesikhashana usebenzisa izinketho zomugqa womyalo.

Umthombo: https://kb.cert.org


Yiba ngowokuqala ukuphawula

Shiya umbono wakho

Ikheli lakho le ngeke ishicilelwe. Ezidingekayo ibhalwe nge *

*

*

  1. Ubhekele imininingwane: Miguel Ángel Gatón
  2. Inhloso yedatha: Lawula Ugaxekile, ukuphathwa kwamazwana.
  3. Ukusemthethweni: Imvume yakho
  4. Ukuxhumana kwemininingwane: Imininingwane ngeke idluliselwe kubantu besithathu ngaphandle kwesibopho esisemthethweni.
  5. Isitoreji sedatha: Idatabase ebanjwe yi-Occentus Networks (EU)
  6. Amalungelo: Nganoma yisiphi isikhathi ungakhawulela, uthole futhi ususe imininingwane yakho.