New variant of the SAD DNS attack for injecting fake data into the DNS cache

A group of researchers from the University of California, Riverside has published a new variant of the SAD DNS attack (CVE-2021-20322) that works despite the protection added last year to block the CVE-2020-25705 vulnerability. The new method is broadly similar to last year's vulnerability and differs only in using a different type of ICMP packet to probe for active UDP ports. The presented attack allows fake data to be substituted into the cache of a DNS server, which can be used to replace the IP address of an arbitrary domain in the cache and redirect requests for that domain to a server controlled by the attacker.

The proposed method works only against the Linux network stack because it depends on the specifics of ICMP packet handling in Linux, which acts as a source of a data leak that simplifies determining the number of the UDP port the server used to send an outbound request. The changes that block the information leak were accepted into the Linux kernel at the end of August (the fix is included in kernel 5.15 and in the September updates to the LTS kernel branches). The fix boils down to switching the network caches to the SipHash hashing algorithm instead of the Jenkins hash. The status of the fix in distributions can be checked on these pages: Debian, RHEL, Fedora, SUSE, Ubuntu.
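The point of the fix is that a hash table indexed by attacker-influenced inputs must use a keyed hash with a secret. The example below is an added illustration written for this article, not the kernel's code or the researchers' code: it implements SipHash-2-4 and contrasts it with an unkeyed Jenkins one-at-a-time hash in a simplified bucket model; the flow encoding, the 256-bucket table and the use of one-at-a-time as a stand-in for the kernel's old hash are assumptions.

```python
import struct

MASK64 = (1 << 64) - 1
NBUCKETS = 256  # assumption: toy bucket count, not the kernel's table size

def _rotl(x, b):
    return ((x << b) | (x >> (64 - b))) & MASK64

def _sipround(v0, v1, v2, v3):
    v0 = (v0 + v1) & MASK64; v1 = _rotl(v1, 13) ^ v0; v0 = _rotl(v0, 32)
    v2 = (v2 + v3) & MASK64; v3 = _rotl(v3, 16) ^ v2
    v0 = (v0 + v3) & MASK64; v3 = _rotl(v3, 21) ^ v0
    v2 = (v2 + v1) & MASK64; v1 = _rotl(v1, 17) ^ v2; v2 = _rotl(v2, 32)
    return v0, v1, v2, v3

def siphash24(key: bytes, msg: bytes) -> int:
    """SipHash-2-4: keyed 64-bit PRF with a 128-bit secret key (the algorithm the fix switched to)."""
    k0, k1 = struct.unpack('<QQ', key)
    v = (k0 ^ 0x736f6d6570736575, k1 ^ 0x646f72616e646f6d,
         k0 ^ 0x6c7967656e657261, k1 ^ 0x7465646279746573)
    n = len(msg)
    padded = msg + bytes(7 - n % 8) + bytes([n & 0xff])  # zero pad, length in the last byte
    for i in range(0, len(padded), 8):
        m = struct.unpack_from('<Q', padded, i)[0]
        v = _sipround(*_sipround(v[0], v[1], v[2], v[3] ^ m))  # two compression rounds
        v = (v[0] ^ m,) + v[1:]
    v = (v[0], v[1], v[2] ^ 0xff, v[3])
    for _ in range(4):  # four finalization rounds
        v = _sipround(*v)
    return v[0] ^ v[1] ^ v[2] ^ v[3]

def jenkins_oaat(msg: bytes) -> int:
    """Jenkins one-at-a-time hash: unkeyed, so anyone can compute it offline (stand-in for the old hash)."""
    h = 0
    for b in msg:
        h = (h + b) & 0xffffffff
        h = (h + (h << 10)) & 0xffffffff
        h ^= h >> 6
    h = (h + (h << 3)) & 0xffffffff
    h ^= h >> 11
    return (h + (h << 15)) & 0xffffffff

def flow_key(src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bytes:
    return f"{src_ip}:{src_port}>{dst_ip}:{dst_port}".encode()  # constructed flow encoding

def bucket_unkeyed(flow: bytes) -> int:
    return jenkins_oaat(flow) % NBUCKETS  # same bucket for everyone: predictable without any secret
def bucket_keyed(key: bytes, flow: bytes) -> int:
    return siphash24(key, flow) % NBUCKETS  # depends on the per-boot secret key: not predictable
```

With an unkeyed hash an outsider can work out which flows share a bucket and thus which cache state a probe packet will touch; with SipHash under a secret key that mapping is unpredictable, which is what closes the side channel.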

According to the researchers who identified the problem, about 38% of resolvers on the Internet are vulnerable, including popular DNS services such as OpenDNS and Quad9 (9.9.9.9). As for server software, the attack can be carried out against packages such as BIND, Unbound and dnsmasq running on a Linux server. The problem does not occur on DNS servers running on Windows and BSD systems. To carry out the attack successfully, IP spoofing must be possible, i.e. the attacker's ISP must not block packets with a forged source IP address.

As a reminder, the SAD DNS attack bypasses the protection added to DNS servers to block the classic DNS cache poisoning method proposed by Dan Kaminsky in 2008. Kaminsky's method exploits the small size of the DNS query ID field, which is only 16 bits. To pick the correct DNS transaction identifier needed to spoof a host name, it is sufficient to send about 7000 requests and simulate about 140 fake responses. The attack boils down to sending a large number of packets with a forged source IP and with different DNS transaction identifiers to the DNS resolver. To prevent the first response from being cached, each fake response contains a slightly modified domain name (1.example.com, 2.example.com, 3.example.com, and so on).

To protect against this type of attack, DNS server vendors implemented random selection of the source network port numbers from which resolution requests are sent, which compensated for the insufficient size of the identifier. After this protection was implemented, sending a spoofed response required picking not only the 16-bit identifier but also one of 64 thousand ports, which increased the search space to 2^32.

The SAD DNS method allows the network port number to be determined much more easily and reduces the attack to the classic Kaminsky method. An attacker can determine which UDP ports are in use by exploiting the information leaked about port activity when ICMP response packets are processed. The method reduces the number of search options by 4 orders of magnitude: 2^16+2^16 instead of 2^32 (131_072 instead of 4_294_967_296). The information leak that allows active UDP ports to be determined quickly is caused by a flaw in the code for processing ICMP packets with fragmentation requests (ICMP Fragmentation Needed flag) or redirection (ICMP Redirect flag). Sending such packets changes the state of the cache in the network stack, which makes it possible to determine, from the server's response, which UDP port is active and which is not.

Attack scenario: When a DNS resolver tries to resolve a domain name, it sends a UDP query to the DNS server serving the domain. While the resolver waits for a response, the attacker can quickly determine the number of the source port used to send the request and send a fake response to it, impersonating the DNS server serving the domain by spoofing its IP address. The DNS resolver will cache the data sent in the fake response and for some time will return the IP address substituted by the attacker for all subsequent DNS requests for that domain name.

source: budenet.ru