New SAD DNS attack variant for injecting forged data into the DNS cache

A team of researchers from the University of California, Riverside has published a new variant of the SAD DNS attack (CVE-2021-20322) that works despite the protections added last year to block the CVE-2020-25705 vulnerability. The new method is broadly similar to last year's vulnerability and differs only in using a different kind of ICMP packet to probe for active UDP ports. The proposed attack allows forged data to be placed in a DNS server's cache, which can be used to replace the IP address of an arbitrary domain in the cache and redirect requests for that domain to the attacker's server.

The proposed method only works against the Linux network stack, because it depends on specifics of how Linux processes ICMP packets; that processing acts as an information leak that makes it easier to determine the UDP port number the server used to send an outgoing request. Changes that close the leak were accepted into the Linux kernel at the end of August (the fix is included in kernel 5.15 and in the September LTS kernel updates). The fix consists of switching the network caches to the SipHash hashing algorithm instead of Jenkins Hash. The status of the fix in distributions can be checked on these pages: Debian, RHEL, Fedora, SUSE, Ubuntu.

According to the researchers who identified the problem, about 38% of resolvers on the Internet are vulnerable, including popular DNS services such as OpenDNS and Quad9 (9.9.9.9). As for server software, the attack can be carried out against Linux-based server packages such as BIND, Unbound, and dnsmasq. On DNS servers running Windows and BSD systems, the problem does not manifest itself. A successful attack requires IP spoofing, meaning the attacker's ISP must not block packets with spoofed source IP addresses.

As a reminder, the SAD DNS attack bypasses the protections that were added to DNS servers to block the classic DNS cache poisoning method presented by Dan Kaminsky in 2008. Kaminsky's method exploits the small size of the DNS query ID field, which is only 16 bits. To pick the correct DNS transaction identifier needed to spoof a hostname, it is enough to send about 7,000 requests and simulate about 140 fake responses. The attack boils down to sending a large number of packets with a spoofed IP address and with different DNS transaction identifiers to the DNS resolver. To prevent the first response from being cached, each fake response carries a slightly modified domain name (1.example.com, 2.example.com, 3.example.com, and so on).

To protect against this type of attack, DNS server vendors implemented randomization of the source port numbers from which resolution requests are sent, which compensated for the insufficient size of the identifier. After this protection was implemented, sending a fake response required not only guessing the 16-bit identifier but also picking one of 64 thousand ports, which increased the number of options to guess to 2^32.

The SAD DNS method makes it much easier to determine the source port number and so reduces the attack to the classic Kaminsky method. The attacker can identify unused UDP ports by exploiting information leaked about port activity while ICMP response packets are processed. The method reduces the number of options to search by four orders of magnitude: 2^16+2^16 instead of 2^32 (131,072 instead of 4,294,967,296). The information leak that allows UDP ports to be determined quickly is caused by a flaw in the code that handles ICMP packets requesting fragmentation (the ICMP Fragmentation Needed flag) or redirection (the ICMP Redirect flag). Sending such packets changes the state of a cache in the network stack, which makes it possible to determine, from the server's response, which UDP ports are active and which are not.

Attack scenario: when a DNS resolver tries to resolve a domain name, it sends a UDP query to the DNS server that serves the domain. While the resolver is waiting for a response, the attacker can quickly determine the source port number used to send the query and send a forged response, impersonating the DNS server that serves the domain by spoofing its IP address. The DNS resolver will cache the data sent in the forged response and, for some time, will return the IP address substituted by the attacker for all other DNS queries for that domain name.
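As an added illustration of the detection side (this is not code from the researchers or from the article), the toy Python below flags a recursive resolver that receives a burst of the ICMP message kinds named above, Fragmentation Needed (type 3, code 4) and Redirect (type 5), within a short window. The record format, addresses and threshold are constructed for this example; legitimate path-MTU discovery also produces Fragmentation Needed messages, so the threshold is illustrative and would need tuning against a real baseline.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# ICMP message kinds the SAD DNS variant uses to probe the resolver's ports.
FRAG_NEEDED = (3, 4)   # Destination Unreachable, code 4: Fragmentation Needed
REDIRECT_TYPE = 5      # Redirect (any code)

def is_probe_type(icmp_type, icmp_code):
    """True for the ICMP kinds that touch the kernel's per-destination cache."""
    return (icmp_type, icmp_code) == FRAG_NEEDED or icmp_type == REDIRECT_TYPE

def parse_events(text):
    """Parse constructed records '<ISO time> <src ip> <dst ip> <type> <code>'."""
    events = []
    for line in text.strip().splitlines():
        ts, src, dst, icmp_type, icmp_code = line.split()
        events.append((datetime.fromisoformat(ts), src, dst,
                       int(icmp_type), int(icmp_code)))
    return sorted(events, key=lambda e: e[0])

def find_bursts(events, window=timedelta(seconds=1), threshold=20):
    """Return {dst: peak count} for destinations that received more than
    `threshold` probe-type ICMP messages inside any sliding `window`."""
    recent = defaultdict(deque)   # dst -> timestamps still inside the window
    peaks = defaultdict(int)
    for ts, _src, dst, icmp_type, icmp_code in events:
        if not is_probe_type(icmp_type, icmp_code):
            continue              # e.g. plain Port Unreachable (3/3) is noise here
        queue = recent[dst]
        queue.append(ts)
        while ts - queue[0] > window:
            queue.popleft()
        peaks[dst] = max(peaks[dst], len(queue))
    return {dst: n for dst, n in peaks.items() if n > threshold}

def constructed_sample():
    """Constructed log: 30 Fragmentation Needed messages to resolver 192.0.2.53
    within one second, plus benign Port Unreachable noise to 192.0.2.80."""
    base = datetime(2021, 11, 10, 12, 0, 0)
    lines = [f"{(base + timedelta(milliseconds=30 * i)).isoformat()} "
             f"198.51.100.7 192.0.2.53 3 4" for i in range(30)]
    lines += [f"{(base + timedelta(seconds=i)).isoformat()} "
              f"203.0.113.9 192.0.2.80 3 3" for i in range(5)]
    return "\n".join(lines)

if __name__ == "__main__":
    print(find_bursts(parse_events(constructed_sample())))   # {'192.0.2.53': 30}
```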

source: budenet.ru
