BIND DNS server updated to fix a remote code execution vulnerability

Corrective updates have been published for the stable BIND DNS server branches 9.11.31 and 9.16.15, as well as for the experimental 9.17.12 branch, which is still under development. The new releases fix three vulnerabilities, one of which (CVE-2021-25216) leads to a buffer overflow. On 32-bit systems, the vulnerability can be exploited to remotely execute attacker code by sending a specially crafted GSS-TSIG request. On 64-bit systems, the problem is limited to a crash of the named process.

The problem appears only when the GSS-TSIG mechanism is enabled, which is done with the tkey-gssapi-keytab and tkey-gssapi-credential settings. GSS-TSIG is disabled in the default configuration and is typically used in mixed environments where BIND is combined with Active Directory domain controllers, or when integrating with Samba.

The vulnerability is caused by an error in the implementation of SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism), which is used in GSSAPI to negotiate the protection methods used by the client and the server. GSSAPI serves as the high-level protocol for secure key exchange through the GSS-TSIG extension, which is used to authenticate dynamic DNS zone updates.

Because critical vulnerabilities had already been found in the built-in SPNEGO implementation in the past, the implementation of this protocol has been removed from the BIND 9 code base. Users who need SPNEGO support are advised to use an external implementation provided by the system GSSAPI library (available in MIT Kerberos and Heimdal Kerberos).

As a workaround, users of older BIND versions can disable GSS-TSIG in the settings (the tkey-gssapi-keytab and tkey-gssapi-credential options) or rebuild BIND without support for the SPNEGO mechanism (the "--disable-isc-spnego" option of the "configure" script). You can track the availability of updates in distributions on the following pages: Debian, SUSE, Ubuntu, Fedora, Arch Linux, FreeBSD, NetBSD. The RHEL and ALT Linux packages are built without native SPNEGO support.

In addition, two more vulnerabilities are fixed in the BIND updates in question:

  • CVE-2021-25215 - the named process crashes when processing DNAME records (redirect handling for part of the subdomains), which leads to duplicates being added to the ANSWER section. Exploiting the vulnerability on authoritative DNS servers requires making changes to the DNS zones being served, and for recursive servers the problematic record can be obtained after contacting an authoritative server.
  • CVE-2021-25214 - the named process crashes when processing a specially crafted incoming IXFR request (used to transfer changes in DNS zones between DNS servers). The problem affects only systems that allow DNS zone transfers from the attacker's server (zone transfers are usually used to synchronize master and slave servers and are selectively allowed only for trusted servers). As a workaround, you can disable IXFR support with the "request-ixfr no;" setting.
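The workarounds described above can be checked against a server's configuration. The following is an added example, not code from the article or from the BIND project: a small audit that compares an upstream version string with the fixed releases named above and looks for the GSS-TSIG and IXFR settings in named.conf text. The function names and the sample configuration are constructed for illustration, and the version check assumes upstream numbering (distribution packages may carry backported fixes or be built without the built-in SPNEGO code).

```python
import re

# Fixed upstream releases named in the article, keyed by branch.
FIXED = {(9, 11): 31, (9, 16): 15, (9, 17): 12}
GSS_OPTIONS = ("tkey-gssapi-keytab", "tkey-gssapi-credential")

def strip_comments(conf):
    """Drop /* */, // and # comments (assumes no comment markers inside quoted strings)."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)

def audit(version, conf):
    """Return findings for an upstream BIND version string and named.conf text."""
    major, minor, patch = map(int, re.match(r"(\d+)\.(\d+)\.(\d+)", version).groups())
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return ["branch %d.%d is not named in the article; check the vendor advisory" % (major, minor)]
    if patch >= fixed:
        return []
    body = strip_comments(conf)
    findings = []
    active = [o for o in GSS_OPTIONS if re.search(r"(?<![\w-])%s\s" % re.escape(o), body)]
    if active:
        findings.append("CVE-2021-25216: GSS-TSIG enabled via " + ", ".join(active))
    # Simplification: any "request-ixfr no;" counts, wherever it appears.
    if not re.search(r"request-ixfr\s+no\s*;", body):
        findings.append("CVE-2021-25214: IXFR not disabled (request-ixfr no;)")
    findings.append("CVE-2021-25215: no configuration workaround given; upgrade")
    return findings

# Constructed sample configuration, not taken from a real server.
SAMPLE_CONF = """
options {
    directory "/var/named";
    tkey-gssapi-keytab "/etc/krb5.keytab";
    /* request-ixfr no; */
};
"""

if __name__ == "__main__":
    for v in ("9.16.14", "9.16.15"):
        print(v, audit(v, SAMPLE_CONF) or "patched release")
```

A commented-out option is treated as inactive, so the sample reports the IXFR workaround as missing even though the text "request-ixfr no;" appears in the file.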

source: budenet.ru
