BIND DNS server update fixing a remote code execution vulnerability

Corrective updates have been published for the stable branches of the BIND DNS server, 9.11.31 and 9.16.15, as well as for the experimental branch 9.17.12, which is under development. The new releases address three vulnerabilities, one of which (CVE-2021-25216) causes a buffer overflow. On 32-bit systems, the vulnerability can be exploited to remotely execute an attacker's code by sending a specially crafted GSS-TSIG request. On 64-bit systems the problem is limited to a crash of the named process.

The problem appears only when the GSS-TSIG mechanism is enabled, which is done with the tkey-gssapi-keytab and tkey-gssapi-credential settings. GSS-TSIG is disabled in the default configuration and is typically used in mixed environments where BIND is combined with Active Directory domain controllers, or when integrating with Samba.

The vulnerability is caused by an error in the implementation of SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism), which GSSAPI uses to negotiate the protection methods used by the client and the server. GSSAPI serves as a high-level protocol for secure key exchange through the GSS-TSIG extension, which is used to authenticate dynamic DNS zone updates.

Because critical vulnerabilities in the built-in SPNEGO implementation have been found before, the implementation of this protocol has been removed from the BIND 9 code base. Users who need SPNEGO support are advised to use the external implementation provided by the GSSAPI system library (supplied with MIT Kerberos and Heimdal Kerberos).

Users of older versions of BIND can, as a workaround that blocks the problem, disable GSS-TSIG in the settings (the tkey-gssapi-keytab and tkey-gssapi-credential options) or rebuild BIND without support for the SPNEGO mechanism (the "--disable-isc-spnego" option of the "configure" script). The availability of updates in distributions can be tracked on the following pages: Debian, SUSE, Ubuntu, Fedora, Arch Linux, FreeBSD, NetBSD. The RHEL and ALT Linux packages are built without native SPNEGO support.

In addition, two more vulnerabilities are fixed in the BIND updates in question:

  • CVE-2021-25215 - the named process crashes when processing DNAME records (redirection of part of the subdomains), which leads to duplicates being added to the answer section. Exploiting the vulnerability on authoritative DNS servers requires making changes to the DNS zones being served, while on recursive servers the problematic record can be obtained after contacting an authoritative server.
  • CVE-2021-25214 - the named process crashes when processing a specially crafted incoming IXFR request (used for incremental transfer of changes in DNS zones between DNS servers). The problem affects only systems that allow DNS zone transfers from the attacker's server (zone transfers are usually used to synchronize master and slave servers and are selectively allowed only for trusted servers). As a security workaround, you can disable IXFR support with the "request-ixfr no;" setting.
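The version and workaround checks described above can be scripted for a fleet of name servers. The following is an added example, not code from the article or from ISC: it compares a version string with the fixed releases named above and reports which of the two documented workarounds is missing from a named.conf text. The function names and the sample configuration are constructed for illustration, and CVE-2021-25215 is not covered because the article gives no configuration workaround for it.

```python
import re

# Fixed releases named in the article, keyed by (major, minor) branch.
FIXED = {(9, 11): 31, (9, 16): 15, (9, 17): 12}
GSS_OPTS = ("tkey-gssapi-keytab", "tkey-gssapi-credential")
# Quoted strings are matched first so comment markers inside them survive.
_SKIP = re.compile(r'"[^"\n]*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)

def strip_comments(conf):
    """Blank out /* */, // and # comments; quoted strings are kept."""
    return _SKIP.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else " ", conf)

def is_patched(version):
    """True/False for the branches the article lists, None for any other."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return None
    major, minor, patch = map(int, m.groups())
    fixed = FIXED.get((major, minor))
    return None if fixed is None else patch >= fixed

def audit(conf, version):
    """Return (status, CVE ids whose workaround from the article is absent)."""
    patched = is_patched(version)
    status = {True: "patched", False: "unpatched", None: "unknown-branch"}[patched]
    if patched:
        return status, []
    text = strip_comments(conf)
    missing = []
    # GSS-TSIG is enabled when either tkey-gssapi-* option is set.
    if any(re.search(r"(?<![\w-])" + opt + r"\s", text) for opt in GSS_OPTS):
        missing.append("CVE-2021-25216")
    # Coarse: any "request-ixfr no;" counts, whichever block contains it.
    if not re.search(r"(?<![\w-])request-ixfr\s+no\s*;", text):
        missing.append("CVE-2021-25214")
    return status, missing

# Constructed sample configuration, not taken from a real server.
SAMPLE = '''
options {
    directory "/var/named";   // working directory
    tkey-gssapi-keytab "/etc/named//krb5.keytab";
    # request-ixfr no;
};
'''

if __name__ == "__main__":
    for ver in ("BIND 9.16.13", "9.16.15", "9.11.30"):
        print(ver, audit(SAMPLE, ver))
```

A status of "unknown-branch" means the version belongs to a branch the article does not mention, so the configuration findings are reported without a verdict on the binary.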

Source: opennet.ru
