BIND DNS server update fixes a vulnerability leading to code execution

Corrective updates have been published for the stable branches of the BIND DNS server, 9.11.31 and 9.16.15, and for the experimental branch 9.17.12, which is still under development. The new releases address three vulnerabilities, one of which (CVE-2021-25216) is a buffer overflow. On 32-bit systems the vulnerability can be exploited to remotely execute attacker-supplied code by sending a specially crafted GSS-TSIG request. On 64-bit systems the problem is limited to crashing the named process (denial of service).

The problem only arises when the GSS-TSIG mechanism is enabled, which happens when the tkey-gssapi-keytab or tkey-gssapi-credential settings are configured. GSS-TSIG is disabled in the default configuration and is typically used in mixed environments where BIND is combined with Active Directory domain controllers, or when integrating with Samba.

The vulnerability is caused by an error in the implementation of SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism), which GSSAPI uses to negotiate the protection mechanisms used by the client and server. GSSAPI serves as the high-level protocol for secure key exchange via the GSS-TSIG extension, which is used to authenticate dynamic DNS zone updates.

Because critical vulnerabilities had previously been found in the in-house SPNEGO implementation, that implementation has been removed from the BIND 9 code base. Users who need SPNEGO support are advised to use the external implementation provided by the system GSSAPI library (shipped with MIT Kerberos and Heimdal Kerberos).

As a workaround, users of older BIND versions can disable GSS-TSIG in the configuration (the tkey-gssapi-keytab and tkey-gssapi-credential options) or rebuild BIND without support for the SPNEGO mechanism (the "--disable-isc-spnego" option of the "configure" script). The availability of updates in distributions can be followed on these pages: Debian, SUSE, Ubuntu, Fedora, Arch Linux, FreeBSD, NetBSD. RHEL and ALT Linux packages are built without SPNEGO support.

In addition, two more vulnerabilities are fixed in the new BIND releases:

  • CVE-2021-25215 - the named process crashes when processing DNAME records (redirection of part of a subdomain subtree) in a way that leads to duplicate records being added to the ANSWER section. Exploiting the vulnerability against an authoritative DNS server requires the ability to change the zones it serves, while for a recursive server the problematic record can be obtained simply by querying an authoritative server that returns it.
  • CVE-2021-25214 - the named process crashes when processing a specially crafted incoming incremental zone transfer (IXFR, used to transfer incremental changes to DNS zones between DNS servers). The problem only affects systems that accept zone transfers from a server under the attacker's control (zone transfers are normally used to synchronize master and slave servers and are allowed only from trusted servers). As a workaround, IXFR support can be disabled with the "request-ixfr no;" setting.
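To make the preconditions above concrete, here is an added example (my own code, not from the article or from ISC) that turns the advisory's conditions for CVE-2021-25216 (GSS-TSIG enabled and the in-tree SPNEGO compiled in) and CVE-2021-25214 (secondary zones with request-ixfr left at its default) into a check: it reads the version and configure flags from `named -V` output and scans a named.conf for the tkey-gssapi-* and request-ixfr settings. The sample `named -V` output and both configurations are constructed. The named.conf scan is a simple regex pass rather than a real parser, and the version test knows nothing about distribution backports (vendor packages often carry the fix without a version bump, and RHEL and ALT Linux ship without SPNEGO at all), so treat its output as a triage aid rather than proof of exposure.

```python
"""Check a BIND host against the CVEs fixed in 9.11.31 / 9.16.15 / 9.17.12.

Added example, not code from the article or from ISC. The named.conf scan
is a line-oriented heuristic, not a parser, and the version check ignores
distribution backports, so a positive result is a prompt to verify.
"""
import re

# First fixed release on each branch named in the advisory.
FIXED = {(9, 11): 31, (9, 16): 15, (9, 17): 12}
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)")


def parse_version(named_v_output):
    """(major, minor, patch) from the first line of `named -V`."""
    m = VERSION_RE.search(named_v_output)
    if not m:
        raise ValueError("no BIND version in %r" % named_v_output)
    return tuple(int(x) for x in m.groups())


def version_is_fixed(version):
    """True if the upstream release carries the fixes. Branches newer than
    9.17 are assumed (assumption) to postdate them; EOL branches such as
    9.12-9.15 never received them and count as unfixed."""
    major, minor, patch = version
    branch = (major, minor)
    if branch in FIXED:
        return patch >= FIXED[branch]
    return branch > (9, 17)


def isc_spnego_disabled(named_v_output):
    """`named -V` echoes the configure flags; --disable-isc-spnego leaves
    out the in-tree SPNEGO code that CVE-2021-25216 lives in."""
    return "--disable-isc-spnego" in named_v_output


def strip_comments(text):
    """Drop /* */, // and # comments so commented-out options are ignored."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def audit_named_conf(text):
    """Pull out the settings the advisory's preconditions depend on."""
    clean = strip_comments(text)
    # Either tkey-gssapi-* option enables GSS-TSIG; both are off by default.
    gss = re.search(r"\btkey-gssapi-(keytab|credential)\b", clean) is not None
    # request-ixfr defaults to yes when absent.
    m = re.search(r"\brequest-ixfr\s+(yes|no)\s*;", clean)
    request_ixfr = m.group(1) == "yes" if m else True
    secondaries = len(re.findall(r"\btype\s+(slave|secondary)\s*;", clean))
    return {"gss_tsig": gss, "request_ixfr": request_ixfr,
            "secondary_zones": secondaries}


def assess(named_v_output, named_conf):
    """List the CVEs this version + configuration is still exposed to."""
    if version_is_fixed(parse_version(named_v_output)):
        return []
    conf = audit_named_conf(named_conf)
    # DNAME bug: any unfixed named; an authoritative server needs an attacker
    # with zone write access, a recursive one can be fed the record upstream.
    findings = ["CVE-2021-25215"]
    if conf["gss_tsig"] and not isc_spnego_disabled(named_v_output):
        findings.append("CVE-2021-25216")  # SPNEGO reachable via GSS-TSIG
    if conf["secondary_zones"] and conf["request_ixfr"]:
        findings.append("CVE-2021-25214")  # malformed IXFR from a primary
    return findings


# Constructed sample inputs (not a real host): an unfixed 9.16 build with
# GSS-TSIG on for Active Directory clients and a secondary zone using IXFR.
SAMPLE_NAMED_V = """BIND 9.16.13-Debian (Extended Support Version) <id:0000000>
built by make with '--prefix=/usr' '--with-gssapi=yes' '--with-libtool'
"""
SAMPLE_CONF = """
options {
    directory "/var/cache/bind";
    tkey-gssapi-keytab "/etc/bind/named.keytab";  // GSS-TSIG for AD clients
    // request-ixfr no;  <- commented out, so the default (yes) applies
};
zone "corp.example" {
    type slave;
    masters { 192.0.2.10; };
    file "slaves/corp.example";
};
"""
# The same host with the article's workarounds: GSS-TSIG removed and
# incremental transfers replaced by full AXFR.
HARDENED_CONF = """
options {
    directory "/var/cache/bind";
    request-ixfr no;  // CVE-2021-25214 workaround
};
zone "corp.example" {
    type secondary;
    primaries { 192.0.2.10; };
    file "secondaries/corp.example";
};
"""

if __name__ == "__main__":
    print("as deployed:", assess(SAMPLE_NAMED_V, SAMPLE_CONF))
    print("with workarounds:", assess(SAMPLE_NAMED_V, HARDENED_CONF))
```

On a real host, feed `assess()` the output of `named -V` and the contents of named.conf (including any files it pulls in with include statements, which this scan does not follow). The deployed sample reports all three CVEs; applying the two workarounds drops the SPNEGO and IXFR findings but leaves CVE-2021-25215, which has no configuration workaround and only goes away with the update.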

Source: opennet.ru
