Zosintha zowongolera zasindikizidwa ku nthambi zokhazikika za BIND DNS seva 9.11.31 ndi 9.16.15, komanso nthambi yoyesera 9.17.12, yomwe ikukula. Zotulutsa zatsopanozi zimayang'ana zovuta zitatu, zomwe (CVE-2021-25216) zimayambitsa kusefukira kwa buffer. Pamakina a 32-bit, chiwopsezocho chingagwiritsidwe ntchito kuti apereke nambala yachiwembu patali potumiza pempho lopangidwa mwapadera la GSS-TSIG. Pamakina 64 vuto limangokhala pakuwonongeka kwazomwe zatchulidwa.
Vuto limangowonekera pamene makina a GSS-TSIG atsegulidwa, atsegulidwa pogwiritsa ntchito tkey-gssapi-keytab ndi tkey-gssapi-credential settings. GSS-TSIG ndiyozimitsidwa pakusintha kosasintha ndipo nthawi zambiri imagwiritsidwa ntchito m'malo osakanikirana pomwe BIND imaphatikizidwa ndi Active Directory domain controller, kapena ikaphatikizidwa ndi Samba.
Chiwopsezochi chimayamba chifukwa cha cholakwika pakukhazikitsa njira ya SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism), yomwe imagwiritsidwa ntchito mu GSSAPI kukambirana njira zotetezera zomwe kasitomala ndi seva amagwiritsa ntchito. GSSAPI imagwiritsidwa ntchito ngati njira yapamwamba yosinthira makiyi otetezedwa pogwiritsa ntchito kuwonjezera kwa GSS-TSIG komwe kumagwiritsidwa ntchito potsimikizira zosintha za DNS zone.
Chifukwa zofooka zazikulu pakukhazikitsidwa komangidwa kwa SPNEGO zapezeka kale, kukhazikitsidwa kwa protocol iyi kwachotsedwa pa code BIND 9. Kwa ogwiritsa ntchito omwe amafunikira thandizo la SPNEGO, tikulimbikitsidwa kugwiritsa ntchito kukhazikitsidwa kwakunja komwe kumaperekedwa ndi GSSAPI. library library (yoperekedwa ku MIT Kerberos ndi Heimdal Kerberos).
Ogwiritsa ntchito mitundu yakale ya BIND, ngati njira yothetsera vutoli, amatha kuletsa GSS-TSIG pazosintha (zosankha tkey-gssapi-keytab ndi tkey-gssapi-credential) kapena kumanganso BIND popanda kuthandizidwa ndi makina a SPNEGO (njira "- -disable-isc-spnego" mu script "sintha"). Mutha kutsata kupezeka kwa zosintha pamagawidwe patsamba lotsatirali: Debian, SUSE, Ubuntu, Fedora, Arch Linux, FreeBSD, NetBSD. Maphukusi a RHEL ndi ALT Linux amamangidwa popanda thandizo lachilengedwe la SPNEGO.
Kuphatikiza apo, ziwopsezo zina ziwiri zakhazikika pazosintha za BIND zomwe zikufunsidwa:
- CVE-2021-25215 - njira yomwe idatchulidwa idasokonekera pokonza ma rekodi a DNAME (kuwongoleranso gawo la magawo ang'onoang'ono), zomwe zidapangitsa kuwonjezera zobwereza ku gawo la ANSWER. Kugwiritsa ntchito chiwopsezo pa ma seva ovomerezeka a DNS kumafuna kusintha magawo a DNS okonzedwa, komanso ma seva obwereza, mbiri yamavuto imatha kupezeka mutalumikizana ndi seva yovomerezeka.
- CVE-2021-25214 - Njira yotchulidwayo imawonongeka pokonza pempho la IXFR lopangidwa mwapadera (lomwe limagwiritsidwa ntchito kusamutsa mochulukira zosintha za DNS pakati pa ma seva a DNS). Vutoli limakhudza machitidwe okhawo omwe alola kusamutsidwa kwa madera a DNS kuchokera pa seva ya wowukira (nthawi zambiri kusamutsa madera kumagwiritsidwa ntchito kulumikiza ma seva ambuye ndi akapolo ndipo amaloledwa mwa kusankha kwa ma seva odalirika). Monga njira yachitetezo, mutha kuletsa chithandizo cha IXFR pogwiritsa ntchito "pempho-ixfr no;".
Source: opennet.ru