Vulnerabilities in FreeBSD, IPnet and Nucleus NET caused by errors in the implementation of DNS compression

The Forescout Research Labs and JSOF Research teams have published the results of a joint study of the security of various implementations of the compression scheme used to pack repeated names in DNS, mDNS, DHCP and IPv6 RA messages (packing of repeated domain parts in messages that contain several names). In the course of the work, 9 vulnerabilities were identified, grouped under the code name NAME:WRECK.

Problems were identified in FreeBSD, as well as in the embedded network stacks IPnet, Nucleus NET and NetX, which are widely used in the real-time operating systems VxWorks, Nucleus and ThreadX found in automation devices, storage systems, medical equipment, avionics, printers and consumer electronics. At least 100 million devices are estimated to be affected by the vulnerabilities.

  • The vulnerability in FreeBSD (CVE-2020-7461) allowed an attacker located on the same local network as the victim to achieve execution of their code by sending a specially crafted DHCP packet, the processing of which by the vulnerable DHCP client led to a buffer overflow. The problem was mitigated by the fact that the dhclient process in which the vulnerability was present ran with reduced privileges in an isolated Capsicum environment, so escaping it would require exploiting a further vulnerability.

    The essence of the bug is insufficient checking of parameters in a packet returned by the DHCP server carrying DHCP option 119, which allows a "domain search" list to be passed to the resolver. An incorrect calculation of the buffer size needed to hold the unpacked domain names caused attacker-controlled data to be written beyond the allocated buffer. In FreeBSD the problem was fixed in September of last year. The problem can only be exploited with access to the local network.

  • The vulnerability in the embedded IPnet network stack used in the VxWorks RTOS allows code execution on the DNS client side due to incorrect handling of DNS message compression. As it turned out, this vulnerability had already been identified by Exodus in 2016, but was never fixed. A new request to Wind River also went unanswered, and IPnet devices remain vulnerable.
  • Six vulnerabilities were identified in the Nucleus NET TCP/IP stack, maintained by Siemens, two of which can lead to remote code execution and four to denial of service. The first dangerous problem relates to an error when decompressing compressed DNS messages, and the second to incorrect parsing of domain name labels. Both problems lead to a buffer overflow when processing specially crafted DNS responses.

    To exploit the vulnerabilities, an attacker only needs to send a specially crafted response to any legitimate request sent from a vulnerable device, for example by carrying out a MITM attack and intervening in the traffic between the DNS server and the victim. If the attacker has access to the local network, they can start a DNS server that tries to attack problematic devices by sending mDNS requests in broadcast mode.

  • The vulnerability in the NetX network stack (Azure RTOS NetX), developed for the ThreadX RTOS and open-sourced in 2019 after its acquisition by Microsoft, was limited to denial of service. The problem is caused by an error in parsing compressed DNS messages in the resolver implementation.
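The bug class behind the Nucleus NET and NetX findings above (unchecked label lengths and compression pointers when expanding a packed name), as an added example that is not code from the article or from any of the stacks it names: a bounds-checked decoder for a DNS name that may use RFC 1035 compression pointers. It rejects a label or pointer that runs past the message, a pointer loop, a forward pointer, and an expanded name longer than the 255-byte DNS maximum; the sample message and the `sample_name` helper are constructed for the demonstration.

```c
/* Added example, not code from the article or any stack it names. Decodes a
 * DNS name that may use RFC 1035 compression pointers, rejecting the inputs
 * this bug class mishandles (see lead-in). Returns the length or -1. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define DNS_NAME_MAX 255
int dns_decode_name(const uint8_t *msg, size_t msglen, size_t off,
                    char *out, size_t outlen)
{
    size_t pos = off, written = 0, bound = msglen;
    if (outlen < DNS_NAME_MAX + 1) return -1;
    for (;;) {
        if (pos >= msglen) return -1;          /* length byte out of bounds */
        uint8_t len = msg[pos++];
        if ((len & 0xC0) == 0xC0) {            /* two-byte compression pointer */
            if (pos >= msglen) return -1;      /* second pointer byte missing */
            size_t target = ((size_t)(len & 0x3F) << 8) | msg[pos];
            /* A hop must land before the pointer and before the previous
             * landing point: no loops, no forward references, no hop counter. */
            if (target >= pos - 1 || target >= bound) return -1;
            pos = bound = target;
            continue;
        }
        if (len & 0xC0) return -1;             /* 0x40 and 0x80 are reserved */
        if (len == 0) break;                   /* root label ends the name */
        if (len > msglen - pos) return -1;     /* label runs past the message */
        /* Size the output BEFORE copying: the check the overflowed stacks got wrong */
        if (written + len + (written ? 1 : 0) > DNS_NAME_MAX) return -1;
        if (written) out[written++] = '.';
        memcpy(out + written, msg + pos, len);
        written += len;
        pos += len;
    }
    out[written] = '\0';
    return (int)written;
}
/* Constructed sample (DNS header omitted; only offsets matter): offset 0 is
 * "www.example.com" in full, 17 is "mail" + pointer to offset 4, 24 is a
 * pointer to itself (loop), 26 is a label claiming 63 bytes past the end. */
static const uint8_t sample_msg[] = {
    3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    4, 'm', 'a', 'i', 'l', 0xC0, 0x04,  0xC0, 0x18,  63 };
/* Decode the name at off in sample_msg; NULL when the decoder rejects it. */
const char *sample_name(size_t off)
{
    static char buf[DNS_NAME_MAX + 1];
    int n = dns_decode_name(sample_msg, sizeof sample_msg, off, buf, sizeof buf);
    return n < 0 ? NULL : buf;
}
```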

Among the tested network stacks in which no vulnerabilities related to the compression of repeated data in DNS messages were found, the following projects were named: lwIP, Nut/Net, Zephyr, uC/TCP-IP, FreeRTOS+TCP, OpenThread and FNET. Notably, the first two (Nut/Net and lwIP) do not support compression in DNS messages at all, while the others implement this operation without errors. It is also noted that the same researchers had earlier identified similar vulnerabilities in the Treck, uIP and PicoTCP stacks.

Source: opennet.ru