BIND DNS server update fixes a buffer overflow vulnerability

Corrective updates have been published for the stable branches of the BIND DNS server, 9.11.31 and 9.16.15, as well as for the experimental branch 9.17.12, which is under development. The new releases fix three vulnerabilities, one of which (CVE-2021-25216) leads to a buffer overflow. On 32-bit systems the vulnerability can be exploited to execute attacker code remotely by sending a specially crafted GSS-TSIG request. On 64-bit systems the problem is limited to a crash of the named process.

The problem only manifests itself when the GSS-TSIG mechanism is enabled, which is done with the tkey-gssapi-keytab and tkey-gssapi-credential settings. GSS-TSIG is disabled in the default configuration and is typically used in mixed environments where BIND is combined with Active Directory domain controllers, or when integrating with Samba.

The vulnerability is caused by an error in the implementation of SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism), which is used in GSSAPI to negotiate the protection methods used by the client and the server. GSSAPI is used as a high-level protocol for secure key exchange via the GSS-TSIG extension, which is used to authenticate dynamic DNS zone updates.

Because critical vulnerabilities in the built-in SPNEGO implementation have been found before, the implementation of this protocol has been removed from the BIND 9 code base. Users who need SPNEGO support are advised to use the external implementation provided by the GSSAPI system library (shipped with MIT Kerberos and Heimdal Kerberos).

Users of older BIND versions can, as a workaround, disable GSS-TSIG in the configuration (the tkey-gssapi-keytab and tkey-gssapi-credential options) or rebuild BIND without support for the built-in SPNEGO mechanism (the "--disable-isc-spnego" option of the configure script). The availability of fixes in distributions can be tracked on the following pages: Debian, SUSE, Ubuntu, Fedora, Arch Linux, FreeBSD, NetBSD. RHEL and ALT Linux packages are built without native SPNEGO support.

In addition, two more vulnerabilities have been fixed in the same BIND update:

  • CVE-2021-25215 - the named process crashes while processing DNAME records (subdomain redirection), which leads to duplicates being added to the ANSWER section. Exploiting the vulnerability on authoritative DNS servers requires making changes to the DNS zones being served; for recursive servers, the problematic record can be obtained after contacting an authoritative server.
  • CVE-2021-25214 - the named process crashes when processing a specially crafted incoming IXFR request (used for incremental transfer of zone changes between DNS servers). The problem only affects systems that allow DNS zone transfers from the attacker's server (zone transfers are normally used to synchronize master and slave servers and are selectively allowed only for trusted servers). As a workaround, IXFR support can be disabled with the "request-ixfr no;" setting.
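As an added example (not code from the article, from opennet.ru or from ISC), the following POSIX shell script audits a named.conf for the two configuration-level workarounds mentioned above: it reports whether an active tkey-gssapi-keytab or tkey-gssapi-credential directive makes the GSS-TSIG/SPNEGO code path reachable (the CVE-2021-25216 precondition), and whether "request-ixfr no;" is set (the CVE-2021-25214 workaround). The two named.conf fragments it writes are constructed samples; the function names, the keytab path and the service principal in them are assumptions, not values from the article.

```shell
#!/bin/sh
# Added example: audit a named.conf for the GSS-TSIG and IXFR settings
# discussed in the article. Assumes the usual one-directive-per-line layout.
# Both sample configs below are constructed for the demonstration.

# Strip '//' and '#' comments so commented-out directives do not count.
strip_comments() {
    sed -e 's|//.*$||' -e 's|#.*$||' "$1"
}

# Exit 0 if an active tkey-gssapi-keytab or tkey-gssapi-credential directive
# is present, i.e. GSS-TSIG (and therefore the SPNEGO code path) is enabled.
gss_tsig_enabled() {
    strip_comments "$1" |
        grep -Eq '^[[:space:]]*tkey-gssapi-(keytab|credential)[[:space:]]'
}

# Exit 0 if "request-ixfr no;" is set (incremental zone transfer disabled).
ixfr_disabled() {
    strip_comments "$1" |
        grep -Eq '^[[:space:]]*request-ixfr[[:space:]]+no[[:space:]]*;'
}

# Print a verdict per file; exit 0 only when both settings are in the safe state.
audit_named_conf() {
    rc=0
    if gss_tsig_enabled "$1"; then
        echo "$1: GSS-TSIG enabled (tkey-gssapi-*): SPNEGO path reachable, upgrade or disable"
        rc=1
    else
        echo "$1: GSS-TSIG not enabled"
    fi
    if ixfr_disabled "$1"; then
        echo "$1: request-ixfr no; is set"
    else
        echo "$1: IXFR still requested, consider 'request-ixfr no;' until patched"
        rc=1
    fi
    return $rc
}

# Constructed sample: a typical AD-integration config before the workaround.
VULN_CONF=$(mktemp)
cat >"$VULN_CONF" <<'EOF'
options {
    directory "/var/cache/bind";
    tkey-gssapi-keytab "/etc/bind/dns.keytab";     // hypothetical keytab path
    tkey-gssapi-credential "DNS/ns1.example.test"; // hypothetical principal
};
EOF

# Constructed sample: the same host after applying both workarounds.
SAFE_CONF=$(mktemp)
cat >"$SAFE_CONF" <<'EOF'
options {
    directory "/var/cache/bind";
    // tkey-gssapi-keytab "/etc/bind/dns.keytab";     // disabled pending upgrade
    // tkey-gssapi-credential "DNS/ns1.example.test";
    request-ixfr no;   // CVE-2021-25214 workaround
};
EOF

audit_named_conf "$VULN_CONF" || true
audit_named_conf "$SAFE_CONF" || true
```

The comment stripping is deliberately simple (a "//" inside a quoted string would also be cut), which is acceptable for a yes/no audit of these two directives. Whether a given binary was built with "--disable-isc-spnego" is a separate check: the configure arguments appear in the output of named -V.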

Source: opennet.ru
