Cusboonaysiinta saxda ah ayaa loo daabacay laamaha xasilloon ee BIND DNS server 9.11.31 iyo 9.16.15, iyo sidoo kale laanta tijaabada 9.17.12, taas oo ku jirta horumarka. Siidaynta cusubi waxay ka hadlaysaa saddex baylahda, oo mid ka mid ah (CVE-2021-25216) sababa qulqulka qulqulka. Nidaamyada 32-bit, nuglaanta waxaa looga faa'iidaysan karaa in meel fog laga fuliyo koodka weerarka iyadoo loo dirayo codsi GSS-TSIG si gaar ah loo farsameeyay. Nidaamyada 64 dhibaatadu waxay ku kooban tahay burburka habka la magacaabay.
Dhibaatadu waxay soo baxdaa kaliya marka habka GSS-TSIG la furo, la hawlgeliyo iyadoo la isticmaalayo tkey-gssapi-keytab iyo tkey-gssapi-credential settings. GSS-TSIG waa lagu naafo qaabka caadiga ah waxaana sida caadiga ah lagu isticmaalaa deegaan isku dhafan halkaas oo BIND lagu daro kontaroolayaasha Hagaha Active Directory, ama marka la isku daro Samba.
Nuglaanta waxaa sababa qaladka hirgelinta SPNEGO (Habka Wada-xaajoodka Fudud iyo Ilaalin GSSAPI), ee loo isticmaalo GSSAPI si looga xaajoodo hababka ilaalinta ee ay isticmaalaan macmiilka iyo server-ka. GSSAPI waxa loo istcimaalaa hab-maamuus heer sare ah oo la isku weydaarsado furaha sugan iyadoo la adeegsanayo fidinta GSS-TSIG ee loo isticmaalo habka xaqiijinta cusboonaysiinta aaga DNS firfircoon.
Sababtoo ah baylahda muhiimka ah ee hirgelinta SPNEGO ee la dhisay ayaa horay loo helay, hirgelinta nidaamkan ayaa laga saaray saldhigga koodhka BIND 9. Isticmaalayaasha u baahan taageerada SPNEGO, waxaa lagu talinayaa in la isticmaalo hirgelinta dibadda ee ay bixiso GSSAPI maktabadda nidaamka (oo lagu bixiyo MIT Kerberos iyo Heimdal Kerberos).
Isticmaalayaasha noocyadii hore ee BIND, si ay uga hortagaan dhibaatada, waxay curyaami karaan GSS-TSIG ee goobaha (ikhtiyaarada tkey-gssapi-keytab iyo tkey-gssapi-credential) ama dib u dhis BIND iyaga oo aan taageero u helin farsamada SPNEGO (doorasho "- -disable-isc-spnego" oo ku jira qoraalka "qaabaynta"). Waxaad la socon kartaa helitaanka cusboonaysiinta qaybinta boggaga soo socda: Debian, SUSE, Ubuntu, Fedora, Arch Linux, FreeBSD, NetBSD. Xirmooyinka RHEL iyo ALT Linux waxaa la dhisay iyada oo aan la helin taageerada SPNEGO.
Intaa waxaa dheer, laba dayacan oo kale ayaa lagu hagaajiyay cusboonaysiinta BIND ee su'aasha ah:
- CVE-2021-25215 - habka magacaaban ayaa burburay markii la farsamaynayey diiwaanada DNAME (habaynta dib u habaynta qayb ka mid ah subdomains), taasoo keentay in lagu daro nuqul ka mid ah qaybta JAWAABTA. Ka faa'iidaysiga u nuglaanshaha server-yada DNS ee awoodda leh waxay u baahan tahay in isbeddel lagu sameeyo aagagga DNS ee la farsameeyay, iyo server-yada soo noqnoqda, rikoorka dhibaatada leh waxaa la heli karaa ka dib marka lala xiriiro serverka awoodda leh.
- CVE-2021-25214 - Habka magacaaban ayaa burbura marka la farsameynayo codsiga IXFR ee soo socda ee si gaar ah loo farsameeyey (oo loo isticmaalo in lagu wareejiyo isbeddelada aagagga DNS ee u dhexeeya server-yada DNS). Dhibaatadu waxay saamaysaa kaliya nidaamyada u oggolaaday in aagga DNS laga wareejiyo server-ka weerarka (badanaa wareejinta aagga waxaa loo adeegsadaa isku-dubarid sayid iyo adeegayaal addoon waxaana si xushmad leh loo oggol yahay oo keliya server-yada la aamini karo). Nabadgelyo ahaan, waxaad joojin kartaa taageerada IXFR addoo isticmaalaya dejinta "codsi-ixfr no;".
Source: opennet.ru