ProHoster > Блог > wararka internetka > KeyTrap iyo dayacanka NSEC3 ee saameeya inta badan fulinta DNSSEC

KeyTrap iyo dayacanka NSEC3 ee saameeya inta badan fulinta DNSSEC

Laba dayacan ayaa lagu aqoonsaday fulinta kala duwan ee nidaamka DNSSEC, oo saameeya xaliyayaasha DNS BIND, PowerDNS, dnsmasq, Knot Resolver, iyo Unbound. Nuglaantaani waxay u oggolaaneysaa diidmada adeegga xallinta DNS ee fulisa ansaxinta DNSSEC iyagoo abuuraya culeys badan oo CPU ah, kaas oo farageliya hab-socodka su'aalaha kale. Si loo fuliyo weerarka, si fudud u soo dir su'aal ah DNSSEC-awood u leh DNS xallinta taas oo keeneysa codsiga aaga DNS ee gaarka ah ee server-ka weerarka.

Arrimaha la aqoonsaday:

  • CVE-2023-50387 (codename KeyTrap) - marka la gelayo aagagga DNS ee sida gaarka ah loo farsameeyay, waxay sababtaa diidmada adeegga sababtoo ah culeyska CPU ee muhiimka ah iyo ansaxinta DNSSEC oo dheer. Si loo fuliyo weerarka, aag domain leh oo leh habayn xaasidnimo ah waa in lagu martigeliyaa server-ka DNS-ka ee uu gacanta ku hayo weerarka ka dibna uu galo server DNS-ka soo noqnoqda, kaas oo weerarku uu dafiro adeegga.

    Dejinta xaasidnimada waxaa ka mid ah isticmaalka furayaasha is khilaafaya, diiwaanada RRSET, iyo saxiixyada dhijitaalka ah ee aagga. Isku dayga lagu xaqiijinayo adeegsiga furayaashan waxay keenaysaa hawlo dheer, hawlo kheyraad xoog leh oo gabi ahaanba culeyska saari kara CPU oo xannibi kara socodsiinta codsiyada kale (tusaale, weerar lagu qaaday BIND ayaa la sheegay inay hakisay socodsiinta codsiyada kale muddo 16 saacadood ah).

  • CVE-2023-50868 (codename NSEC3) waa diidmada dayacanka adeegga ay sabab u tahay xisaabinta sare ee xisaabinta marka la xisaabinayo xashiishyada NSEC3 (Next Secure v3) diiwaanada marka la farsameeyo jawaabaha DNSSEC ee sida gaarka ah loo farsameeyay. Habka weerarku waxa uu la mid yahay dayacanka koowaad, marka laga reebo in NSEC3 RRSET si gaar ah loo farsameeyay lagu abuuray server-ka DNS ee weerarka.

Waxaa la xusay in soo ifbaxa dayacanka kor ku xusan ay sabab u tahay qeexida ku jirta qeexitaanka DNSSEC ee awoodda server-ka DNS si uu u soo diro dhammaan furayaasha sirta ah ee la heli karo, halka xaliyayaashu ay tahay inay farsameeyaan furayaasha la helay ilaa jeeggu guulaysto ama dhammaan furayaasha la helay la xaqiijiyo.

Iyada oo ah tallaabooyin lagu joojinayo nuglaanta xallilayaasha, tirada ugu badan ee furayaasha DNSSEC ee ku lug leh geeddi-socodka dhisidda silsilad kalsooni iyo tirada ugu badan ee xisaabinta hash ee NSEC3 waa xaddidan yihiin, iyo dib-u-tijaabinta xaqiijinta RRSET kasta (isku-darka furayaasha iyo saxiixyada) iyo jawaab kasta waa xaddidan yihiin. server.

Nuglaanta waxaa lagu hagaajiyay cusbooneysiinta Unbound (1.19.1), PowerDNS Recursor (4.8.6, 4.9.3, 5.0.2), Knot Resolver (5.7.1), dnsmasq (2.90), iyo BIND (9.16.48, 9.18.24, iyo 9.19.21). Xaaladda hagaajinta nuglaanta ee qaybintan waxaa lagu qiimeyn karaa boggagan: Debian, Ubuntu, SUSE, RHEL, Fedora, Arch Linux, Gentoo, Slackware, NetBSD, FreeBSD.

Dhawr dayacan oo dheeraad ah ayaa lagu hagaajiyay BIND DNS server versions 9.16.48, 9.18.24, iyo 9.19.21:

  • CVE-2023-4408 - Falanqaynta farriimaha waaweyn ee DNS waxay keeni kartaa culeys sare oo CPU ah.
  • CVE-2023-5517 - Codsiga aag gadaal ah oo si gaar ah loo farsameeyay waxa laga yaabaa in ay keento shil sababtoo ah hubinta caddaynta. Arrintu waxay ku dhacdaa isku xidhka oo keliya "nxdomain-redirect" dejinta karti u leh.
  • CVE-2023-5679 - Xallinta soo noqnoqda ee martida loo yahay waxay sababi kartaa shil sababtoo ah hubinta caddaynta nidaamyada leh taageerada DNS64 iyo "serve-stale" karti u leh (dejinta, karti-cache-awood u leh iyo jawaab-celin-awood u leh).
  • CVE-2023-6516 - Weydiimaha soo noqnoqda ee sida gaarka ah loo farsameeyay waxay sababi karaan in habka xusuusta ka dhammaado.

Source: opennet.ru

U soo iibso martigelin lagu kalsoonaan karo oo loogu talagalay bogagga leh ilaalinta DDoS, VPS VDS servers 🔥 Iibso martigelin degel oo lagu kalsoonaan karo oo leh ilaalinta DDoS, VPS VDS servers | ProHoster