ProHoster > Blog > litaba tsa inthanete > DNSpooq - likotsi tse ncha tse supileng ho dnsmasq

DNSpooq - likotsi tse ncha tse supileng ho dnsmasq

Litsebi tse tsoang lilaboratoring tsa lipatlisiso tsa JSOF li tlalehile bofokoli bo bocha ho DNS/DHCP server dnsmasq. Seva ea dnsmasq e tumme haholo 'me e sebelisoa ka ho sa feleng ho li-distributions tse ngata tsa Linux, hammoho le lisebelisoa tsa marang-rang tse tsoang Cisco, Ubiquiti le tse ling. Bofokoli ba Dnspooq bo kenyelletsa chefo ea cache ea DNS hammoho le ts'ebetso ea khoutu e hole. Bofokoli bo lokisitsoe ho dnsmasq 2.83.

Ka 2008, mofuputsi ea tsebahalang oa ts'ireletso Dan Kaminsky o ile a sibolla le ho pepesa phoso ea mantlha mochining oa DNS oa Marang-rang. Kaminsky o pakile hore bahlaseli ba ka senya liaterese tsa marang-rang mme ba utsoa data. Sena se se se tsejoa e le "Kaminsky Attack".

DNS e 'nile ea nkoa e le protocol e sa sireletsehang ka lilemo tse mashome, le hoja e lokela ho tiisa boemo bo itseng ba botšepehi. Ke ka lebaka lena e ntseng e tšeptjoa haholo. Ka nako e ts'oanang, ho ile ha etsoa mekhoa ea ho ntlafatsa ts'ireletso ea protocol ea pele ea DNS. Mekhoa ena e kenyelletsa HTTPS, HSTS, DNSSEC le matsapa a mang. Leha ho le joalo, leha mekhoa ena kaofela e se e le teng, bosholu ba DNS e ntse e le tlhaselo e kotsi ka 2021. Boholo ba Marang-rang bo ntse bo itšetlehile ka DNS ka tsela e tšoanang le ea 2008, 'me e ka hlaseloa ke mefuta e tšoanang ea litlhaselo.

Likotsi tsa chefo ea cache ea DNSpooq:
CVE-2020-25686, CVE-2020-25684, CVE-2020-25685. Bofokoli bona bo tšoana le litlhaselo tsa SAD DNS tse sa tsoa tlalehoa ke bafuputsi ba Univesithi ea California le Tsinghua University. SAD DNS le DNSpooq bofokoli le tsona li ka kopanngoa ho etsa hore litlhaselo li be bonolo le ho feta. Litlhaselo tse ling tse nang le liphello tse sa hlakang le tsona li tlalehiloe ke boiteko bo kopanetsoeng ba liunivesithi (Poison Over Trouble Forwarders, joalo-joalo).
Bofokoli bo sebetsa ka ho fokotsa entropy. Ka lebaka la ts'ebeliso ea hash e fokolang ho tsebahatsa likopo tsa DNS le ho ts'oana ka nepo ha kopo ea karabo, entropy e ka fokotsoa haholo mme ke li-bits tse 19 feela tse lokelang ho hakanyetsoa, ​​​​ho etsa hore chefo ea cache e khonehe. Tsela eo dnsmasq e sebetsanang le lirekoto tsa CNAME e e lumella ho senya letoto la lirekoto tsa CNAME le ho chefo ho fihlela ho lirekoto tse 9 tsa DNS ka nako.

Bofokoli ba Buffer overflow: CVE-2020-25687, CVE-2020-25683, CVE-2020-25682, CVE-2020-25681. Bofokoli bohle ba 4 bo boletsoeng bo teng ka khoutu le ts'ebetsong ea DNSSEC mme bo hlaha feela ha ho hlahlojoa ka DNSSEC ho nolofalitsoe ho litlhophiso.

Source: linux.org.ru