Two vulnerabilities have been identified in various implementations of the DNSSEC protocol, affecting the DNS resolvers BIND, PowerDNS, dnsmasq, Knot Resolver, and Unbound. The vulnerabilities allow a denial of service against DNS resolvers that perform DNSSEC validation by creating a high CPU load that interferes with the processing of other queries. To carry out the attack, it is enough to send a DNSSEC-validating DNS resolver a query that results in a request to a specially crafted DNS zone on the attacker's server.
The identified issues:
- CVE-2023-50387 (codename KeyTrap) - accessing specially crafted DNS zones causes a denial of service because of significant CPU load and long-running DNSSEC validation. To carry out the attack, a domain zone with malicious settings must be hosted on a DNS server controlled by the attacker and then accessed through the recursive DNS server that the attacker wants to deny service on.
The malicious settings involve using a combination of conflicting keys, RRSET records, and digital signatures for the zone. Attempting validation with these keys results in a long, resource-intensive operation that can fully load the CPU and block the processing of other requests (for example, the attack on BIND is reported to have halted the processing of other requests for 16 hours).
- CVE-2023-50868 (codename NSEC3) is a denial-of-service vulnerability caused by significant computation when calculating hashes over NSEC3 (Next Secure v3) records while processing specially crafted DNSSEC responses. The attack method is similar to the first vulnerability, except that a specially crafted set of NSEC3 RRSET records is created on the attacker's DNS server.
It is noted that the vulnerabilities above stem from the DNSSEC specification defining the ability of a DNS server to send all available cryptographic keys, while resolvers must process any keys they receive until a check succeeds or all received keys have been verified.
As measures to block the vulnerabilities in resolvers, the maximum number of DNSSEC keys involved in building the chain of trust and the maximum number of hash computations for NSEC3 have been limited, and the validation retries for each RRSET (key-signature combination) and for each server response have been limited.
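As an added illustration (not code from any of the resolvers named here), the following Python model shows why try-every-key validation is expensive without a bound and how a per-RRSET cap on failed verifications limits the work. The names `validate_rrset` and `max_failures`, the string comparison standing in for signature verification, and the sample keys and signatures are assumptions constructed for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Key:
    tag: int       # key tag a signature uses to name its candidate keys
    material: str  # stand-in for the public key bytes

@dataclass(frozen=True)
class Sig:
    tag: int       # key tag the signature claims
    made_by: str   # stand-in for "which key really produced this signature"

def validate_rrset(keys, sigs, max_failures=None):
    """Model of per-RRSET validation: try candidate keys for each signature
    until one verifies or all are exhausted. Returns (status, crypto_ops).
    max_failures is a hypothetical per-RRSET cap on failed verifications."""
    ops = failures = 0
    for sig in sigs:
        for key in keys:
            if key.tag != sig.tag:
                continue              # cheap tag comparison, no crypto
            ops += 1                  # one expensive signature verification
            if key.material == sig.made_by:
                return "secure", ops
            failures += 1
            if max_failures is not None and failures >= max_failures:
                return "limit-exceeded", ops  # stop and treat as a failure
    return "bogus", ops

def demo():
    # Constructed worst case for the loop: every signature names every key
    # and none of them verifies.
    n = 30
    keys = [Key(tag=1, material=f"k{i}") for i in range(n)]
    sigs = [Sig(tag=1, made_by="none") for _ in range(n)]
    # Constructed ordinary zone: two keys, one valid signature.
    good_keys = [Key(11111, "ksk"), Key(22222, "zsk")]
    good_sigs = [Sig(22222, "zsk")]
    return {
        "unbounded": validate_rrset(keys, sigs),
        "bounded": validate_rrset(keys, sigs, max_failures=8),
        "ordinary": validate_rrset(good_keys, good_sigs, max_failures=8),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The cap does not change the outcome for the ordinary zone, which verifies on its first cryptographic operation.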
The vulnerabilities are fixed in updates of Unbound (1.19.1), PowerDNS Recursor (4.8.6, 4.9.3, 5.0.2), Knot Resolver (5.7.1), dnsmasq (2.90), and BIND (9.16.48, 9.18.24, and 9.19.21). The status of the fixes in distributions can be tracked on these pages: Debian, Ubuntu, SUSE, RHEL, Fedora, Arch Linux, Gentoo, Slackware, NetBSD, FreeBSD.
Several other vulnerabilities are fixed in versions 9.16.48, 9.18.24, and 9.19.21 of the BIND DNS server:
- CVE-2023-4408 - Parsing large DNS messages can cause high CPU load.
- CVE-2023-5517 - A query for a specially crafted reverse zone can cause a crash because of an assertion check. The problem occurs only in configurations with the "nxdomain-redirect" setting enabled.
- CVE-2023-5679 - Recursive host resolution can cause a crash because of an assertion check on systems with DNS64 support and "serve-stale" enabled (the stale-cache-enable and stale-answer-enable settings).
- CVE-2023-6516 - Specially crafted recursive queries can cause the process to run out of memory.
Source: opennet.ru
