Iingcali ezivela kwiilebhu zophando ze-JSOF zichaze ubuthathaka obutsha obusixhenxe kwi-DNS/DHCP server dnsmasq. Iseva ye-dnsmasq ithandwa kakhulu kwaye isetyenziswa ngokungagqibekanga kunikezelo oluninzi lweLinux, kunye nakwizixhobo zenethiwekhi ezivela eCisco, Ubiquiti nabanye. Ubuthathaka be-Dnspooq bubandakanya ityhefu ye-DNS ye-cache kunye nokuphunyezwa kwekhowudi ekude. Ubuthathaka bulungisiwe kwi-dnsmasq 2.83.
Ngo-2008, umphandi wokhuseleko owaziwayo uDan Kaminsky wafumanisa kwaye wabhenca isiphene esisisiseko kwindlela ye-Intanethi ye-DNS. U-Kaminsky ubonise ukuba abahlaseli banako ukuphanga iidilesi zesizinda kwaye babe idatha. Oku kuye kwaziwa ngokuba yi "Kaminsky Attack".
I-DNS ithathwa njengeprothokholi engakhuselekanga amashumi eminyaka, nangona kufanele ukuba iqinisekise inqanaba elithile lengqibelelo. Kungenxa yesi sizathu ukuba isathenjelwe kakhulu. Ngelo xesha, iindlela zaphuhliswa ukuphucula ukhuseleko lweprotocol ye-DNS yokuqala. Ezi ndlela ziquka i-HTTPS, i-HSTS, i-DNSSEC kunye namanye amanyathelo. Nangona kunjalo, nangona zonke ezi ndlela zikhoyo, ukuqweqwedisa kwe-DNS kuseluhlaselo oluyingozi ngo-2021. Uninzi lwe-Intanethi lusaxhomekeke kwi-DNS ngendlela efanayo kwi-2008, kwaye ichaphazeleka kwiintlobo ezifanayo zohlaselo.
Ubuthathaka betyhefu ye-DNSpooq:
CVE-2020-25686, CVE-2020-25684, CVE-2020-25685. Obu bubuthathaka bufana nokuhlaselwa kwe-SAD DNS kutshanje kuxelwe ngabaphandi abavela kwiYunivesithi yaseCalifornia kunye neYunivesithi yaseTsinghua. I-SAD DNS kunye nobuthathaka be-DNSpooq nabo banokudityaniswa ukwenza uhlaselo lube lula. Uhlaselo olongezelelweyo oluneziphumo ezingacacanga lukwaxelwe ngemizamo edibeneyo yeeyunivesithi (iPoison Over Troubled Forwarders, njl.).
Ubuthathaka busebenza ngokunciphisa i-entropy. Ngenxa yokusetyenziswa kwe-hash ebuthathaka ukuchonga izicelo ze-DNS kunye nokuhambelana okuchanekileyo kwesicelo kwimpendulo, i-entropy inokunciphisa kakhulu kwaye kuphela ii-bits eziyi-19 kufuneka ziqikelelwe, okwenza i-cache poisoning inokwenzeka. Indlela i-dnsmasq iqhuba ngayo iirekhodi ze-CNAME ivumela ukuba ikhuphe ikhonkco leerekhodi ze-CNAME kwaye ityhefu ngokufanelekileyo ukuya kwiirekhodi ze-9 DNS ngexesha.
Ubuthathaka bokuphuphuma kwe-Buffer: CVE-2020-25687, CVE-2020-25683, CVE-2020-25682, CVE-2020-25681. Zonke iingozi ezi-4 eziphawulweyo zikhona kwikhowudi kunye nokuphunyezwa kwe-DNSSEC kwaye zivela kuphela xa kuhlolwa nge-DNSSEC kunikwe amandla kwizicwangciso.
umthombo: linux.org.ru