BIND DNS server update fixing a remote code execution vulnerability

Corrective updates have been published for the stable branches of the BIND DNS server, 9.11.31 and 9.16.15, as well as for the experimental branch 9.17.12, which is still under development. The new releases address three vulnerabilities, one of which (CVE-2021-25216) causes a buffer overflow. On 32-bit systems the vulnerability can be exploited to remotely execute attacker-supplied code by sending a specially crafted GSS-TSIG request. On 64-bit systems the problem is limited to a crash of the named process.

The problem only manifests when GSS-TSIG mode is enabled, which is activated through the tkey-gssapi-keytab and tkey-gssapi-credential settings. GSS-TSIG is disabled in the default configuration and is typically used in mixed environments where BIND is combined with Active Directory domain controllers, or where it is integrated with Samba.

The vulnerability is caused by an error in the implementation of SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism), which GSSAPI uses to negotiate the protection mechanisms used by the client and the server. GSSAPI is used as a high-level protocol for secure key exchange through the GSS-TSIG extension, which is used in the process of authenticating dynamic DNS zone updates.

Because critical vulnerabilities had previously been found in the built-in SPNEGO implementation, the implementation of this protocol has been removed from the BIND 9 code base. Users who need SPNEGO support are advised to use the external implementation provided by the system GSSAPI library (available in MIT Kerberos and Heimdal Kerberos).

As a workaround, users of older BIND versions can disable GSS-TSIG in the settings (the tkey-gssapi-keytab and tkey-gssapi-credential options) or rebuild BIND without support for the SPNEGO mechanism (the "--disable-isc-spnego" option of the "configure" script). The availability of updates in distributions can be tracked on the following pages: Debian, SUSE, Ubuntu, Fedora, Arch Linux, FreeBSD, NetBSD. The RHEL and ALT Linux packages are built without native SPNEGO support.

In addition, two further vulnerabilities are fixed in the BIND updates in question:

  • CVE-2021-25215 - the named process crashes when processing DNAME records (redirection of processing for part of a subdomain tree), which leads to duplicates being added to the ANSWER section. Exploiting the vulnerability on authoritative DNS servers requires making changes to the DNS zones being served, while on recursive servers the problematic record can be obtained after contacting an authoritative server.
  • CVE-2021-25214 - the named process crashes when processing a specially crafted IXFR request (used for incremental transfer of zone changes between DNS servers). The problem only affects systems that allow a DNS zone transfer from the attacker's server (zone transfers are normally used to synchronise master and slave servers and are selectively allowed only for trusted servers). As a workaround, IXFR support can be disabled with the "request-ixfr no;" setting.
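The two configuration workarounds above (GSS-TSIG left disabled via the tkey-gssapi-* options, and "request-ixfr no;" for IXFR) can be checked for in a named.conf before the package update lands. The following POSIX shell script is an added example, not code from the article, from ISC or from any distribution: it looks for those directives, reports what it finds, and writes two constructed sample configs (one exposed, one hardened) to demonstrate itself. The keytab path, Kerberos principal and hostnames in the samples are placeholders; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the article, ISC or any distribution: a small
# audit of a named.conf for the two configuration workarounds the article names.
# - GSS-TSIG is enabled when tkey-gssapi-keytab or tkey-gssapi-credential is set.
# - The IXFR workaround is present when "request-ixfr no;" appears.
# The sample configs written by write_sample_conf are constructed for this demo;
# the keytab path, principal and hostnames in them are placeholders.
# Caveat: only line comments (// or #) are skipped; a directive inside a
# /* ... */ block comment would still be reported as active.

# bind_gsstsig_enabled <file>: succeed if either tkey-gssapi option is set.
bind_gsstsig_enabled() {
    grep -Eq '^[[:space:]]*tkey-gssapi-(keytab|credential)[[:space:]]' "$1"
}

# bind_ixfr_disabled <file>: succeed if "request-ixfr no;" is set.
bind_ixfr_disabled() {
    grep -Eq '^[[:space:]]*request-ixfr[[:space:]]+no[[:space:]]*;' "$1"
}

# named_conf_findings <file>: print one line per finding; prints nothing when
# GSS-TSIG is off and the IXFR workaround is in place.
named_conf_findings() {
    if bind_gsstsig_enabled "$1"; then
        echo "GSS-TSIG enabled (tkey-gssapi-keytab/credential): exposed to CVE-2021-25216 until BIND is updated"
    fi
    if ! bind_ixfr_disabled "$1"; then
        echo "request-ixfr not set to no: IXFR workaround for CVE-2021-25214 not applied"
    fi
}

# write_sample_conf <exposed|hardened> <path>: constructed sample configs.
write_sample_conf() {
    case "$1" in
    exposed)
        cat > "$2" <<'EOF'
options {
    directory "/var/cache/bind";
    tkey-gssapi-keytab "/etc/bind/dns.keytab";                  // placeholder path
    tkey-gssapi-credential "DNS/ns1.example.test@EXAMPLE.TEST"; // placeholder principal
};
EOF
        ;;
    hardened)
        cat > "$2" <<'EOF'
options {
    directory "/var/cache/bind";
    // GSS-TSIG left at its default (disabled): no tkey-gssapi-* options set
    request-ixfr no;
};
EOF
        ;;
    *)
        echo "unknown variant: $1" >&2
        return 1
        ;;
    esac
}

# Stand-alone demo: audit both constructed samples, then clean up.
demo_dir=$(mktemp -d)
for variant in exposed hardened; do
    write_sample_conf "$variant" "$demo_dir/$variant.conf"
    echo "== $variant.conf"
    named_conf_findings "$demo_dir/$variant.conf"
done
rm -rf "$demo_dir"
```

The IXFR finding is only meaningful on servers that actually request zone transfers from other servers; an authoritative-only server that never acts as a secondary has nothing to disable. Running `named-checkconf` after editing is the usual way to confirm the file still parses.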

Source: opennet.ru
