Update RouterOS on your MikroTik

On the evening of March 10, the Mail.ru support service began receiving complaints from users who could not connect to the Mail.ru IMAP/SMTP servers from their email programs. Some connections did not go through at all, and others showed a certificate error. The error is caused by the "server" presenting a self-signed TLS certificate.
Within two days, more than 10 complaints arrived from users on different networks and with different devices, which ruled out a problem in the network of any single provider. A more detailed analysis showed that the imap.mail.ru server (as well as other mail servers and services) was being substituted at the DNS level. Further, with the help of our users, we found that the cause was an incorrect entry in the cache of their router, which also acts as the DNS resolver, and which in many (but not all) cases turned out to be a MikroTik device, very popular in small corporate networks and among small Internet providers.

What the problem is

In September 2019, researchers found several vulnerabilities in MikroTik RouterOS (CVE-2019-3976, CVE-2019-3977, CVE-2019-3978, CVE-2019-3979) that allowed a DNS cache poisoning attack, i.e. the ability to spoof DNS records in the router's DNS cache. With CVE-2019-3978, the attacker does not have to wait for someone on the internal network to request an entry from the attacker's DNS server in order to poison the resolver cache, but can trigger such a request himself through port 8291 (UDP and TCP). MikroTik fixed the vulnerability in RouterOS versions 6.45.7 (stable) and 6.44.6 (long-term) on October 28, 2019, but according to research most users have not installed the patches.

It is clear that this problem is now being actively exploited "live".

Why it is dangerous

An attacker can spoof the DNS record of any host that a user on the internal network accesses, and thereby intercept the traffic to it. If sensitive information is sent without encryption (for example, over http:// without TLS) or the user agrees to accept a fake certificate, the attacker can obtain everything sent over the connection, such as a login or password. Unfortunately, practice shows that if a user has the opportunity to accept a fake certificate, they take it.

Why SMTP and IMAP servers, and what saved users

Why did the attackers try to intercept the SMTP/IMAP traffic of email applications rather than web traffic, even though most users read their mail in a browser over HTTPS?

Not all email programs that work over SMTP and IMAP/POP3 protect the user from mistakes by preventing them from sending the login and password over an unprotected or compromised connection, although according to the standard RFC 8314, adopted back in 2018 (and implemented at Mail.ru much earlier), they must protect the user from password interception over any unsecured connection. In addition, the OAuth protocol is rarely used in email clients (it is supported by the Mail.ru servers), and without it the login and password are transmitted in every session.

Browsers may be slightly better protected against Man-in-the-Middle attacks. On all critical mail.ru domains, in addition to HTTPS, the HSTS (HTTP Strict Transport Security) policy is enabled. With HSTS enabled, a modern browser does not give the user an easy option to accept a fake certificate, even if the user wants to. In addition to HSTS, users were saved by the fact that since 2017 the Mail.ru SMTP, IMAP and POP3 servers have prohibited the transfer of passwords over an unsecured connection. All our users used TLS for access via SMTP, POP3 and IMAP, and therefore the login and password can be intercepted only if the user agrees to accept the spoofed certificate.

For mobile users, we recommend using the Mail.ru app to access mail, because working with mail in it is safer than in a browser or the built-in SMTP/IMAP clients.

What to do

It is necessary to update the MikroTik RouterOS firmware to a secure version. If for some reason this is not possible, it is necessary to filter traffic on port 8291 (tcp and udp). This makes the problem harder to exploit, although it does not eliminate the possibility of passive injection into the DNS cache. ISPs should filter this port on their networks to protect corporate users.
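The check below is an added example, not code from the original post: it classifies the `version:` line of `/system resource print` output against the two fixed releases named above and combines it with whether port 8291 is already filtered. The device names, the inventory format and the rule that newer 6.x releases keep the fix are assumptions.

```python
import re

# Fixed releases named in the article (both published October 28, 2019).
FIXED_LONG_TERM = (6, 44, 6)
FIXED_STABLE = (6, 45, 7)

VERSION_RE = re.compile(r"version:\s*(\d+)\.(\d+)(?:\.(\d+))?(\S*)")

def patch_status(resource_print):
    """Classify the 'version:' line of `/system resource print` output."""
    m = VERSION_RE.search(resource_print)
    if not m:
        return "unknown"
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    if version[0] != 6 or m.group(4):
        # Other major versions and beta/rc builds are outside what the
        # article states, so they need a manual check.
        return "unknown"
    if version < FIXED_LONG_TERM or (6, 45, 0) <= version < FIXED_STABLE:
        return "unpatched"
    # Assumption: 6.x releases newer than the fixed ones keep the fix.
    return "patched"

def triage(devices):
    """Map device name -> action, given (resource_print, port_8291_filtered)."""
    actions = {}
    for name, (text, filtered) in devices.items():
        status = patch_status(text)
        if status == "patched":
            actions[name] = "ok"
        elif status == "unknown":
            actions[name] = "check version manually"
        elif filtered:
            actions[name] = "upgrade (8291 filtered: interim mitigation only)"
        else:
            actions[name] = "upgrade now and filter 8291 tcp/udp"
    return actions

# Constructed sample inventory, not data from the article.
SAMPLE = {
    "branch-gw": ("uptime: 3w2d\nversion: 6.45.6 (stable)\n", False),
    "office-gw": ("version: 6.44.6 (long-term)\n", True),
    "lab-gw": ("version: 6.43.16 (long-term)\n", True),
    "test-gw": ("version: 6.46beta59 (testing)\n", False),
}

if __name__ == "__main__":
    for name, action in triage(SAMPLE).items():
        print(f"{name}: {action}")
```

A filtered but unpatched device still gets an upgrade action, because filtering port 8291 does not remove the passive cache injection path.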

All users who accepted a substituted certificate should change the password for their email and for any other services for which this certificate was accepted. For our part, we will notify users who access mail through vulnerable devices.

P.S. There is also a related vulnerability described in the post by LukaSafonov, "Backport vulnerability in RouterOS puts hundreds of thousands of devices at risk".

Source: www.habr.com
