Posachedwapa, kumayambiriro kwa chilimwe, panali mafoni ambiri oti Exim isinthidwa kukhala 4.92 chifukwa cha chiopsezo cha CVE-2019-10149 (). Ndipo posachedwa zidapezeka kuti pulogalamu yaumbanda ya Sustes idasankha kutenga mwayi pachiwopsezo ichi.
Tsopano onse omwe adasinthidwa mwachangu "atha kusangalala"nso: pa Julayi 21, 2019, wofufuza Zerons adapeza chiwopsezo chachikulu Exim Mail Transfer agent (MTA) mukamagwiritsa ntchito TLS kwa Mabaibulo kuchokera 4.80 ku 4.92.1 kuphatikiza, kulola kutali perekani code yokhala ndi ufulu wapadera ().
Chiwopsezo
Kusatetezeka kulipo mukamagwiritsa ntchito malaibulale onse a GnuTLS ndi OpenSSL pokhazikitsa kulumikizana kotetezeka kwa TLS.
Malinga ndi wopanga mapulogalamu a Heiko Schlittermann, fayilo yosinthira mu Exim sigwiritsa ntchito TLS mwachisawawa, koma magawo ambiri amapanga ziphaso zofunikira pakukhazikitsa ndikupangitsa kulumikizana kotetezeka. Komanso mitundu yatsopano ya Exim yikani mwayiwo tls_advertise_hosts=* ndi kupanga satifiketi zofunika.
zimatengera kasinthidwe. Ma distros ambiri amawathandiza mwachisawawa, koma Exim imafunikira chinsinsi + kuti igwire ntchito ngati seva ya TLS. Mwina Distros amapanga Cert pakukhazikitsa. Ma Exim Atsopano ali ndi tls_advertise_hosts njira yosinthira kukhala "*" ndikupanga satifiketi yosainira, ngati palibe.
Chiwopsezo chokha chagona pakukonza kolakwika kwa SNI (Server Name Indication, ukadaulo womwe unayambitsidwa mu 2003 mu RFC 3546 kuti kasitomala afunse satifiketi yolondola ya dzina lachidziwitso, ) pakugwirana chanza ndi TLS. Wowukira amangofunika kutumiza SNI yomaliza ndi kubweza ("") ndi zilembo zopanda pake (" ").
Ofufuza ochokera ku Qualys apeza cholakwika mu ntchito ya string_printing(tls_in.sni), yomwe imaphatikizapo kuthawa molakwika kwa "". Zotsatira zake, backslash imalembedwa osapulumuka ku fayilo yamutu wa print spool. Fayiloyi imawerengedwa ndi ufulu wamwayi ndi spool_read_header() ntchito, yomwe imatsogolera pakusefukira.
Ndizofunikira kudziwa kuti pakadali pano, opanga Exim apanga PoC yachiwopsezo ndikuchita malamulo pa seva yomwe ili pachiwopsezo chakutali, koma sichinapezeke poyera. Chifukwa chosavuta kugwiritsa ntchito kachilomboka, ndi nkhani yanthawi, komanso yayifupi.
Kafukufuku watsatanetsatane wa Qualys atha kupezeka .
Kugwiritsa ntchito SNI mu TLS
Chiwerengero cha ma seva omwe angakhale pachiwopsezo
Malinga ndi ziwerengero kuchokera kwa wothandizira wamkulu wochititsa Malingaliro a kampani E-Soft Inc kuyambira Seputembara 1, pa maseva obwerekedwa, mtundu wa 4.92 umagwiritsidwa ntchito kuposa 70% ya makamu.
Version
Chiwerengero cha Seva
peresenti
4.92.1
6471
1.28%
4.92
376436
74.22%
4.91
58179
11.47%
4.9
5732
1.13%
4.89
10700
2.11%
4.87
14177
2.80%
4.84
9937
1.96%
Mabaibulo ena
25568
5.04%
Malingaliro a kampani E-Soft Inc
Ngati mugwiritsa ntchito search engine , kenako mwa 5,250,000 mu database ya seva:
- pafupifupi 3,500,000 amagwiritsa ntchito Exim 4.92 (pafupifupi 1,380,000 pogwiritsa ntchito SSL/TLS);
- pa 74,000 pogwiritsa ntchito 4.92.1 (pafupifupi 25,000 pogwiritsa ntchito SSL/TLS).
Chifukwa chake, ma seva odziwika bwino a Exim omwe ali pachiwopsezo amawerengera pafupifupi 1.5M.
Sakani ma seva a Exim ku Shodan
Chitetezo
- Njira yosavuta, koma yosavomerezeka, ndikusagwiritsa ntchito TLS, zomwe zingapangitse kuti mauthenga a imelo atumizidwe momveka bwino.
- Kuti mupewe kugwiritsa ntchito chiwopsezocho, zingakhale bwino kusintha mtunduwo .
- Ngati sikutheka kusinthira kapena kukhazikitsa mtundu wokhazikika, mutha kukhazikitsa ACL mu kasinthidwe ka Exim kuti musankhe. acl_smtp_mail ndi malamulo awa:
# to be prepended to your mail acl (the ACL referenced # by the acl_smtp_mail main config option) deny condition = ${if eq{}{${substr{-1}{1}{$tls_in_sni}}}} deny condition = ${if eq{}{${substr{-1}{1}{$tls_in_peerdn}}}}
Source: www.habr.com