Update RouterOS on your MikroTik

On the evening of March 10, Mail.ru support began receiving complaints from users who could not connect to the Mail.ru IMAP/SMTP servers from their mail clients. Some connections did not go through at all, while others failed with a certificate error. The error was caused by the "server" presenting a self-signed TLS certificate.
 
Within two days, more than a dozen complaints arrived from users on different networks and with different devices, which made it unlikely that the problem was confined to one provider's network. A detailed analysis showed that the imap.mail.ru server (along with other mail servers and services) was being substituted at the DNS level. With the active help of our users, we then established that the cause was a poisoned entry in the cache of their router, which also serves as the local DNS resolver; in many (but not all) cases that router turned out to be a MikroTik device, which is very popular in small corporate networks and at small Internet providers.

What the problem is

In September 2019, researchers found several vulnerabilities in MikroTik RouterOS (CVE-2019-3976, CVE-2019-3977, CVE-2019-3978, CVE-2019-3979) that allow DNS cache poisoning, i.e. spoofing the records held in the router's DNS cache. CVE-2019-3978 in particular means the attacker does not have to wait for someone on the internal network to look up a name on the attacker's DNS server in order to poison the resolver cache: they can trigger that lookup themselves through port 8291 (UDP and TCP, the Winbox port). MikroTik fixed the vulnerabilities in RouterOS 6.45.7 (stable) and 6.44.6 (long-term) on October 28, 2019, but according to the research most users have still not installed the patches.
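To make the cache-poisoning mechanism concrete, here is a toy model of a caching resolver, written as an added example for this page (it is not RouterOS code and does not reproduce the RouterOS-specific bugs). It compares a trusting cache, which accepts every record a reply carries, with one that performs the checks a resolver is expected to do: the reply's transaction ID and destination port must match an outstanding query, and only records for the name that was actually asked about are cached. The names attacker.example and imap.mail.ru and the addresses 203.0.113.10 and 198.51.100.7 are constructed placeholders.

```python
"""Toy caching resolver used to illustrate DNS cache poisoning.

Added example, not RouterOS code: the zone names, the addresses and the
query flow are constructed for illustration only.
"""
import random
from dataclasses import dataclass, field


@dataclass
class DnsReply:
    txid: int        # 16-bit transaction id echoed from the query
    port: int        # resolver-side UDP port the reply was sent to
    qname: str       # name in the question section
    answers: list    # [(owner_name, ipv4_string), ...]


@dataclass
class ToyResolver:
    strict: bool     # False: trusting (vulnerable); True: validates replies
    cache: dict = field(default_factory=dict)
    pending: dict = field(default_factory=dict)   # (txid, port) -> qname
    rng: random.Random = field(default_factory=lambda: random.Random(7))

    def send_query(self, qname):
        """Record an outstanding query and return the (txid, port) that a
        genuine upstream server would see and echo back."""
        txid = self.rng.randrange(0, 1 << 16)
        port = self.rng.randrange(1024, 1 << 16)
        self.pending[(txid, port)] = qname
        return txid, port

    def accept_reply(self, reply):
        """Return True if the reply was used to update the cache."""
        if self.strict:
            # 1. txid and destination port must match an outstanding query
            qname = self.pending.pop((reply.txid, reply.port), None)
            if qname is None or qname != reply.qname:
                return False
            # 2. bailiwick: only cache records for the name we asked about
            usable = [(n, ip) for n, ip in reply.answers if n == qname]
        else:
            # Vulnerable policy: any reply for a name we have asked about is
            # trusted, and every record it carries is cached, whatever its name.
            if reply.qname not in self.pending.values():
                return False
            usable = reply.answers
        for name, ip in usable:
            self.cache[name] = ip
        return True


ATTACKER_NAME = "attacker.example"   # constructed: a zone the attacker serves
ATTACKER_IP = "203.0.113.10"          # constructed: address of that zone
VICTIM_NAME = "imap.mail.ru"          # the name whose record the attacker wants
SPOOFED_IP = "198.51.100.7"           # constructed: attacker's MITM host


def run_scenario(strict):
    """The attacker gets the resolver to look up a name in a zone they
    control, then answers that query with an extra record for the victim
    name. Returns the resulting cache."""
    r = ToyResolver(strict=strict)
    txid, port = r.send_query(ATTACKER_NAME)
    # Authoritative reply: correct txid/port, plus one out-of-bailiwick record
    reply = DnsReply(txid, port, ATTACKER_NAME,
                     [(ATTACKER_NAME, ATTACKER_IP), (VICTIM_NAME, SPOOFED_IP)])
    r.accept_reply(reply)
    return dict(r.cache)


def blind_forgery_accepted(strict):
    """A forged reply for a query the resolver really sent, but with the
    wrong transaction id; only the trusting resolver takes it."""
    r = ToyResolver(strict=strict)
    txid, port = r.send_query(VICTIM_NAME)
    forged = DnsReply((txid + 1) & 0xFFFF, port, VICTIM_NAME,
                      [(VICTIM_NAME, SPOOFED_IP)])
    return r.accept_reply(forged)


if __name__ == "__main__":
    print("trusting cache:", run_scenario(False))
    print("strict cache:  ", run_scenario(True))
```

Running the block shows the trusting cache now maps imap.mail.ru to the attacker's address although nobody on the network ever asked for it, while the strict cache keeps only the record for the name that was queried. The blind forgery case shows why randomised transaction IDs and source ports matter even when the bailiwick check is in place.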

It is evident that the vulnerability is now being actively exploited in the wild.

Why it is dangerous

An attacker can spoof the DNS record of any host that a user on the internal network accesses, and thereby intercept the traffic to it. If sensitive information is transmitted without encryption (for example over http:// without TLS), or the user agrees to accept a fake certificate, the attacker obtains everything sent over that connection, including the login and password. Unfortunately, practice shows that when a user is given the opportunity to accept a fake certificate, they take it.

Why SMTP and IMAP servers, and what saved users

Why did the attackers try to intercept the SMTP/IMAP traffic of mail applications rather than web traffic, when most users read their mail in a browser over HTTPS?

Not all mail applications that work over SMTP and IMAP/POP3 protect the user from their own mistakes by refusing to send the login and password over an unprotected or compromised connection, although under the standard they should: RFC 8314, adopted back in 2018 (and implemented at Mail.ru long before that), requires clients to protect the user from password interception over any unprotected connection. Moreover, the OAuth protocol is rarely used in mail clients (the Mail.ru mail servers support it), and without it the login and password are transmitted in every session.

Browsers are somewhat better protected against Man-in-the-Middle attacks. On all critical mail.ru domains, in addition to HTTPS, the HSTS (HTTP Strict Transport Security) policy is enabled. With HSTS enabled, a modern browser does not offer the user an easy way to accept a fake certificate, even if the user wants to. Beyond HSTS, users were saved by the fact that since 2017 the Mail.ru SMTP, IMAP and POP3 servers have refused to accept passwords over an unprotected connection, so all of our users were already using TLS for SMTP, POP3 and IMAP access; the login and password can therefore be intercepted only if the user personally agrees to accept the substituted certificate.
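The protection this paragraph describes for browsers (no convenient way to accept a bad certificate) is something a mail client has to enforce itself. Below is an added example, not Mail.ru's code and not taken from any mail client, of the TLS setup a Python IMAP client should use (implicit TLS on port 993 with CA and host-name verification, in line with RFC 8314) next to the weak setup that makes a substituted certificate "work". The host name imap.example.invalid used in the comments is a placeholder; the login function only touches the network if you actually call it.

```python
"""TLS setup for an IMAP client: strict (verifying) versus weak (trusting).

Added example, not code from Mail.ru or from any mail client. Nothing here
connects anywhere unless login_strict() is called with a real host.
"""
import imaplib
import ssl


def strict_context():
    """Context a mail client should use: CA verification, host-name check,
    nothing older than TLS 1.2. A self-signed or mismatched certificate
    makes the handshake fail before LOGIN is ever sent."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_context():
    """The weak setting: no CA verification, no host-name check. With this
    context the client happily sends LOGIN through a MITM that presents a
    self-signed certificate, which is exactly the failure the article
    describes. Shown for contrast only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_safe(ctx):
    """Policy gate: credentials may only travel over a context that
    verifies the peer certificate and its host name."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def login_strict(host, user, password, ctx=None, port=993):
    """Implicit-TLS IMAP login that never falls back to plaintext and
    refuses to run with a non-verifying context. The TLS handshake happens
    inside IMAP4_SSL(), so a fake certificate raises
    ssl.SSLCertVerificationError there, before LOGIN is sent."""
    ctx = ctx or strict_context()
    if not context_is_safe(ctx):
        raise ValueError("refusing to send credentials without certificate verification")
    conn = imaplib.IMAP4_SSL(host, port, ssl_context=ctx)   # e.g. host="imap.example.invalid" (placeholder)
    try:
        conn.login(user, password)
        return conn.capability()
    finally:
        conn.logout()
```

The point of `context_is_safe` is that the decision not to send a password is taken by the client before any I/O, rather than being left to a dialog the user can click through; that is the client-side equivalent of what HSTS does for the browser.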

For mobile users we always recommend the Mail.ru applications for accessing mail, because working with mail in them is safer than in browsers or the built-in SMTP/IMAP clients.

What to do

Update the MikroTik RouterOS firmware to a fixed version. If for some reason that is not possible, filter traffic on port 8291 (tcp and udp); this makes exploitation harder, although it does not rule out injection into the DNS cache, since an attacker can still race a lookup the router performs on its own. ISPs should filter this port on their networks to protect their corporate customers.

Every user who was presented with a substituted certificate should urgently change the password for their mailbox and for any other service on which that certificate was accepted. For our part, we will notify users who access mail through vulnerable devices.

P.S. A related vulnerability is also described in the post by LukaSafonov, "Backport vulnerability in RouterOS puts hundreds of thousands of devices at risk".

Source: www.habr.com
