Patched Exim? Patch it again. Fresh Remote Command Execution in Exim 4.92 in a single request


Recently, in early summer, there were widespread calls to update Exim to version 4.92 because of the CVE-2019-10149 vulnerability (see "Urgently update Exim to 4.92: there is an active infection", Sudo Null IT News). Shortly afterwards it turned out that the Sustes malware had decided to take advantage of this vulnerability.

Now everyone who updated in a hurry can "rejoice" again: on July 21, 2019, the researcher Zerons discovered a critical vulnerability in the Exim Mail Transfer Agent (MTA) when TLS is in use, affecting versions from 4.80 to 4.92.1 inclusive and allowing remote code execution with privileged rights (CVE-2019-15846).

Vulnerability

The vulnerability is present with both the GnuTLS and the OpenSSL libraries when a secure TLS connection is being established.

According to the developer Heiko Schlittermann, the Exim configuration file does not use TLS by default, but many distributions create the necessary certificates during installation and enable secure connections. Newer versions of Exim also set the option tls_advertise_hosts=* and generate the necessary certificates.

depends on the configuration. Most distros enable it by default, but Exim needs a certificate+key to work as a TLS server. Probably distros create a cert during setup. Newer Exims have the tls_advertise_hosts option defaulting to "*" and create a self-signed certificate, if none is provided.

The vulnerability itself lies in incorrect handling of SNI (Server Name Indication, a technology introduced in 2003 in RFC 3546 that lets a client request the correct certificate for a domain name; see "Distribution of the TLS SNI standard", WEBO Group Blog / Sudo Null IT News) during the TLS handshake. An attacker only needs to send an SNI ending with a backslash ("\") and a null character ("\0").

Researchers from Qualys found a bug in the string_printing(tls_in.sni) function, which escapes "\" incorrectly. As a result, the backslash is written unescaped into the spool header file. This file is then read with privileged rights by the spool_read_header() function, which leads to an overflow.

It is worth noting that at this point the Exim developers have created a PoC for the vulnerability that executes commands on a remote vulnerable server, but it is not yet publicly available. Given how easy the bug is to exploit, it is only a matter of time, and not much of it.

A more detailed analysis by Qualys can be found here.


Figure: Using SNI in TLS

Number of potentially vulnerable public servers

According to statistics from the large hosting provider E-Soft Inc, as of September 1, version 4.92 is used on more than 70% of hosts on rented servers.

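| Version        | Number of servers | Percent |
|----------------|-------------------|---------|
| 4.92.1         | 6471              | 1.28%   |
| 4.92           | 376436            | 74.22%  |
| 4.91           | 58179             | 11.47%  |
| 4.9            | 5732              | 1.13%   |
| 4.89           | 10700             | 2.11%   |
| 4.87           | 14177             | 2.80%   |
| 4.84           | 9937              | 1.96%   |
| Other versions | 25568             | 5.04%   |

Table: E-Soft Inc statistics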

If you use the Shodan search engine, then out of 5,250,000 entries in its server database:

  • about 3,500,000 use Exim 4.92 (about 1,380,000 of them with SSL/TLS);
  • over 74,000 use 4.92.1 (about 25,000 of them with SSL/TLS).

So the number of publicly known and reachable Exim servers that are potentially vulnerable is about 1.5M.


Figure: Searching for Exim servers in Shodan

Protection

  • The simplest, but not recommended, option is to stop using TLS, which means email messages will be sent in the clear.
  • To prevent exploitation of the vulnerability, the better choice is to update to Exim Internet Mailer 4.92.2.
  • If updating or installing a patched version is not possible, you can add the following rules to the ACL referenced by the acl_smtp_mail option in the Exim configuration. Each rule rejects the message when the value ends with a backslash:
    # to be prepended to your mail acl (the ACL referenced
    # by the acl_smtp_mail main config option)
    deny    condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_sni}}}}
    deny    condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_peerdn}}}}
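
To decide which of your own mail hosts need the update or the ACL above, the following added example (not part of the original article or of Exim) triages captured SMTP greetings against the affected range given here, 4.80 to 4.92.1 inclusive. The function names, hostnames and sample sessions are constructed for illustration.

```python
import re

# Affected range as stated in this article (CVE-2019-15846): 4.80 .. 4.92.1
# inclusive; 4.92.2 is the fixed release.
FIRST_AFFECTED = (4, 80, 0)
LAST_AFFECTED = (4, 92, 1)

_VERSION_RE = re.compile(r"\bExim (?:version )?(\d+(?:\.\d+){1,2})\b")


def parse_exim_version(text):
    """Return the Exim version in a banner or `exim -bV` line as a 3-tuple, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))  # pad 4.92 -> (4, 92, 0)


def triage(session):
    """Classify one captured SMTP greeting plus EHLO reply from your own host."""
    version = parse_exim_version(session)
    if version is None:
        return "unknown"  # not Exim, or the banner hides the version
    if not FIRST_AFFECTED <= version <= LAST_AFFECTED:
        return "not-affected"
    # The bug is reached through the TLS handshake, so record whether this
    # listener offers STARTTLS. An implicit-TLS listener (no STARTTLS line)
    # still has to be checked separately.
    starttls = any(
        line[4:].strip().upper() == "STARTTLS"
        for line in session.splitlines()
        if line.startswith("250")
    )
    return "affected-tls" if starttls else "affected-no-starttls"


# Constructed sample sessions (hostnames and banners are made up).
SAMPLES = {
    "mx1": "220 mx1.example.test ESMTP Exim 4.92 Mon, 09 Sep 2019 10:00:00 +0000\n"
           "250-mx1.example.test Hello audit\n250-SIZE 52428800\n250-STARTTLS\n250 HELP\n",
    "mx2": "220 mx2.example.test ESMTP Exim 4.92.2 Mon, 09 Sep 2019 10:00:01 +0000\n"
           "250-mx2.example.test Hello audit\n250-STARTTLS\n250 HELP\n",
    "mx3": "220 mx3.example.test ESMTP Exim 4.91 Mon, 09 Sep 2019 10:00:02 +0000\n"
           "250-mx3.example.test Hello audit\n250-PIPELINING\n250 HELP\n",
    "mx4": "220 mx4.example.test ESMTP Postfix\n250-mx4.example.test\n250 STARTTLS\n",
}

if __name__ == "__main__":
    for host, session in SAMPLES.items():
        print(f"{host}: {triage(session)}")
```

Distribution packages can carry the fix without changing the upstream version string, so treat an "affected" result as a prompt to check the package changelog rather than as proof.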

Source: www.habr.com
