Now everyone who rushed to update last time can "rejoice" again: on July 21, 2019, researcher Zerons discovered a critical vulnerability in the Exim Mail Transfer Agent (MTA) when TLS is used, affecting versions 4.80 through 4.92.1 inclusive, which allows remote code execution with privileged rights (CVE-2019-15846).
The vulnerability
The vulnerability is present when either the GnuTLS or the OpenSSL library is used to establish a secure TLS connection.
According to developer Heiko Schlittermann, Exim's configuration file does not use TLS by default, but many distributions generate the necessary certificates during installation and enable secure connections. Newer versions of Exim also set the option tls_advertise_hosts=* and generate the necessary certificates.
depends on the configuration. Most distros enable it by default, but Exim needs a certificate+key to work as a TLS server. Probably distros create a cert during setup. Newer Exims have the tls_advertise_hosts option defaulting to "*" and create a self-signed certificate, if none is provided.
The vulnerability itself lies in the incorrect handling of SNI (Server Name Indication, a technology introduced in 2003 in RFC 3546 that lets a client request the correct certificate for a domain name) during the TLS handshake. The attacker only needs to send an SNI that ends with a backslash ("\") followed by a null character ("\0").
Researchers from Qualys found a bug in the function string_printing(tls_in.sni), which consists in incorrect escaping of "\". As a result, the backslash is written unescaped into the spool header file. That file is later read with privileged rights by the spool_read_header() function, which leads to a heap overflow.
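The root cause above is an encode/decode asymmetry: the writer leaves a backslash as-is while the reader treats every backslash as the start of an escape sequence, so a value ending in a backslash makes the reader step past the end of its buffer. The following Python model is an added illustration, not Exim's code (Exim's real string_printing() and spool_read_header() are C functions; the escape rules, function names and the "<OVERRUN>" marker here are simplifications chosen for the example). It shows the flawed writer beside a corrected writer that escapes the backslash itself.

```python
"""Model of the escaping asymmetry behind CVE-2019-15846 (added illustration)."""


def escape_for_spool(value: str) -> str:
    """Model of the flawed writer: non-printable characters become \\ooo octal
    escapes, but a literal backslash is passed through unchanged."""
    out = []
    for ch in value:
        if ch.isprintable():          # a backslash is printable, so it is NOT escaped
            out.append(ch)
        else:
            out.append("\\%03o" % ord(ch))
    return "".join(out)


def escape_for_spool_fixed(value: str) -> str:
    """Corrected writer: a backslash is written as "\\\\" so the reader's
    escape handling always has a complete sequence to consume."""
    out = []
    for ch in value:
        if ch == "\\":
            out.append("\\\\")
        elif ch.isprintable():
            out.append(ch)
        else:
            out.append("\\%03o" % ord(ch))
    return "".join(out)


def unescape_from_spool(field: str):
    """Model of the reader. Every backslash starts an escape and consumes the
    following character(s). Returns (decoded, characters_consumed)."""
    out = []
    i, n = 0, len(field)
    while i < n:
        ch = field[i]
        if ch != "\\":
            out.append(ch)
            i += 1
            continue
        nxt = field[i + 1] if i + 1 < n else None   # None models the terminating NUL
        if nxt == "\\":
            out.append("\\")
            i += 2
        elif nxt is not None and nxt.isdigit():
            out.append(chr(int(field[i + 1:i + 4], 8)))
            i += 4
        else:
            # Any other character after the backslash is copied literally. When the
            # backslash is the LAST character there is no such character: the real
            # reader steps past the terminating NUL and keeps copying whatever the
            # heap holds next. The model records the overrun instead of performing it.
            out.append(nxt if nxt is not None else "<OVERRUN>")
            i += 2
    return "".join(out), i


def round_trip_is_safe(value: str, writer=escape_for_spool) -> bool:
    """True when the reader consumes exactly the written field and recovers
    the original value; False when it reads past the field (the bug)."""
    escaped = writer(value)
    decoded, consumed = unescape_from_spool(escaped)
    return consumed <= len(escaped) and decoded == value


if __name__ == "__main__":
    for sni in ("mail.example.com", "mail.example.com\\"):
        print(repr(sni), "flawed writer safe:", round_trip_is_safe(sni),
              "| fixed writer safe:", round_trip_is_safe(sni, escape_for_spool_fixed))
```

Running the block shows that a hostname ending in a backslash round-trips safely only with the corrected writer; the general lesson is that any escaping routine must be the exact inverse of the corresponding unescaping routine, including for the escape character itself.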
It is worth noting that at the moment the Exim developers have created a PoC that achieves command execution on a vulnerable server, but it is not yet publicly available. Given how simple the bug is to exploit, a public one is only a matter of time, and not much of it.
A detailed analysis by Qualys can be found here.
Using SNI in TLS
Number of potentially vulnerable public servers
According to statistics from the large hosting provider E-Soft Inc as of September 1, version 4.92 is used on more than 70% of the rented servers it hosts.
Version         Number of servers   Percentage
4.92.1          6471                1.28%
4.92            376436              74.22%
4.91            58179               11.47%
4.9             5732                1.13%
4.89            10700               2.11%
4.87            14177               2.80%
4.84            9937                1.96%
Other versions  25568               5.04%
Latest E-Soft Inc report
If you use the Shodan search engine, then out of the 5,250,000 servers in its database:
If it is not possible to update or to install a patched version, you can add an ACL to the Exim configuration for the acl_smtp_mail option with the following rules:
# to be prepended to your mail acl (the ACL referenced
# by the acl_smtp_mail main config option)
# Reject the session when the last character of the client's SNI is a backslash
# ("\\" in an Exim string literal expands to a single backslash)
deny condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_sni}}}}
# The same check on the peer certificate DN, which goes through the same escaping
deny condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_peerdn}}}}
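To make the two ACL conditions concrete, and to look back through existing logs for sessions that would have tripped them, here is an added Python example; it is not part of the article and not Exim's code. It assumes that SNI values appear in the mainlog as SNI="..." (the field Exim logs when log_selector includes +tls_sni) and that a trailing backslash shows up there as written. The log lines are constructed for the example, not captured traffic.

```python
from __future__ import annotations
import re

# Constructed sample Exim mainlog lines (not from a real server).
SAMPLE_LOG = """\
2019-09-06 10:00:01 1i6AbC-000123-Xy <= alice@example.net H=mail.example.net [192.0.2.10] P=esmtps X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no SNI="mx.example.org" S=1234
2019-09-06 10:00:05 1i6AbD-000124-Zz <= bob@example.com H=(localhost) [198.51.100.7] P=esmtps X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no SNI="mx.example.org\\" S=987
2019-09-06 10:00:09 1i6AbE-000125-Qq <= carol@example.com H=smtp.example.com [203.0.113.5] P=esmtp S=456
"""

MSG_ID_RE = re.compile(r"^\S+ \S+ (\S+) ")   # date, time, then the message id
SNI_RE = re.compile(r'SNI="([^"]*)"')


def ends_with_backslash(value: str) -> bool:
    """Python equivalent of ${if eq{\\}{${substr{-1}{1}{$tls_in_sni}}}}:
    substr{-1}{1} is the last character, and an empty string has none."""
    return value[-1:] == "\\"


def acl_would_deny(tls_in_sni: str, tls_in_peerdn: str) -> bool:
    """Both deny rules of the mitigation ACL, evaluated in order."""
    return ends_with_backslash(tls_in_sni) or ends_with_backslash(tls_in_peerdn)


def find_suspicious_sni(log_text: str) -> list[tuple[str, str]]:
    """Return (message id, SNI) for every mainlog line whose logged SNI
    ends with a backslash; plaintext sessions have no SNI field and are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = SNI_RE.search(line)
        if not m:
            continue
        sni = m.group(1)
        if ends_with_backslash(sni):
            mid = MSG_ID_RE.match(line)
            hits.append((mid.group(1) if mid else "?", sni))
    return hits


if __name__ == "__main__":
    for mid, sni in find_suspicious_sni(SAMPLE_LOG):
        print(f"{mid}: SNI ends with a backslash: {sni!r}")
```

Note that the ACL runs at MAIL FROM time, after the TLS handshake, so it rejects the message rather than preventing the SNI from reaching Exim; it is a stop-gap until a fixed version is installed, not a substitute for updating.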