Patched Exim - patch again. New Remote Command Execution in Exim 4.92 in a single request


Recently, at the start of summer, there were widespread calls to update Exim to version 4.92 because of the CVE-2019-10149 vulnerability (Urgently update Exim to 4.92 - there is an active exploit / Sudo Null IT News). And only recently it turned out that the Sustes malware had decided to take advantage of that vulnerability.

Now everyone who updated in time can "rejoice" again: on 21 July 2019, researcher Zerons discovered a critical vulnerability in the Exim Mail Transfer Agent (MTA) when TLS is in use, affecting versions 4.80 through 4.92.1 inclusive and allowing remote code execution with elevated privileges (CVE-2019-15846).

Vulnerability

The vulnerability is present with both the GnuTLS and the OpenSSL libraries when a secure TLS connection is being established.

According to developer Heiko Schlittermann, Exim's configuration file does not use TLS by default, but many distributions create the necessary certificates during installation and enable the secure connection. Newer versions of Exim also set the option tls_advertise_hosts=* and generate the necessary certificates.

It depends on the config. Most distros enable it by default, but Exim needs a key + cert to work as a TLS server. Probably distros create the cert during setup. Newer Exims have the tls_advertise_hosts option defaulting to "*" and create a self-signed certificate if none is provided.

The vulnerability itself lies in the incorrect handling of SNI (Server Name Indication, a technology introduced in 2003 in RFC 3546 that lets the client request the correct certificate for a domain name; see Distribution of the TLS SNI standard / WEBO Group Blog / Sudo Null IT News) during the TLS handshake. The attacker only needs to send an SNI ending in a backslash ("\") followed by a null character ("\0").

Qualys researchers found the problem in the function string_printing(tls_in.sni), which fails to escape "\". As a result, the backslash is written unescaped to the spool header file. That file is later read with elevated privileges by the spool_read_header() function, which leads to a heap overflow.

It is worth noting that the Exim developers have already built a PoC for the vulnerability that executes commands on a remote vulnerable server, but it has not yet been released publicly. Given how easy the bug is to exploit, its public appearance is only a matter of time, and a short one.

The full Qualys analysis can be found here.

[Figure: Using SNI in TLS]

Number of potentially vulnerable servers

According to statistics from the large hosting provider E-Soft Inc as of 1 September, version 4.92 is running on more than 70% of the leased servers it tracks.

Version    Number of servers    Percentage
4.92.1     6471                 1.28%
4.92       376436               74.22%
4.91       58179                11.47%
4.9        5732                 1.13%
4.89       10700                2.11%
4.87       14177                2.80%
4.84       9937                 1.96%
Other      25568                5.04%

E-Soft Inc statistics
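As an added example (not part of the article and not Exim code), here is a small Python triage helper that applies the affected range stated above (4.80 through 4.92.1 inclusive, with 4.92.2 as the first fixed release) to the E-Soft table. The table rows are transcribed from the article; the helper assumes that the table's "4.9" row means Exim 4.90, since Exim minor versions are two digits, and that reading is an assumption of this example rather than something the table states.

```python
# Added example: applies the affected range from the article (4.80 .. 4.92.1)
# to the E-Soft version table. Not code from the article or from Exim.
from typing import Dict, List, Optional, Tuple

# Rows transcribed from the E-Soft table above; the last row has no version.
ESOFT_TABLE: List[Tuple[str, int]] = [
    ("4.92.1", 6471), ("4.92", 376436), ("4.91", 58179), ("4.9", 5732),
    ("4.89", 10700), ("4.87", 14177), ("4.84", 9937), ("other", 25568),
]

AFFECTED_MIN = (4, 80, 0)   # first affected release named in the advisory
AFFECTED_MAX = (4, 92, 1)   # last affected release; 4.92.2 carries the fix


def parse_exim_version(v: str) -> Optional[Tuple[int, int, int]]:
    """Parse 'major.minor[.patch]' into a comparable tuple, or None.

    Exim minor versions are two digits (4.84, 4.92), so a one-digit minor such
    as the table's '4.9' is read as 4.90 (an assumption made by this example).
    """
    parts = v.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        return None
    minor = parts[1] if len(parts[1]) == 2 else parts[1].ljust(2, "0")
    patch = int(parts[2]) if len(parts) == 3 else 0
    return int(parts[0]), int(minor), patch


def is_affected(v: str) -> Optional[bool]:
    """True/False for a parsable version, None when the version is unknown."""
    t = parse_exim_version(v)
    return None if t is None else AFFECTED_MIN <= t <= AFFECTED_MAX


def summarize(rows: List[Tuple[str, int]]) -> Dict[str, float]:
    """Count servers inside the affected range and those with unknown version."""
    affected = unknown = total = 0
    for version, count in rows:
        total += count
        verdict = is_affected(version)
        if verdict is None:
            unknown += count
        elif verdict:
            affected += count
    return {
        "total": total,
        "affected": affected,
        "unknown": unknown,
        "affected_pct": round(100.0 * affected / total, 2) if total else 0.0,
    }


if __name__ == "__main__":
    # Every named version in the table falls inside the affected range, so the
    # share is far higher than the 74% the article quotes for 4.92 alone.
    print(summarize(ESOFT_TABLE))
```

Run against the table, every named version row lands inside the affected range, so roughly 95% of the tracked servers are affected rather than only the 74% running 4.92; the 5% "Other" row cannot be classified without version data.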

Using the Shodan search engine, out of the 5,250,000 servers in its database:

  • about 3,500,000 run Exim 4.92 (about 1,380,000 of them with SSL/TLS);
  • more than 74,000 run 4.92.1 (about 25,000 of them with SSL/TLS).

So the number of known, reachable and potentially vulnerable Exim servers is around 1.5M.

[Figure: Searching for Exim servers on Shodan]

Protection

  • A simple but not recommended option is to stop using TLS, which means mail will be transmitted in the clear.
  • To prevent exploitation of the vulnerability, the right step is to update to Exim Internet Mailer 4.92.2.
  • If it is not possible to update or to install a patched version, you can add an ACL to the Exim configuration for the acl_smtp_mail option with the following rules:
    # to be prepended to your mail acl (the ACL referenced
    # by the acl_smtp_mail main config option)
    deny    condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_sni}}}}
    deny    condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_peerdn}}}}
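As an added example that is not part of the article or of Exim, the following Python mirrors what the two deny rules test, so the rule can be sanity-checked against sample values before it goes into a production ACL. It models tls_in_sni and tls_in_peerdn as C strings (cut at the first NUL byte, an assumption of this model) and treats ${substr{-1}{1}{...}} as "the last character, or empty for an empty value". The sample sessions are constructed, not real traffic.

```python
# Added example: emulates the two "deny condition" rules from the suggested
# acl_smtp_mail ACL. Not code from the article or from Exim.
from typing import List, Tuple


def as_c_string(value: str) -> str:
    """Exim holds these values as NUL-terminated C strings, so anything after
    the first NUL byte is invisible to the ACL (modelling assumption)."""
    return value.split("\0", 1)[0]


def substr_last_char(value: str) -> str:
    """Mimic ${substr{-1}{1}{value}}: last character, "" for an empty value."""
    return value[-1:]


def acl_would_deny(tls_in_sni: str, tls_in_peerdn: str) -> bool:
    """True when either rule fires, i.e. SNI or peer DN ends in a backslash."""
    for raw in (tls_in_sni, tls_in_peerdn):
        if substr_last_char(as_c_string(raw)) == "\\":
            return True
    return False


# Constructed sample sessions (not real traffic): (sni, peerdn) pairs.
SAMPLES: List[Tuple[str, str]] = [
    ("mail.example.com", ""),            # ordinary client, plain hostname
    ("mail.example.com\\\x00", ""),      # SNI ending in backslash-NUL
    ("", "CN=relay.example.net\\"),      # trailing backslash in the peer DN
    ("", ""),                            # no SNI, no client certificate
    ("mail.example.com\\x", ""),         # backslash not in the last position
]


def triage(samples: List[Tuple[str, str]]) -> List[bool]:
    """Apply the rule to each sample; True means the ACL would deny."""
    return [acl_would_deny(sni, dn) for sni, dn in samples]


if __name__ == "__main__":
    for (sni, dn), denied in zip(SAMPLES, triage(SAMPLES)):
        verdict = "deny" if denied else "accept"
        print(f"sni={sni!r:28} peerdn={dn!r:28} -> {verdict}")
```

Two points the model makes visible: the rule looks only at the final character, so a backslash anywhere else in the name is accepted, and an empty SNI (a client that sends none) is never denied, because substr of an empty value is empty and does not compare equal to a backslash.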

Source: www.habr.com
