Update RouterOS on your MikroTik

On the evening of March 10, the Mail.ru support service began receiving complaints from users who could not connect to the Mail.ru IMAP/SMTP servers from their email programs. Some connections did not go through at all, while others produced a certificate error. The error was caused by the "server" presenting a self-signed TLS certificate.
Within two days, more than 10 complaints came in from users on different networks and with different devices, which made it unlikely that the problem lay in the network of any single provider. A closer analysis showed that the imap.mail.ru server (along with other mail servers and services) was being substituted at the DNS level. With the active help of our users we then established that the cause was an incorrect entry in the cache of their router, which also acts as the local DNS resolver, and in many cases (though not all) that router turned out to be a MikroTik device, very popular in small corporate networks and among small Internet providers.

What the problem is

In September 2019, researchers discovered several vulnerabilities in MikroTik RouterOS (CVE-2019-3976, CVE-2019-3977, CVE-2019-3978, CVE-2019-3979) that allow DNS cache poisoning attacks, i.e. spoofing of the DNS records held in the router's DNS cache. CVE-2019-3978 in particular lets an attacker avoid waiting for someone on the internal network to look up a name on the attacker's DNS server in order to poison the resolver cache: the attacker can initiate such a request themselves via port 8291 (UDP and TCP). MikroTik fixed the vulnerabilities in RouterOS versions 6.45.7 (stable) and 6.44.6 (long-term) on October 28, 2019, but according to research most users have still not installed the patches.

Obviously, this problem is now being actively exploited "in the wild".

Why it is dangerous

An attacker can spoof the DNS record of any host that a user on the internal network accesses, and thereby intercept the traffic to it. If sensitive information is transmitted without encryption (for example, over http:// without TLS), or if the user agrees to accept a fake certificate, the attacker can obtain everything sent over the connection, such as a login or password. Unfortunately, practice shows that if a user is given the option to accept a fake certificate, they will use it.

Why SMTP and IMAP servers, and what saved the users

Why did the attackers try to intercept the SMTP/IMAP traffic of email applications rather than web traffic, even though most users access their mail over HTTPS in a browser?

Not all email programs that work over SMTP and IMAP/POP3 protect the user from mistakes by refusing to send the login and password over an unprotected or compromised connection, even though the RFC 8314 standard, adopted back in 2018 (and implemented at Mail.ru much earlier), requires them to protect the user from password interception over any unprotected connection. In addition, the OAuth protocol is rarely used in email clients (the Mail.ru mail servers support it), and without it the login and password are transmitted in every session.

Browsers are somewhat better protected against Man-in-the-Middle attacks. On all critical mail.ru domains, in addition to HTTPS, the HSTS (HTTP Strict Transport Security) policy is enabled. With HSTS enabled, a modern browser does not give the user an easy way to accept a fake certificate, even if the user wants to. Besides HSTS, users were saved by the fact that since 2017 the SMTP, IMAP and POP3 servers of Mail.ru have prohibited sending passwords over an unprotected connection: all of our users used TLS for access over SMTP, POP3 and IMAP, and therefore the login and password could only be intercepted if the user themselves agreed to accept the substituted certificate.
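The two facts above (a router resolver returning substituted records, and an endpoint presenting a certificate that a properly verifying client must reject) can be checked from inside the affected network. The script below is an added example, not code from the article or from Mail.ru: it queries the router's resolver and an independent reference resolver for the A records of the mail hosts and flags answers the reference never returned, then attempts a verifying TLS handshake against each returned address so that a self-signed certificate fails instead of being accepted. The reference resolver, the default router address, the inclusion of smtp.mail.ru, the IMAPS port and the embedded sample response packet are assumptions or constructed data.

```python
"""Cross-check the local (router) resolver against an independent one and verify TLS.
Added example; resolver addresses, host list and sample packet are assumptions."""
import socket
import ssl
import struct

# imap.mail.ru is the host named in the article; smtp.mail.ru is an assumption.
MAIL_HOSTS = ["imap.mail.ru", "smtp.mail.ru"]
REFERENCE_RESOLVER = "1.1.1.1"   # assumption: any resolver outside the suspect router
DEFAULT_ROUTER = "192.168.88.1"  # assumption: MikroTik's factory LAN address; adjust


def build_query(name: str, txid: int) -> bytes:
    """Build a minimal DNS A/IN query with the RD bit set (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, name ends here
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def parse_a_records(pkt: bytes) -> set:
    """Return the set of IPv4 addresses in the answer section of a DNS response."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x8000 == 0:
        raise ValueError("packet is a query, not a response")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4  # skip QTYPE and QCLASS
    addrs = set()
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            addrs.add(socket.inet_ntoa(pkt[off:off + 4]))
        off += rdlen
    return addrs


def resolve_via(server: str, name: str, txid: int = 0x1234, timeout: float = 3.0) -> set:
    """Ask one specific resolver over UDP/53 and return the A records it gives."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    if struct.unpack("!H", data[:2])[0] != txid:
        raise ValueError("transaction id mismatch")
    return parse_a_records(data)


def is_suspicious(local: set, reference: set) -> bool:
    """True when the local resolver returned an address the reference never did.
    CDN answers vary legitimately, so in practice compare against several references."""
    return bool(local) and not local <= reference


def cert_verifies(ip: str, hostname: str, port: int = 993) -> bool:
    """True only if the endpoint at `ip` presents a chain that validates for `hostname`.
    A self-signed certificate, as seen in the incident, makes this return False."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    try:
        with socket.create_connection((ip, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname):
                return True
    except (ssl.SSLError, OSError):
        return False


# Constructed response for offline use: id 0x1234, two A records in 192.0.2.0/24
# (documentation range), answer names compressed to the question at offset 12.
SAMPLE_RESPONSE = (bytes.fromhex("123481800001000200000000")
                   + b"\x04imap\x04mail\x02ru\x00\x00\x01\x00\x01"
                   + bytes.fromhex("c00c000100010000012c0004c000020a")
                   + bytes.fromhex("c00c000100010000012c0004c000020b"))


if __name__ == "__main__":
    import sys
    router = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_ROUTER
    for host in MAIL_HOSTS:
        local, ref = resolve_via(router, host), resolve_via(REFERENCE_RESOLVER, host)
        verdict = "SUSPICIOUS" if is_suspicious(local, ref) else "ok"
        print(f"{host}: router={sorted(local)} reference={sorted(ref)} -> {verdict}")
        for ip in sorted(local):
            state = "TLS ok" if cert_verifies(ip, host) else "TLS FAILS (possible substitution)"
            print(f"  {ip}: {state}")
```

Run it from a client behind the router, passing the router's LAN address as the first argument. A mismatch between the two resolvers combined with a failing handshake against the router-supplied address is exactly the signature the incident produced; a mismatch with a passing handshake is more likely ordinary CDN variance.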

For mobile users we always recommend the Mail.ru applications for accessing mail, because working with mail in them is safer than in a browser or in the built-in SMTP/IMAP clients.

What needs to be done

Update the MikroTik RouterOS firmware to a fixed version. If for some reason that is not possible, filter traffic on port 8291 (tcp and udp); this makes the problem harder to exploit, although it does not rule out passive injection into the DNS cache. ISPs should filter this port on their networks to protect corporate users.

Every user who accepted the substituted certificate should urgently change their password for email and for any other service for which that certificate was accepted. For our part, we will notify users who access their mail through vulnerable devices.

P.S. There is also a related vulnerability described in LukaSafonov's post "Backport vulnerability in RouterOS puts hundreds of thousands of devices at risk".

Source: www.habr.com
