Recently, at the beginning of summer, there were widespread calls to update Exim to version 4.92 because of the CVE-2019-10149 vulnerability (
Now everyone who updated promptly can "rejoice" again: on July 21, 2019, the researcher Zerons discovered a critical vulnerability in the Exim Mail Transfer Agent (MTA) when TLS is used, affecting versions from 4.80 through 4.92.1 inclusive and allowing remote code execution with privileged rights (
Vulnerability
The vulnerability is present with both the GnuTLS and the OpenSSL library when a secure TLS connection is established.
According to developer Heiko Schlittermann, the default Exim configuration file does not use TLS, but many distributions create the necessary certificates during installation and enable secure connections. Newer Exim releases also ship the option tls_advertise_hosts=* and generate the necessary certificates.
It depends on the configuration. Most distros do it automatically, but Exim needs a certificate+key to work as a TLS server. Perhaps distros create a certificate during setup. The new release has a tls_advertise_hosts option defaulting to "*" and generates a self-signed certificate if none is provided.
The vulnerability itself lies in incorrect handling of SNI (Server Name Indication, a technology introduced in 2003 in RFC 3546 that lets a client request the correct certificate for a domain name,
Researchers from Qualys found a bug in the string_printing(tls_in.sni) function, which escapes the backslash ("\") incorrectly. As a result, the backslash is written unescaped into the message's spool header file. That file is later read with privileged rights by the spool_read_header() function, which leads to a heap overflow.
It is worth noting that the Exim developers have already produced a PoC of the vulnerability with command execution on a remote vulnerable server, but it is not yet publicly available. Given how easy the bug is to exploit, its appearance is only a matter of time, and a very short one.
A more detailed analysis by Qualys can be found
Using SNI in TLS
Number of potentially vulnerable servers
According to statistics from the large hosting provider E-Soft Inc as of September 1, version 4.92 is used on more than 70% of the hosts among the servers it surveys.
| Version | Number of servers | Percent |
|---|---|---|
| 4.92.1 | 6471 | 1.28% |
| 4.92 | 376436 | 74.22% |
| 4.91 | 58179 | 11.47% |
| 4.9 | 5732 | 1.13% |
| 4.89 | 10700 | 2.11% |
| 4.87 | 14177 | 2.80% |
| 4.84 | 9937 | 1.96% |
| Other versions | 25568 | 5.04% |

Statistics from E-Soft Inc
If you use a search engine:
- about 3,500,000 servers run Exim 4.92 (about 1,380,000 of them use SSL/TLS);
- over 74,000 run 4.92.1 (about 25,000 of them use SSL/TLS).
Thus, the number of known and reachable potentially vulnerable Exim servers is about 1.5M.
Search for Exim servers on Shodan
Protection
- The simplest, but not recommended, way is to stop using TLS altogether, which causes mail to be transmitted in the clear.
- To prevent exploitation of the vulnerability, it is much better to update to Exim Internet Mailer 4.92.2.
- If updating or installing the patched version is not possible, you can configure an ACL in the Exim configuration for the acl_smtp_mail option with the following rules:
```
# to be prepended to your mail acl (the ACL referenced
# by the acl_smtp_mail main config option)
# reject the session if the last character of the SNI or of the peer DN is a backslash
deny condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_sni}}}}
deny condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_peerdn}}}}
```
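An added helper for a defender, not code from the article or from the Exim project: it checks whether a reported Exim version falls in the affected range named above and scans main-log lines for SNI values ending in a backslash, the same test the ACL rules make. The log lines and the SNI="..." field layout (assumed to be what the tls_sni log selector produces) are constructed for the example.

```python
import re

# Affected range named in the article: Exim 4.80 through 4.92.1 inclusive;
# 4.92.2 carries the fix.
AFFECTED_MIN = (4, 80, 0)
AFFECTED_MAX = (4, 92, 1)

# Constructed sample main-log lines in the shape assumed for the tls_sni
# log selector; not captured from a real server.
SAMPLE_LOG = [
    '2019-09-06 10:12:01 1i6Kd1-0001Zq-2f <= alice@example.org H=mx.example.org '
    '[203.0.113.10] P=esmtps X=TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128 CV=no '
    'SNI="mail.example.net" S=2048',
    '2019-09-06 10:12:07 1i6Kd7-0001Zr-1a <= bob@example.org H=(client) '
    '[203.0.113.20] P=esmtps X=TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128 CV=no '
    'SNI="mail.example.net\\" S=512',
]

SNI_RE = re.compile(r'SNI="([^"]*)"')

def parse_version(text):
    """Extract an Exim version such as '4.92.1' or '4.80' as a (major, minor, patch) tuple."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError("no version number in %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def is_affected(version_text):
    """True when the version lies inside the vulnerable range given in the article."""
    return AFFECTED_MIN <= parse_version(version_text) <= AFFECTED_MAX

def ends_with_backslash(value):
    """The same test the mitigation ACL makes: ${if eq{\\}{${substr{-1}{1}{...}}}}."""
    return value.endswith("\\")

def find_suspicious_sni(log_lines):
    """Return (line number, SNI) for every log line whose SNI value ends in a backslash."""
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        m = SNI_RE.search(line)
        if m and ends_with_backslash(m.group(1)):
            hits.append((lineno, m.group(1)))
    return hits

if __name__ == "__main__":
    for v in ("4.79", "4.80", "4.92.1", "4.92.2"):
        print(v, "affected" if is_affected(v) else "not affected")
    for lineno, sni in find_suspicious_sni(SAMPLE_LOG):
        print("line %d: SNI ends in a backslash: %r" % (lineno, sni))
```

The version check accepts the whole output of exim -bV, since it only needs the first dotted number it finds.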
source: www.habr.com