Exim patched - patch again. New remote command execution in Exim 4.92 in a single request

Recently, at the beginning of summer, there were widespread calls to update Exim to version 4.92 because of the CVE-2019-10149 vulnerability (Urgently update Exim to 4.92 - there is active exploitation / Sudo Null IT News). And just recently it turned out that the Sustes malware has decided to take advantage of this vulnerability.

Now everyone who updated promptly can "rejoice" again: on July 21, 2019, researcher Zerons discovered a critical vulnerability in the Exim Mail Transfer Agent (MTA) when TLS is used, in versions from 4.80 to 4.92.1 inclusive, which allows remote execution of code with privileged rights (CVE-2019-15846).

Vulnerability

The vulnerability is present with both the GnuTLS and the OpenSSL library when a secure TLS connection is established.

According to developer Heiko Schlittermann, the Exim configuration file does not use TLS by default, but many distributions create the necessary certificates during installation and enable a secure connection. Newer versions of Exim also set the tls_advertise_hosts=* option and generate the necessary certificates.

It depends on the configuration. Most distros do it automatically, but Exim needs a certificate+key to work as a TLS server. Probably the distros create a certificate during setup. The new release has the tls_advertise_hosts option defaulting to "*" and creates a self-signed certificate if none is provided.

The vulnerability itself lies in the incorrect handling of SNI (Server Name Indication, a technology introduced in 2003 in RFC 3546 that lets a client request the correct certificate for a domain name; Adoption of the TLS SNI standard / WEBO Group Blog / Sudo Null IT News) during the TLS handshake. An attacker only needs to send an SNI ending with a backslash ("\") followed by a null character ("\0").

Researchers from Qualys found a bug in the string_printing(tls_in.sni) function, which escapes "\" incorrectly. As a result, the backslash is written unescaped into the spool header file. That file is later read with privileged rights by the spool_read_header() function, which leads to a heap overflow.

It is worth noting that the Exim developers currently have a PoC for the vulnerability that executes commands on a remote vulnerable server, but it is not yet publicly available. Given how easy the bug is to exploit, that is only a matter of time, and a very short one.

A more detailed analysis by Qualys can be found here.

Using SNI in TLS

Number of potentially vulnerable servers

According to statistics from the large hosting provider E-Soft Inc as of September 1, version 4.92 is used on more than 70% of the hosted servers.

Version           Number of servers   Percent
4.92.1            6471                1.28%
4.92              376436              74.22%
4.91              58179               11.47%
4.9               5732                1.13%
4.89              10700               2.11%
4.87              14177               2.80%
4.84              9937                1.96%
Other versions    25568               5.04%

Statistics from E-Soft Inc

If you use the Shodan search engine, then of the 5,250,000 servers in its database:

  • about 3,500,000 run Exim 4.92 (about 1,380,000 of them use SSL/TLS);
  • over 74,000 run 4.92.1 (about 25,000 of them use SSL/TLS).

Thus, the number of known and reachable potentially vulnerable Exim servers is about 1.5M.

Searching for Exim servers in Shodan

Protection

  • The simplest, but not recommended, way is to stop using TLS, which means email will be transmitted in the clear.
  • To avoid exploitation of the vulnerability, it is far better to update to Exim Internet Mailer version 4.92.2.
  • If it is impossible to update or to install a patched version, you can add an ACL to the Exim configuration for the acl_smtp_mail option with the following rules:
    # to be prepended to your mail acl (the ACL referenced
    # by the acl_smtp_mail main config option)
    # reject the session when the last character of the SNI
    # or of the peer DN is a backslash ("\\" expands to one backslash)
    deny    condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_sni}}}}
    deny    condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_peerdn}}}}
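The following is an added illustration, not Exim's code: it models the spool-header round trip described above (a backslash written unescaped, then read back by a privileged reader) and the same trailing-backslash test the mitigation ACL performs. The "-tls_sni" line layout, the function names and the sample SNI are assumptions constructed for the demo.

```python
# Added illustration, not Exim's code: models the spool-header round trip the
# article describes and the ACL test it recommends. The "-tls_sni" line format
# and the function names are assumptions for the demo.

def escape(s: str, escape_backslash: bool) -> str:
    """Make a string safe for a text header line. With escape_backslash=False
    the backslash passes through unescaped: the defect class described above."""
    out = []
    for ch in s:
        if ch == "\\":
            out.append("\\\\" if escape_backslash else "\\")
        elif ch.isprintable():
            out.append(ch)
        else:
            out.append("\\%03o" % ord(ch))  # control byte -> \NNN octal
    return "".join(out)

def unescape(s: str) -> str:
    """Reader side. Refuses a dangling trailing backslash instead of reading
    past the end of the field, as an unchecked C reader would."""
    out, i = [], 0
    while i < len(s):
        if s[i] != "\\":
            out.append(s[i]); i += 1
        elif i + 1 >= len(s):
            raise ValueError("dangling backslash at end of field")
        elif s[i + 1] == "\\":
            out.append("\\"); i += 2
        elif len(s[i + 1:i + 4]) == 3 and s[i + 1:i + 4].isdigit():
            out.append(chr(int(s[i + 1:i + 4], 8))); i += 4
        else:
            raise ValueError("bad escape at offset %d" % i)
    return "".join(out)

def spool_roundtrip(sni: str, escape_backslash: bool) -> str:
    """Write the SNI as a header line and read it back; returns the decoded
    value, or an 'ERROR: ...' string when the reader rejects the field."""
    line = "-tls_sni " + escape(sni, escape_backslash) + "\n"
    try:
        return unescape(line[len("-tls_sni "):-1])
    except ValueError as exc:
        return "ERROR: " + str(exc)

def sni_ends_with_backslash(sni: str) -> bool:
    """Same test as the mitigation ACL's ${substr{-1}{1}{$tls_in_sni}}."""
    return sni[-1:] == "\\"

# Constructed sample: a client SNI ending in a backslash (the NUL the article
# mentions has already terminated the string at the C level).
HOSTILE_SNI = "mail.example\\"
```

With escape_backslash=False the field cannot be decoded safely (a dangling backslash at the end of the field), while the corrected escaper round-trips the value unchanged; the ACL-style check flags the same input before it ever reaches the spool.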

Source: www.habr.com