Update RouterOS on your MikroTik

On the evening of March 10, the Mail.ru support service began receiving complaints from users who could not connect to the Mail.ru IMAP/SMTP servers with their mail programs. In some cases the connection did not go through at all; in others it failed with a certificate error. The error was caused by the "server" presenting a self-signed TLS certificate.
Within two days, more than 10 complaints came in from users on different networks and with different devices, which made it unlikely that the problem lay in the network of any single provider. A detailed analysis revealed that the imap.mail.ru server (as well as other Mail.ru mail servers and services) was being substituted at the DNS level. Furthermore, with the active help of our users, we found that the cause was an incorrect entry in the cache of their router, which also acts as the local DNS resolver, and which in most cases (but not all) was a MikroTik device, very popular in small corporate networks and at small Internet providers.

What the problem is

In September 2019, researchers discovered several vulnerabilities in MikroTik RouterOS (CVE-2019-3976, CVE-2019-3977, CVE-2019-3978, CVE-2019-3979) that allow DNS cache poisoning attacks, i.e. the ability to substitute DNS records in the router's DNS cache. In particular, CVE-2019-3978 lets the attacker avoid waiting for someone on the internal network to query an entry on the attacker's DNS server in order to poison the resolver's cache; instead, the attacker can trigger that query themselves via port 8291 (UDP and TCP). MikroTik fixed the vulnerability in RouterOS versions 6.45.7 (stable) and 6.44.6 (long-term) on October 28, 2019, but according to research, many users have still not installed the patches.

Clearly, this problem is now being exploited "in the wild".

Why it is dangerous

An attacker can substitute the DNS record of any host accessed by a user on the internal network and thereby intercept traffic to it. If sensitive information is transmitted without encryption (for example, over http:// without TLS), or the user agrees to accept a fake certificate, the attacker can obtain all the data sent over the connection, such as a login or password. Unfortunately, practice shows that if a user is given the opportunity to accept a fake certificate, they will take it.

Why the SMTP and IMAP servers, and what saved the users

Why did the attackers try to intercept the SMTP/IMAP traffic of mail applications rather than web traffic, even though most users access their mail through a browser over HTTPS?

Not all mail programs that work over SMTP and IMAP/POP3 protect the user from mistakes by refusing to send the login and password over an insecure or compromised connection, although according to RFC 8314, adopted back in 2018 (and implemented at Mail.ru much earlier), they should protect the user from password interception over any insecure connection. Moreover, the OAuth protocol is rarely used in mail clients (the Mail.ru servers support it), and without it the login and password are transmitted in every session.

Browsers can be somewhat better protected against Man-in-the-Middle attacks. On all critical mail.ru domains, in addition to HTTPS, the HSTS (HTTP Strict Transport Security) policy is enabled. With HSTS enabled, a modern browser does not give the user an easy option to accept a fake certificate, even if the user wants to. In addition to HSTS, users were saved by the fact that, since 2017, Mail.ru's SMTP, IMAP and POP3 servers have prohibited transmitting passwords over an insecure connection; all our users used TLS to access SMTP, POP3 and IMAP, and therefore the login and password could be intercepted only if the user themselves agreed to accept the forged certificate.

For mobile users, we always recommend using the Mail.ru applications to access mail, because working with mail in them is considerably safer than in browsers or in built-in SMTP/IMAP clients.

What to do

You need to update the MikroTik RouterOS firmware to a secure version. If for some reason this is not possible, you need to filter traffic on port 8291 (tcp and udp); this will make exploiting the problem harder, although it will not eliminate the possibility of passive injection into the DNS cache. ISPs should filter this port on their networks to protect corporate users.

All users who accepted the substituted certificate should immediately change their email password and the passwords of any other services for which this certificate was accepted. For our part, we will notify users who access mail through vulnerable devices.
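The steps above (update, and until then filter port 8291 from the outside, then clean up the resolver cache) as RouterOS terminal commands. This is an added example, not part of the original post and not MikroTik's or Mail.ru's own material. It assumes the default RouterOS configuration layout: the uplink is in the interface list named WAN and the LAN is 192.168.88.0/24; change both to match your router. The update commands reboot the device.

```routeros
# Added example, not from the original post. Assumptions: interface list
# "WAN" holds the uplink (default config), LAN is 192.168.88.0/24.

# 1. See which version is running; the fix is in 6.45.7 (stable) and
#    6.44.6 (long-term).
/system resource print

# 2. Preferred fix: update. Choose the channel you track, check, install.
/system package update set channel=stable
/system package update check-for-updates
/system package update install

# 3. If updating must wait: drop port 8291 (Winbox), tcp and udp, when it
#    arrives from the WAN side. place-before=0 puts the rules at the top
#    of the input chain, ahead of any existing accept rules.
/ip firewall filter add chain=input action=drop protocol=tcp dst-port=8291 \
    in-interface-list=WAN place-before=0 \
    comment="drop Winbox from WAN (CVE-2019-3978 mitigation)"
/ip firewall filter add chain=input action=drop protocol=udp dst-port=8291 \
    in-interface-list=WAN place-before=0 \
    comment="drop Winbox from WAN (CVE-2019-3978 mitigation)"

# 4. Additionally limit the Winbox service itself to LAN addresses.
/ip service set winbox address=192.168.88.0/24

# 5. Check whether the cache already holds a substituted entry (a mail.ru
#    host pointing at an unexpected address is the symptom in the post),
#    then flush the cache so clients resolve afresh.
/ip dns cache print where name~"mail.ru"
/ip dns cache flush
```

Step 3 only blocks the externally triggered variant; as the post says, passive poisoning of the cache is still possible until the router is actually updated, so treat the firewall rules as a stopgap and step 2 as the real fix.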

P.S. There is also a related vulnerability, described in LukaSafonov's post "Backport vulnerability in RouterOS puts hundreds of thousands of devices at risk".

Source: www.habr.com
