Exim - again. Remote command execution in Exim 4.92 with a single request


Not long ago, at the start of the summer, there was a widespread call to update Exim to version 4.92 because of the CVE-2019-10149 vulnerability (Urgently update Exim to 4.92 - there is an active infection / Sudo Null IT News). And it has since turned out that the Sustes malware decided to exploit this vulnerability.

Now everyone who updated promptly "can rejoice again": on July 21, 2019, the researcher Zerons found a critical vulnerability in the Exim Mail Transfer Agent (MTA) when TLS is in use, affecting versions 4.80 through 4.92.1 inclusive, which allows a remote attacker to execute code with elevated privileges (CVE-2019-15846).

The vulnerability

The vulnerability is present whether the secure TLS connection is established with the GnuTLS library or with OpenSSL.

According to the developer Heiko Schlittermann, the Exim configuration file does not use TLS by default, but most distributions create the required certificates during installation and enable the secure connection. In addition, newer Exim versions enable the tls_advertise_hosts=* option and generate the required certificates themselves.

"It depends on the configuration. Most distros do it by default, but Exim needs a certificate+key to work as a TLS server. Probably distros create a certificate during setup. Newer Exims have a tls_advertise_hosts option that defaults to '*' and create a self-signed certificate if none is provided."

The vulnerability itself lies in incorrect handling of the SNI (Server Name Indication, a TLS extension introduced in 2003 in RFC 3546 so that a client can request the certificate matching a particular domain name; see Adoption of the TLS SNI standard / WEBO Group Blog / Sudo Null IT News) during the TLS handshake. All the attacker needs to do is send an SNI that ends in a backslash ("\") followed by a null character ("\0").

Researchers from Qualys located the bug in the function string_printing(tls_in.sni), which fails to escape "\". As a result, the trailing backslash is written unescaped into the spool header file. That file is later read, with elevated privileges, by the function spool_read_header(), which leads to a heap overflow.
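To make the mechanism concrete, the following is an added, simplified C model of the "print" / "unprint" round trip that a spool header field goes through. It is illustration code written for this page, not Exim's source: the names sni_print_vuln, sni_print_fixed, sni_unprint_len and roundtrip_len are invented here, the escaping scheme is reduced to the bare minimum, and the SNI values in main() are constructed. What it shows is the core of the bug: a printer that escapes non-printable bytes but not the backslash itself can emit a field ending in a lone "\", and a decoder that then treats "\" as the start of an escape sequence has to read the byte after the terminator. In real Exim that out-of-bounds read cascades into the heap overflow described above; here the decoder reports the truncated escape instead of performing it.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable printer (model of the bug): non-printable bytes become \xNN,
 * but a literal backslash is passed through, so an SNI ending in '\'
 * produces a printed field that also ends in a lone '\'. */
static char *sni_print_vuln(const char *in)
{
    size_t n = strlen(in);
    char *out = malloc(4 * n + 1);          /* worst case: \xNN per byte */
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)in[i];
        if (isprint(c))
            out[o++] = (char)c;
        else
            o += (size_t)sprintf(out + o, "\\x%02x", c);
    }
    out[o] = '\0';
    return out;
}

/* Fixed printer: the backslash is escaped as "\\" like any other special
 * byte, so the printed field can never end in a single '\'. */
static char *sni_print_fixed(const char *in)
{
    size_t n = strlen(in);
    char *out = malloc(4 * n + 1);
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c == '\\') {
            out[o++] = '\\';
            out[o++] = '\\';
        } else if (isprint(c)) {
            out[o++] = (char)c;
        } else {
            o += (size_t)sprintf(out + o, "\\x%02x", c);
        }
    }
    out[o] = '\0';
    return out;
}

/* Decoder as the spool reader would apply it. Returns the number of decoded
 * bytes, or -1 when an escape sequence is truncated, i.e. when a naive
 * decoder would have to read past the string terminator. A lone trailing
 * backslash is exactly that case. */
static long sni_unprint_len(const char *printed)
{
    size_t n = strlen(printed);
    long decoded = 0;
    for (size_t i = 0; i < n; i++) {
        if (printed[i] != '\\') {
            decoded++;
            continue;
        }
        if (i + 1 >= n)
            return -1;                      /* '\' is the last byte */
        if (printed[i + 1] == 'x') {
            if (i + 3 >= n)
                return -1;                  /* truncated \xNN */
            i += 3;
        } else {
            i += 1;                         /* "\\" pair */
        }
        decoded++;
    }
    return decoded;
}

/* Print with the vulnerable or the fixed printer, then decode. */
static long roundtrip_len(const char *sni, int use_fixed)
{
    char *printed = use_fixed ? sni_print_fixed(sni) : sni_print_vuln(sni);
    long len = sni_unprint_len(printed);
    free(printed);
    return len;
}

int main(void)
{
    /* Constructed sample SNI values: a normal name and one ending in '\'. */
    const char *samples[] = { "mail.example.com", "evil\\" };
    for (size_t i = 0; i < 2; i++) {
        printf("%-20s vulnerable printer: %ld   fixed printer: %ld\n",
               samples[i],
               roundtrip_len(samples[i], 0),
               roundtrip_len(samples[i], 1));
    }
    return 0;
}
```

A benign SNI round-trips identically through both printers; the one ending in a backslash round-trips only through the fixed printer, while the vulnerable printer hands the decoder a truncated escape (reported as -1 here, an out-of-bounds read in the real code).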

It is worth noting that the Exim developers have already built a PoC for the vulnerability that executes commands on a remote vulnerable server, but it has not been made public yet. Given how easy the bug is to exploit, its appearance is only a matter of time, and not much of it.

The detailed analysis by Qualys can be found here.


Using SNI in TLS

Number of potentially vulnerable public servers

According to statistics from the large hosting provider E-Soft Inc as of September 1, version 4.92 is used on more than 70% of the hosted servers.

Version    Number of servers    Share
4.92.1                 6471    1.28%
4.92                 376436   74.22%
4.91                  58179   11.47%
4.9                    5732    1.13%
4.89                  10700    2.11%
4.87                  14177    2.80%
4.84                   9937    1.96%
Other versions        25568    5.04%

E-Soft Inc statistics

A search with the Shodan engine returns about 5,250,000 servers:

  • about 3,500,000 run Exim 4.92 (about 1,380,000 of them with SSL/TLS);
  • more than 74,000 run 4.92.1 (about 25,000 of them with SSL/TLS).

So the number of publicly known and reachable Exim servers that may be vulnerable is on the order of 1.5M.


Searching for Exim servers in Shodan

Protection

  • The simplest, but not recommended, option is to stop using TLS, which means mail would be transmitted in the clear.
  • The best way to avoid exploitation of the vulnerability is to upgrade to Exim Internet Mailer 4.92.2.
  • If upgrading or installing a patched version is not possible, you can add an ACL to the Exim configuration via the acl_smtp_mail option with the following rules, which reject a session whose SNI or peer DN ends in a backslash:
    # to be prepended to your mail acl (the ACL referenced
    # by the acl_smtp_mail main config option)
    deny    condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_sni}}}}
    deny    condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_peerdn}}}}

Source: www.habr.com
