In a recent development, the US Cybersecurity and Infrastructure Security Agency (CISA) has flagged a significant vulnerability in the Roundcube email software, tracked as CVE-2023-43770. The vulnerability, a cross-site scripting (XSS) flaw with a CVSS score of 6.1, has been exploited in the wild. This article covers the details of CVE-2023-43770, its impact, the affected versions, and the remediation steps that security authorities recommend.
Details of CVE-2023-43770
CVE-2023-43770 centers on the improper handling of links in plain-text messages within the Roundcube Webmail platform. The flaw creates a persistent cross-site scripting (XSS) condition, posing a significant risk of information disclosure through malicious links. Although the details of how it is exploited have not been disclosed, the severity of XSS vulnerabilities underscores the need for prompt action.
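To make the bug class concrete, here is an added illustration (constructed for this article; it is not Roundcube's code and does not claim to reproduce the exact CVE-2023-43770 defect). It shows a plain-text "linkifier" that wraps URLs in anchors without first escaping the message body, so attacker-controlled HTML in the text survives into the rendered page, next to a hardened version that escapes the whole body before adding anchors. The sample message body and the `leaks_markup` check are assumptions made up for the demonstration.

```python
import html
import re

# Matches an http(s) URL up to the next whitespace, '<', '>' or '"'.
URL_RE = re.compile(r'https?://[^\s<>"]+')

# Constructed sample plain-text message body (not from a real mailbox).
SAMPLE_BODY = "Read http://example.com/docs?a=1&b=2 then <script>alert(1)</script>"


def naive_linkify(text: str) -> str:
    """Illustrative UNSAFE linkifier (constructed, not Roundcube's code).

    Each URL is wrapped in an anchor, but the surrounding text is never
    escaped, so any HTML the sender placed in the plain-text body reaches
    the browser as live markup: the bug class the article describes.
    """
    return URL_RE.sub(lambda m: f'<a href="{m.group(0)}">{m.group(0)}</a>', text)


def safe_linkify(text: str) -> str:
    """Hardened form: make the whole body inert first, then add anchors.

    html.escape() turns <, >, &, " and ' into entities, so nothing in the
    message can open a tag or break out of the href attribute. URLs are
    matched in the already-escaped text, so the href value is itself safely
    encoded (an '&' in a query string becomes '&amp;', which is correct
    inside an HTML attribute).
    """
    escaped = html.escape(text, quote=True)
    return URL_RE.sub(
        lambda m: f'<a href="{m.group(0)}" rel="noopener noreferrer">{m.group(0)}</a>',
        escaped,
    )


def leaks_markup(rendered: str) -> bool:
    """Review helper: True if the rendered HTML contains any markup other
    than the anchors the linkifier itself emitted."""
    without_anchors = re.sub(r'<a href="[^"]*"[^>]*>|</a>', "", rendered)
    return "<" in without_anchors or ">" in without_anchors


if __name__ == "__main__":
    for name, fn in (("naive", naive_linkify), ("safe", safe_linkify)):
        out = fn(SAMPLE_BODY)
        print(f"{name}: leaks markup = {leaks_markup(out)}")
        print("   ", out)
```

Running the module prints the two renderings of the constructed body: the naive one carries the `<script>` element through verbatim, while the hardened one renders it as inert `&lt;script&gt;` text and still produces a single working anchor. The order of operations (escape the entire body, then linkify) is the point; escaping only the matched URL would still leave the rest of the message live.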
The vulnerability affects Roundcube versions before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3. The Roundcube maintainers responded promptly by releasing version 1.6.3 on September 15, 2023, which addresses and mitigates the identified vulnerability. Credit for discovering and reporting CVE-2023-43770 goes to Zscaler security researcher Niraj Shivtarkar.
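The three affected ranges above are easy to misread during a patch sweep (for example, "before 1.4.14" also covers every 1.3.x and older install). The following added example, written for this article rather than taken from Roundcube or CISA, encodes those ranges as a version check and runs it over a constructed host inventory; the hostnames and version strings are made up for the demonstration.

```python
import re
from typing import List, Optional, Tuple

# Fixed release per branch, as listed in the advisory. A release below the
# fixed version of its branch is affected. Branches older than 1.4 have no
# fix of their own and fall under "before 1.4.14".
FIXED = {
    (1, 4): (1, 4, 14),
    (1, 5): (1, 5, 4),
    (1, 6): (1, 6, 3),
}

# Constructed sample inventory (hostname, reported Roundcube version).
INVENTORY = [
    ("mail-a.example.com", "1.6.2"),
    ("mail-b.example.com", "1.6.3"),
    ("mail-c.example.com", "1.5.3"),
    ("mail-d.example.com", "1.4.14"),
    ("mail-e.example.com", "1.3.17"),
]


def parse_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Turn '1.6.2' into (1, 6, 2); None if the string is not a version.
    A trailing pre-release suffix such as '-rc' is stripped and the base
    number compared, so treat release candidates of a fixed version with care."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version: str) -> bool:
    """True if the given Roundcube version falls in an affected range."""
    v = parse_version(version)
    if v is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    branch = v[:2]
    if branch in FIXED:
        return v < FIXED[branch]
    if branch < (1, 4):
        # Everything older than the 1.4 branch is "before 1.4.14".
        return True
    # Branches newer than 1.6 are outside the listed ranges.
    return False


def hosts_needing_patch(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the hostnames whose reported version is affected."""
    return [host for host, ver in inventory if is_affected(ver)]


if __name__ == "__main__":
    for host in hosts_needing_patch(INVENTORY):
        print(f"{host}: affected, update to the fixed release of its branch")
```

The check is deliberately branch-aware: a 1.5.x install is not fixed by being "newer than 1.4.14", it needs 1.5.4 or later, and the same applies to 1.6.x and 1.6.3. Feed it the version string from each server's Roundcube installation rather than from package metadata alone, since distribution packages may carry backported fixes under a different version number.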
Impact and Potential Threats
Past incidents have shown that vulnerabilities in web-accessible email clients can become a weapon of choice for threat actors. Known groups such as APT28 and Winter Vivern have exploited similar flaws in the past. The potential consequences of exploiting CVE-2023-43770 include unauthorized access, data theft, and compromise of sensitive information. The urgency for users and organizations to apply protective measures cannot be overstated.
Response and Mitigation
In response to the identified threat, US Federal Civilian Executive Branch (FCEB) agencies have been directed to apply the vendor-supplied updates by March 4, 2024 to remediate the CVE-2023-43770 vulnerability.
Best Practices for Prevention
Preventing future compromise requires a proactive approach to cybersecurity. Consider the following best practices:
- Keep Software Updated: Regularly update Roundcube and other software to the latest versions to reduce weaknesses and strengthen security.
- Apply Security Patches: Install the patches and updates provided by software vendors promptly to address known vulnerabilities.
- User Awareness Training: Train users to recognize and report suspicious emails or activity to reduce the risk of falling victim to attacks.
- Network Segmentation: Implement network segmentation to limit the potential damage of a successful attack and contain the spread of threats.
Conclusion
The exploitation of CVE-2023-43770 in the Roundcube email software highlights the evolving threat landscape and the need for robust cybersecurity measures. Users and organizations must act quickly to apply security patches, update software, and educate users to reduce the risk of falling victim to such vulnerabilities. Collaboration among security researchers, software vendors, and cybersecurity authorities plays a vital role in protecting the digital environment from emerging cyber threats.