In a recent development, the US Cybersecurity and Infrastructure Security Agency (CISA) flagged a serious vulnerability in the Roundcube email software, designated CVE-2023-43770. The vulnerability, classified as a cross-site scripting (XSS) flaw with a CVSS score of 6.1, has been actively exploited in the wild. This article examines the details of CVE-2023-43770, its potential impact, the affected versions, and the mitigation steps recommended by cybersecurity authorities.
Details of CVE-2023-43770
CVE-2023-43770 concerns the improper handling of linkrefs in plain-text messages within the Roundcube Webmail platform. The flaw creates the possibility of persistent cross-site scripting (XSS) attacks, carrying a significant risk of information disclosure through malicious link references. Although the exact details of the exploitation have not been made public, the severity of the XSS weakness underscores the need for prompt action.
The vulnerability affects Roundcube versions before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3. The Roundcube developers responded quickly by releasing version 1.6.3 on September 15, 2023, which corrects and mitigates the identified vulnerability. Credit for the discovery and disclosure of CVE-2023-43770 goes to Zscaler security researcher Niraj Shivtarkar.
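As an added example (not code from the article or from the Roundcube project), the following Python encodes the affected ranges stated above as a check that can be run over an inventory of version strings; the hostnames and versions in the sample inventory are constructed, and a bare "X.Y" version is treated as "X.Y.0".

```python
"""Check whether a Roundcube Webmail version string falls within the ranges
affected by CVE-2023-43770, as stated in the article: all releases before
1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3.
Added example, not Roundcube project code."""
import re

# Fixed release for each branch the article names.
FIXED = {(1, 4): (1, 4, 14), (1, 5): (1, 5, 4), (1, 6): (1, 6, 3)}
# Everything older than 1.4.14, including whole earlier branches such as
# 1.3.x, falls inside the "before 1.4.14" range.
OLDEST_FIXED = (1, 4, 14)


def parse_version(text):
    """Extract '1.6.3' or '1.6' from strings such as 'Roundcube Webmail 1.6.3'
    and return a (major, minor, patch) tuple; a missing patch counts as 0."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(text):
    """True when the version is below the fixed release of its branch."""
    v = parse_version(text)
    branch = v[:2]
    if branch in FIXED:
        return v < FIXED[branch]   # same branch: fixed at or above the patch release
    return v < OLDEST_FIXED        # older branches affected; newer ones not listed


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "mail-a.example.test": "Roundcube Webmail 1.6.2",
    "mail-b.example.test": "1.6.3",
    "mail-c.example.test": "1.5.4",
    "mail-d.example.test": "1.4.13",
    "mail-e.example.test": "1.3.17",
    "mail-f.example.test": "1.7.0",
}


def triage(inventory):
    """Return the sorted list of hosts still running an affected version."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: affected, upgrade to the fixed release of its branch")
```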
Impact and Potential Threat Actors
Past incidents have shown that vulnerabilities in web-based email clients can be the weapon of choice for threat actors. Known groups such as APT28 and Winter Vivern have exploited similar vulnerabilities in the past. The potential consequences of exploiting CVE-2023-43770 include unauthorized access, data theft, and the possible compromise of sensitive information. The urgency for users and organizations to take protective measures cannot be overstated.
Response and Mitigation
In response to the identified threat, US Federal Civilian Executive Branch (FCEB) agencies have been directed to apply the fixes provided by the vendor by March 4, 2024. This directive aims to strengthen network security and protect against potential cyber threats arising from the CVE-2023-43770 vulnerability.
Best Practices for Prevention
Preventing future compromises requires a proactive approach to cybersecurity. Consider the following best practices:
- Keep Software Updated: Regularly update Roundcube and other software to the latest version to close known weaknesses and improve security.
- Apply Security Patches: Install the patches and fixes provided by software vendors promptly to remediate identified vulnerabilities.
- User Awareness Training: Train users to recognize and report suspicious emails or activity in order to reduce the risk of falling victim to attacks.
- Network Segmentation: Use network segmentation to limit the potential damage of a successful attack and contain the spread of a threat.
Conclusion
The exploitation of CVE-2023-43770 in the Roundcube email software underscores the evolving threat landscape and the need for robust cybersecurity measures. Users and organizations must act promptly to apply the necessary security patches, update their software, and raise awareness among users to reduce the risk of falling victim to such vulnerabilities. Collaboration between security researchers, software vendors, and cybersecurity authorities plays a vital role in protecting the digital environment from emerging cyber threats.