A critical server-side request forgery (SSRF) vulnerability, tracked as CVE-2024-21893, has recently been exploited at an alarming scale in Ivanti Connect Secure and Ivanti Policy Secure products. The flaw has raised serious concern in the cybersecurity community because of mass exploitation attempts and the potential for unauthorized access, including the deployment of reverse shells.
Overview of the CVE-2024-21893 Exploitation
The exploitation targets CVE-2024-21893, an SSRF flaw in the Security Assertion Markup Language (SAML) component of Ivanti's products. The vulnerability allows attackers to reach resources without authentication. The Shadowserver Foundation reported a surge of exploitation attempts originating from more than 170 distinct IP addresses, underscoring the severity of the situation.
Notably, cybersecurity firm Rapid7 released a proof-of-concept (PoC) exploit that chains CVE-2024-21893 with CVE-2024-21887, a previously disclosed command injection flaw. This combination enables unauthenticated remote code execution, amplifying the risks associated with the vulnerability.
Exploitation Landscape and Risks
The situation is compounded by the use of open-source components in Ivanti VPN appliances, as highlighted by security researcher Will Dormann. The exploited SSRF vulnerability (CVE-2024-21893) is linked to the open-source Shibboleth XMLTooling library, which was patched in June 2023.
Threat actors quickly capitalized on the situation, with reports from Google-owned Mandiant revealing exploitation of CVE-2023-46805 and CVE-2024-21887. These flaws were used to deliver a variety of web shells, including BUSHWALK, CHAINLINE, FRAMESTING, and LIGHTWIRE.
Global Exposure and Response
Findings from Palo Alto Networks Unit 42 reveal the scale of global exposure: 28,474 Ivanti Connect Secure and Policy Secure instances were observed across 145 countries as of January 26.
In response to the escalating threat, Ivanti has taken steps to address the vulnerabilities. The company released a second mitigation file and began distributing official patches starting February 1, 2024. Organizations are urged to apply these patches promptly and adopt robust security measures to mitigate the risks posed by such vulnerabilities and the public PoC exploit.
Best Practices for Mitigation
To guard against future exploitation and keep systems secure, organizations should adopt the following best practices:
- Apply Patches Promptly: Regularly update and apply the security patches provided by software vendors to address known vulnerabilities.
- Continuous Monitoring: Implement continuous monitoring for suspicious activity and potential security threats within the network.
- Security Awareness Training: Conduct regular security awareness training so that employees can recognize and report potential threats.
- Network Segmentation: Use network segmentation to limit the impact of a potential breach and to isolate critical systems.
- Leverage Advanced Threat Intelligence: Use threat intelligence to stay informed about emerging threats and vulnerabilities.
By adhering to these best practices, organizations can strengthen their cybersecurity posture and reduce the risk of falling victim to incidents that target critical vulnerabilities such as CVE-2024-21893 in Ivanti products. Vigilance, proactive security measures, and timely response are essential in today's evolving threat landscape.