In a recent development, the Cybersecurity and Infrastructure Security Agency (CISA) has flagged a significant vulnerability in the Roundcube webmail software, tracked as CVE-2023-43770, by adding it to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, classified as cross-site scripting (XSS) with a CVSS score of 6.1, has been exploited in the wild. This article examines the details of CVE-2023-43770, its potential consequences, the affected versions, and the remediation steps recommended by cybersecurity authorities.
CVE-2023-43770 Details
CVE-2023-43770 concerns the improper handling of link references (linkrefs) in plain-text messages within the Roundcube webmail platform. When Roundcube renders a text/plain message it converts bare URLs into clickable links; a crafted message can abuse that conversion so that attacker-controlled markup ends up in the recipient's browser. This creates a path for persistent (stored) cross-site scripting (XSS), with a significant risk of information disclosure, since the payload runs in the context of the victim's webmail session every time the message is opened. Although specific exploitation details have not been publicly described, the seriousness of an XSS flaw in a mail client underscores the need for prompt action.
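To make the bug class concrete, here is an added example of a plain-text linkifier in its vulnerable and hardened forms. This is illustrative code written for this article, not Roundcube's rcube_string_replacer.php, and the exact root cause in Roundcube is not described on this page; the sample message body, the URL regex and the AnchorAuditor helper are constructed for the demonstration. The vulnerable version pastes the matched "URL" straight into an href attribute, so a double quote inside the match closes the attribute and starts a new one chosen by the sender. The hardened version HTML-escapes the surrounding text and escapes the URL for attribute context before building the anchor.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample plain-text body. The quote inside the "URL" is the whole
# trick: a linkifier that pastes the match into an attribute lets it close
# href and start a new, attacker-chosen attribute.
SAMPLE_BODY = 'Invoice: http://example.com/"onmouseover="alert(1) see attachment'

# Deliberately loose URL matcher of the kind a naive linkifier uses.
URL_RE = re.compile(r"https?://\S+")


def linkify_naive(text: str) -> str:
    """Vulnerable: the matched URL goes into href and the element body unescaped."""
    return URL_RE.sub(lambda m: f'<a href="{m.group(0)}">{m.group(0)}</a>', text)


def linkify_safe(text: str) -> str:
    """Hardened: escape all surrounding text, and escape the URL for attribute context."""
    out, last = [], 0
    for m in URL_RE.finditer(text):
        out.append(html.escape(text[last:m.start()]))
        url = html.escape(m.group(0), quote=True)  # quotes become &quot;
        out.append(f'<a href="{url}" rel="noopener noreferrer">{url}</a>')
        last = m.end()
    out.append(html.escape(text[last:]))
    return "".join(out)


class AnchorAuditor(HTMLParser):
    """Records the attribute names a browser-like parser sees on each <a> tag."""

    def __init__(self):
        super().__init__()
        self.anchor_attrs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.anchor_attrs.append([name for name, _ in attrs])


def injected_attributes(rendered: str, allowed=("href", "rel")) -> list:
    """Return attribute names on <a> tags that the linkifier never meant to emit."""
    auditor = AnchorAuditor()
    auditor.feed(rendered)
    return [n for attrs in auditor.anchor_attrs for n in attrs if n not in allowed]


if __name__ == "__main__":
    for label, fn in (("naive", linkify_naive), ("safe ", linkify_safe)):
        rendered = fn(SAMPLE_BODY)
        print(f"{label}: {rendered}")
        print(f"       injected attrs: {injected_attributes(rendered)}")
```

The auditor is the check a reviewer would run over a renderer's output: for the naive linkifier it reports an unexpected `onmouseover` attribute on the anchor, for the hardened one it reports nothing, because the only quotes left in the markup are the ones the linkifier itself emitted.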
The vulnerability affects Roundcube versions before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3. The Roundcube maintainers responded quickly, releasing version 1.6.3 on September 15, 2023, which fixes the issue, with 1.5.4 and 1.4.14 providing the same fix for the older branches. Credit for discovering and reporting CVE-2023-43770 goes to Zscaler security researcher Niraj Shivtarkar.
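As an added practical check (example code for this article, not a tool from the Roundcube project or CISA), the following script encodes the affected ranges above and decides whether a given Roundcube version still needs the patch. It also pulls the version out of the `define('RCMAIL_VERSION', ...)` line that Roundcube's program/include/iniset.php carries; the sample file contents here are constructed, and the assumption that branches newer than 1.6 already include the fix is the script's own.

```python
import re

# Fixed releases per branch, taken from the affected-version ranges above.
# Anything older than 1.4.14 (including pre-1.4 branches) is treated as
# affected; branches newer than 1.6 are assumed (not stated on the page) to
# carry the fix.
FIXED_RELEASES = {
    (1, 4): (1, 4, 14),
    (1, 5): (1, 5, 4),
    (1, 6): (1, 6, 3),
}

# Matches the define() line in program/include/iniset.php, e.g.
#   define('RCMAIL_VERSION', '1.6.2');
VERSION_DEFINE_RE = re.compile(
    r"""define\(\s*['"]RCMAIL_VERSION['"]\s*,\s*['"]([0-9]+(?:\.[0-9]+)*)[^'"]*['"]\s*\)"""
)


def parse_version(version: str) -> tuple:
    """'1.6.2' -> (1, 6, 2). A pre-release suffix such as '-git' is ignored,
    so treat suffixed builds as the numbered release they claim to be."""
    core = re.match(r"[0-9]+(?:\.[0-9]+)*", version.strip())
    if not core:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = tuple(int(p) for p in core.group(0).split("."))
    return parts + (0,) * (3 - len(parts))  # pad to major.minor.patch


def is_affected(version: str) -> bool:
    """True if this Roundcube version falls inside the CVE-2023-43770 ranges."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_RELEASES:
        return v < FIXED_RELEASES[branch]
    # Older than the 1.4 branch: "before 1.4.14" covers it. Newer: assumed fixed.
    return v < (1, 4, 14)


def version_from_iniset(source: str):
    """Extract RCMAIL_VERSION from the contents of program/include/iniset.php."""
    m = VERSION_DEFINE_RE.search(source)
    return m.group(1) if m else None


# Constructed stand-in for the relevant line of iniset.php on a 1.6.2 host.
SAMPLE_INISET = "<?php\n// ...\ndefine('RCMAIL_VERSION', '1.6.2');\n"


if __name__ == "__main__":
    import sys
    # Usage: python check_roundcube.py /path/to/roundcube/program/include/iniset.php
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INISET
    found = version_from_iniset(source)
    if found is None:
        print("RCMAIL_VERSION not found")
    else:
        state = "AFFECTED, patch required" if is_affected(found) else "not affected"
        print(f"Roundcube {found}: {state}")
```

Run it against the iniset.php of each webmail host in inventory; a result of "AFFECTED" means the host is still inside one of the three ranges listed above and should be upgraded to 1.6.3, 1.5.4 or 1.4.14 as appropriate.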
Impact and Potential Threat Actors
Past incidents have shown that vulnerabilities in web-based e-mail clients are an attractive tool for threat actors. Notable groups such as APT28 and Winter Vivern have exploited similar Roundcube flaws in the past. Potential consequences of exploiting CVE-2023-43770 include unauthorized access to the victim's webmail session, data theft, and the compromise of sensitive information. The urgency for users and organizations to implement security measures cannot be overstated.
Response and Mitigation
In response to the identified threat, CISA added CVE-2023-43770 to its Known Exploited Vulnerabilities catalog and required US Federal Civilian Executive Branch (FCEB) agencies to apply the vendor-provided fix by March 4, 2024. The directive aims to strengthen network security and protect against cyber threats arising from the CVE-2023-43770 vulnerability.
Best Practices for Prevention
Preventing future compromise requires a proactive approach to security. Consider the following practices:
- Keep software up to date: Regularly update Roundcube and other software to the latest versions to close known vulnerabilities and benefit from security improvements.
- Apply security patches: Install the patches and updates provided by software vendors promptly to fix identified vulnerabilities.
- User awareness training: Train users to recognize and report suspicious e-mails or activity, reducing the risk of falling victim to exploitation.
- Network segmentation: Use network segmentation to limit the potential impact of a successful attack and contain the spread of threats.
Conclusion
The exploitation of CVE-2023-43770 in the Roundcube webmail software highlights the evolving threat landscape and the need for robust security measures. Users and organizations must act promptly to apply the necessary security patches, update their software, and raise awareness among users to reduce the risk of falling victim to this vulnerability. The collaborative efforts of security researchers, software vendors, and cybersecurity authorities play a vital role in protecting the digital landscape against emerging cyber threats.