Emzamweni wokuqinisa izivikelo zayo ze-cybersecurity, i-Cisco isanda kuthola futhi ngokushesha yabhekana nobungozi obuphezulu ngaphakathi kwesofthiwe yayo ye-Secure Client. Okubaluleke kakhulu kulokhu, okukhonjwe njenge-CVE-2024-20337, kubangela usongo olukhulu ngokuvumela ukufinyelela okungagunyaziwe kumaseshini we-VPN. Ngomphumela we-CVSS ongu-8.2, lobu bungozi busukela ekuhlaselweni komjovo we-carriage return line feed (CRLF), okwethula isango elingaba khona labalingisi abanonya lokukhohlisa izikhathi zabasebenzisi ngemiphumela emibi. Lesi sihloko sicubungula imininingwane yokuba sengozini, umthelela wabo ongaba khona, nezinyathelo ezithathwe yi-Cisco ukunciphisa ubungozi.
I-CVE-2024-20337 Imininingwane
Ukuba sengozini enhliziyweni yalolu songo lwe-inthanethi kuvumela abahlaseli berimothi ukuthi basebenzise ukuhlasela komjovo we-CRLF ngenxa yokuqinisekiswa okunganele kokokufaka okunikezwa umsebenzisi. Ngokuthumela izixhumanisi eziklanywe ngokukhethekile, abalingisi abasongelayo bangakhohlisa abasebenzisi ukuthi baqalise ukuxhaphaza bengazi ngesikhathi soxhumano lwe-VPN. Leli phutha linemithelela enzima, linikeza abahlaseli ikhono lokwenza ikhodi yeskripthi engafanele ngaphakathi kwezindawo zesiphequluli sezisulu kanye nokufinyelela olwazini olubucayi, okuhlanganisa amathokheni avumelekile oLimi Lwezimpawu Zokuvikela Lokuqinisekisa (i-SAML).
Ngamathokheni antshontshiwe, abahlaseli bangakwazi ukuqalisa amaseshini e-VPN yokufinyelela kude, bazenze abasebenzisi abagunyaziwe, okungenzeka bangene amanethiwekhi angaphakathi futhi bafake engozini idatha ebucayi. Lokhu kuba sengcupheni okubalulekile kwandisa ukufinyelela kwakho kuzo zonke izinkundla eziningi, kuthinta isofthiwe ye-Secure Client ku-Windows, Linux, ne-macOS.
Ibona ubunzima besimo, uCisco wathatha isinyathelo ngokushesha ukuze abhekane nokuba sengozini. Inkampani ikhiphe ama-patches kuzo zonke izinhlobo zesoftware ukuze inciphise ubungozi ngempumelelo. Izinguqulo zangaphambi kuka-4.10.04065 zithathwa njengezingenabungozi, kuyilapho ukukhishwa okulandelayo kuye kwaqiniswa ukuze kuqedwe iphutha elikhonjiwe.
Ngaphezu kwe-CVE-2024-20337, i-Cisco iphinde yaxazulula elinye iphutha elinzima kakhulu, i-CVE-2024-20338, elithinta iKlayenti Elivikelekile le-Linux. Ngomphumela we-CVSS ongu-7.3, lobu bungozi bungenza abahlaseli bendawo bakwazi ukuphakamisa amalungelo kumadivayisi onakalisiwe, kukhuphule ukukhathazeka okukhulu kwezokuphepha.
Ekuphenduleni lobu bungozi, i-Cisco ikhuthaza abasebenzisi ukuthi basebenzise ngokushesha amapeshi adingekayo nezibuyekezo ukuze bavikele amasistimu abo ekuxhashazweni okungase kube khona. Ukubaluleka kokuhlala uqaphile futhi umatasa lapho ubhekene nezinsongo zohleloxhumano ngesiqoqelalwazi azikwazi ukugcizelelwa.
Yize amagama athile okutholwa kohlelo olungayilungele ikhompuyutha ahlotshaniswa nalobu bungozi enganikezwanga, izinhlangano zelulekwa ukuthi zihlale zazisiwe mayelana nezinsongo ezivelayo futhi zisebenzise izinyathelo eziqinile zokuphepha ku-inthanethi ukuze zithole futhi zinqande ukuhlasela okungaba khona. Izinsongo ezifanayo zingase zisebenzise ubungozi kuma-software ahlukahlukene, kugcizelela isidingo sezinqubo zokuphepha eziphelele.
Imikhuba Engcono Kakhulu Yokuvimbela
Ukuze kuqiniswe ukuzivikela ku-cybersecurity futhi kuvinjwe izifo ezizayo, abasebenzisi bayelulekwa ukuthi basebenzise izinqubo ezihamba phambili ezilandelayo:
- Vuselela njalo isofthiwe ne-firmware: Qinisekisa ukuthi wonke amasistimu wokusebenza, izinhlelo zokusebenza, nesofthiwe yezokuvikela kusesikhathini samanje ukuze ukhiphe ubungozi futhi uthuthukise ukukhuthazela kwesistimu.
- Sebenzisa ukuhlukaniswa kwenethiwekhi: Hlukanisa amanethiwekhi abe amasegimenti ukuze ukhawulele umthelela wokuphulwa okungenzeka okungenzeka futhi uqukathe imisebenzi enonya.
- Fundisa abasebenzisi: Gxilisa isiko lokuqwashisa nge-cybersecurity phakathi kwabasebenzisi, ugcizelela ukubaluleka kokubona imizamo yobugebengu bokweba imininingwane ebucayi kanye nokuqapha ngezixhumanisi nokunamathiselwe.
- Gada ithrafikhi yenethiwekhi: Sebenzisa amathuluzi okuqapha enethiwekhi aqinile ukuze uthole futhi uphendule emisebenzini engajwayelekile noma esolisayo ngokushesha.
- Yenza ukuhlola okujwayelekile kokuvikela: Hlola ngezikhathi ezithile futhi uhlole izivumelwano zokuphepha, ukulungiselelwa, nezilawuli zokufinyelela ukuze uhlonze futhi ulungise ubungozi obungaba khona.
Isiphetho
Ukutholwa kanye nokuncishiswa ngokushesha kobungozi ngaphakathi kwesofthiwe ye-Cisco's Secure Client kugcizelela ukuguquguquka kwezinsongo ze-cyber. Njengoba izinhlangano ziqhubeka nokuzulazula endaweni yedijithali, ukugcina isimo sokusebenza, ukuhlala zaziswe ngezingozi ezivelayo, nokusebenzisa izindlela zokuphepha eziqinile kuyizici ezibalulekile zesu elibanzi lokuphepha ku-inthanethi. Impendulo ye-Cisco isebenza njengesikhumbuzo somzamo wokubambisana odingekayo ukuze kuvikelwe izinsongo ezivelayo nokuvikela ulwazi olubucayi ekufinyeleleni okungagunyaziwe.