If exploited, this flaw could allow attackers to gain unauthorized access to sensitive information or to cause disruption.
It was recently disclosed that the password manager KeePass, up to and including version 2.53 (stable), allows an attacker who has write access to its XML configuration file to obtain the stored passwords in clear text by adding an export trigger.
For those unfamiliar with KeePass: it is a very popular password manager that lets you manage your passwords in a database stored locally, rather than in one hosted in the cloud, as LastPass or Bitwarden do.
To protect these local databases, users can encrypt them with a master password, so that malware or a cybercriminal cannot simply steal the database file and read the passwords stored in it.
About the CVE-2023-24055 vulnerability
The vulnerability, tracked as CVE-2023-24055, allows a person with write access to the target system to modify the KeePass XML configuration file and inject a malicious trigger that exports the database, including all usernames and passwords, in clear text.
The vendor's position is that the password store was never designed to be secure against an attacker who already has access to the local PC.
The next time the target launches KeePass and enters the master password to open and decrypt the database, the export rule fires and the database contents are written to a file that the attacker can then exfiltrate from the compromised system.
Moreover, this runs in the background without the user being notified and without KeePass asking for the master password as confirmation before the export, so the attacker silently obtains the stored passwords.
While the CERT teams of the Netherlands and Belgium have also issued security advisories about CVE-2023-24055, the KeePass development team argues that this should not be classified as a vulnerability, since an attacker with write access to the target's device could also obtain the contents of the KeePass database by other means.
The Belgian CERT team recommends a mitigation based on the enforced configuration feature, "since there is no patch". This feature is intended for network administrators who want to force certain settings onto users' KeePass installations, but individual users can also use it to harden their own KeePass configuration. However, this hardening only makes sense if the user cannot modify that file.
With this, KeePass has made it clear that it will not release a security update to fix the vulnerability. The developer's position is that once a malicious attacker has access to the victim's system, there is no reasonable way to prevent the stored data from being stolen.
However, KeePass does give system administrators a way to protect against this abuse using certain settings:
- The settings are applied via what is called an enforced configuration file.
- Setting the "ExportNoKey" parameter to "false" ensures that the master password is required before stored data can be exported.
- This prevents an attacker from exporting sensitive data silently.
Settings in the enforced configuration file KeePass.config.enforced.xml take precedence over the global and local configuration files. Several options for hardening the KeePass configuration are documented in the Keepass-Enhanced-Security-Configuration GitHub repository listed in the references section. For example, it is possible to disable the trigger system entirely (XPath Settings/Application/System Activation).
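The following script is an added example, not code from the article, from KeePass or from either CERT. It audits an enforced configuration file for the two hardening settings described above (ExportNoKey pinned to false, trigger system disabled) and lists any triggers defined in a user-writable KeePass.config.xml so an administrator can review them. The element paths `Defaults/ExportNoKey`, `Application/TriggerSystem/Enabled` and `Application/TriggerSystem/Triggers/Trigger/Name` are assumptions based on the layout of KeePass's XML configuration; the sample XML documents are constructed for the example.

```python
"""Audit KeePass configuration files for the hardening settings discussed above.

Added example, not part of the article or of the KeePass project.  The element
paths used here are assumptions based on KeePass's configuration file layout:
  Configuration/Defaults/ExportNoKey              -> should be 'false'
  Configuration/Application/TriggerSystem/Enabled -> should be 'false'
  Configuration/Application/TriggerSystem/Triggers/Trigger/Name -> trigger names
"""
import xml.etree.ElementTree as ET

# (human-readable check name, path below the root <Configuration>, required value)
HARDENING_CHECKS = [
    ("master key required for export", "Defaults/ExportNoKey", "false"),
    ("trigger system disabled", "Application/TriggerSystem/Enabled", "false"),
]


def _parse(xml_text: str) -> ET.Element:
    root = ET.fromstring(xml_text)
    if root.tag != "Configuration":
        raise ValueError(f"unexpected root element <{root.tag}>")
    return root


def audit_enforced_config(xml_text: str) -> dict:
    """Return {check name: (ok, actual value or None)} for each hardening check.

    A missing element counts as a failure: a setting the enforced file does not
    pin can still be changed in the user's own KeePass.config.xml.
    """
    root = _parse(xml_text)
    results = {}
    for name, path, required in HARDENING_CHECKS:
        node = root.find(path)
        actual = node.text.strip().lower() if node is not None and node.text else None
        results[name] = (actual == required, actual)
    return results


def is_hardened(xml_text: str) -> bool:
    """True only if every hardening check passes."""
    return all(ok for ok, _ in audit_enforced_config(xml_text).values())


def list_triggers(xml_text: str) -> list:
    """Names of triggers defined in a (user or global) KeePass config.

    Every trigger in a file the user can write to deserves review; the advisory
    above describes a trigger that exports the database after it is opened.
    """
    root = _parse(xml_text)
    names = []
    for trig in root.findall("Application/TriggerSystem/Triggers/Trigger"):
        name_node = trig.find("Name")
        has_name = name_node is not None and name_node.text
        names.append(name_node.text.strip() if has_name else "<unnamed>")
    return names


# Constructed sample: an enforced config that pins both settings.
HARDENED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<Configuration>
  <Application>
    <TriggerSystem>
      <Enabled>false</Enabled>
    </TriggerSystem>
  </Application>
  <Defaults>
    <ExportNoKey>false</ExportNoKey>
  </Defaults>
</Configuration>
"""

# Constructed sample: trigger system left enabled, ExportNoKey not pinned at all,
# and one trigger (name only) present, as a user-level config might contain.
WEAK_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<Configuration>
  <Application>
    <TriggerSystem>
      <Enabled>true</Enabled>
      <Triggers>
        <Trigger><Name>Nightly backup</Name></Trigger>
      </Triggers>
    </TriggerSystem>
  </Application>
</Configuration>
"""

if __name__ == "__main__":
    for label, text in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        print(f"{label}: {'OK' if is_hardened(text) else 'NOT hardened'}")
        for name, (ok, actual) in audit_enforced_config(text).items():
            print(f"  [{'PASS' if ok else 'FAIL'}] {name} (value: {actual})")
        for trig in list_triggers(text):
            print(f"  trigger defined: {trig}")
```

To use it on a real installation, read KeePass.config.enforced.xml from the KeePass program directory into `audit_enforced_config`, and the user's KeePass.config.xml into `list_triggers`; the enforced file only helps if the user account cannot write to it, which the script does not check.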
Organizations may also consider switching to another password manager that supports KeePass password databases.
Finally, if you want to learn more about this, you can find further details at the following link.
Comments
Could the same vulnerability also apply to KeePassXC?