A vulnerability found in KeePass allows passwords to be stolen

Vulnerability

If exploited, these flaws can allow attackers to gain unauthorized access to sensitive information or, more generally, cause problems.

It recently became known that the password manager KeePass, up to and including version 2.53 (in a default installation), allows an attacker with write access to the XML configuration file to obtain the stored passwords in plain text by adding an export trigger.

For those who do not know KeePass: it is a popular open-source password manager that lets you manage passwords in a locally stored database, instead of one hosted in the cloud such as LastPass or Bitwarden.

To protect these local databases, users can encrypt them with a master password, so that malware or a cybercriminal cannot simply steal the database and automatically access the passwords stored in it.

About the CVE-2023-24055 vulnerability

The vulnerability, tracked as CVE-2023-24055, allows someone with write access to the target system to modify the KeePass XML configuration file and inject a malicious trigger that exports the database, including all usernames and passwords, in plain text.

The vendor's position is that the password database is not designed to be secure against an attacker with that level of access to the local PC.

The next time the target launches KeePass and enters the master password to open and decrypt the database, the export rule runs and the database contents are saved to a file that the attackers can exfiltrate to a system under their control.

Moreover, this export process starts in the background without the user being notified and without KeePass asking for the master password as confirmation before exporting, allowing the attacker to silently gain access to all stored passwords.

While the CERT teams of the Netherlands and Belgium have published security advisories about CVE-2023-24055, the KeePass development team argues that this should not be classified as a vulnerability, because attackers with write access to a target device can also obtain the information in the KeePass database by other means.

The Belgian CERT team recommends implementing a mitigation by hardening the configuration, "since no patch will be available. This article is mainly intended for network administrators who want to enforce specific settings on their users' KeePass installations, but it can also be used by end users to harden their KeePass configuration. However, this hardening only makes sense if the end user cannot modify this file."

KeePass has stated that it will not release a security update to fix the vulnerability. The developer's position is that once a malicious attacker has access to the victim's system, there is no reasonable way to prevent theft of the stored data.

However, KeePass gives system administrators the ability to prevent this abuse through certain policies:

  1. The configuration is applied through what is called an enforced configuration file.
  2. Setting the "ExportNoKey" parameter to "false" ensures that the master password is required in order to export the stored data.
  3. This prevents a malicious actor from covertly exporting sensitive data.

Settings in the enforced configuration file KeePass.config.enforced.xml take precedence over the settings in the global and local configuration files. The various options for hardening your KeePass configuration are documented in the Keepass-Enhanced-Security-Configuration GitHub repository listed in the references section. For example, it is possible to disable the trigger functionality completely (XPath settings: /Application/TriggerSystem).
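As an added example (not code from the article or from the KeePass project), the following Python script audits a KeePass configuration XML for the two hardening points above: ExportNoKey enforced to false and the trigger system disabled, plus any triggers that are still defined. The element paths Security/Policy/ExportNoKey and Application/TriggerSystem are assumptions about the configuration layout; check them against the GitHub reference repository before relying on the script.

```python
# Added example, not from the article. Element paths below are assumptions
# about the KeePass config layout; verify against the reference repository.
import xml.etree.ElementTree as ET

# Constructed sample: enforced config that disables triggers and requires the
# master key for exports (the hardened state the article recommends).
HARDENED_CONFIG = """<Configuration>
  <Application>
    <TriggerSystem>
      <Enabled>false</Enabled>
    </TriggerSystem>
  </Application>
  <Security>
    <Policy>
      <ExportNoKey>false</ExportNoKey>
    </Policy>
  </Security>
</Configuration>"""

# Constructed sample: trigger system left on, ExportNoKey not enforced, and one
# trigger defined (the shape an unwanted export trigger would take).
WEAK_CONFIG = """<Configuration>
  <Application>
    <TriggerSystem>
      <Enabled>true</Enabled>
      <Triggers>
        <Trigger><Name>unexpected</Name></Trigger>
      </Triggers>
    </TriggerSystem>
  </Application>
</Configuration>"""

def _text(root, path):
    # Normalised text of the first element at the relative path, or None if absent.
    node = root.find(path)
    return node.text.strip().lower() if node is not None and node.text else None

def audit_keepass_config(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []
    if _text(root, "Security/Policy/ExportNoKey") != "false":
        findings.append("ExportNoKey not enforced to false: export without master key allowed")
    if _text(root, "Application/TriggerSystem/Enabled") != "false":
        findings.append("trigger system is not disabled")
    n = len(root.findall("Application/TriggerSystem/Triggers/Trigger"))
    if n:
        findings.append(f"{n} trigger(s) defined; review each for export actions")
    return findings
```

Run it against your own KeePass.config.enforced.xml by reading the file into a string and passing it to audit_keepass_config; any non-empty result is something to fix or justify.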

Organizations may also consider switching to another password manager that supports KeePass vaults.

Finally, if you are interested in learning more about it, you can check the details at the following link.


Comments


  1. Well said.

    And would the same vulnerability also exist in keepassxc?