Vulnerability found in KeePass that allows password theft

Vulnerability

If exploited, these flaws can allow attackers to gain unauthorized access to sensitive information or, more generally, cause problems.

It was recently disclosed that the password manager KeePass, up to version 2.53 (in the default installation), allows an attacker with write access to the XML configuration file to obtain the passwords in plain text by adding an export trigger.

For those unfamiliar with KeePass, you should know that it is a very popular open-source password manager that lets you manage passwords using a locally stored database, rather than one hosted in the cloud such as LastPass or Bitwarden.

To protect these local databases, users can encrypt them with a master password so that malware or a cybercriminal cannot simply steal the database and automatically gain access to the passwords stored in it.

About the CVE-2023-24055 vulnerability

The vulnerability, identified as CVE-2023-24055, allows a person with write access to the target's system to modify the KeePass XML configuration file and inject a malicious trigger that can export the database, including all usernames and passwords, in plain text.

The vendor's position is that the password database is not designed to be secure against an attacker who has that level of access to the local PC.

The next time the target starts KeePass and enters the master password to open and decrypt the database, the export rule will run and the contents of the database will be saved to a file, which the attackers can then exfiltrate to a system under their control.

Furthermore, this export process runs in the background without the user being notified and without KeePass asking for the master password as confirmation before exporting, which allows the attacker to silently gain access to all stored passwords.

While the CERT teams of the Netherlands and Belgium have also issued security advisories about CVE-2023-24055, the KeePass development team says this should not be classified as a vulnerability, since attackers with write access to the target's device can obtain the information in the KeePass database by other means.

The Belgian CERT team suggests mitigating it with the enforced configuration feature, "since no patch will be available. This feature is intended for network administrators who want to enforce certain settings for users installing KeePass, but it can also be used by end users to harden their KeePass configuration. However, this hardening only makes sense if the end user cannot modify this file."

And that is what KeePass has stated: it will not release security updates to fix the vulnerability. The developer's position is that once a malicious attacker has access to the victim's system, there is no reasonable way to prevent the theft of the stored data.

However, KeePass gives system administrators the ability to prevent abuse through specific settings:

  1. The configuration is applied through what is called an enforced configuration file.
  2. Setting the "ExportNoKey" parameter to "false" ensures that the master password is required in order to export the stored data.
  3. This prevents a malicious actor from secretly exporting sensitive data.

The settings in the enforced configuration file KeePass.config.enforced.xml take precedence over the settings in the global and local configuration files. Various options for hardening your KeePass configuration are documented in the Keepass-Enhanced-Security-Configuration GitHub repository listed in the references section. For example, it is possible to disable the trigger functionality completely (XPath Configuration/Application/TriggerSystem).
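As an added example (not code from the article, the CERT advisories or the KeePass project), the following Python script audits a KeePass.config.xml for active triggers and checks an enforced configuration file for the two hardening settings described above. The element paths it reads (Configuration/Application/TriggerSystem and Security/Policy/ExportNoKey) are assumed from the KeePass 2.x configuration layout; the embedded XML documents and the GUID strings in them are constructed samples, and treating a missing <Enabled> element as "enabled" is an assumption about the KeePass default.

```python
"""Audit KeePass 2.x config files for the trigger-based export risk.

Added example, not from the article or the KeePass project. Element paths
are assumed from the KeePass 2.x XML layout; the samples and GUID values
below are constructed placeholders, not real KeePass identifiers.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed KeePass.config.xml with one trigger carrying one action,
# the shape a tampered user configuration would have.
USER_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<Configuration>
  <Application>
    <TriggerSystem>
      <Enabled>true</Enabled>
      <Triggers>
        <Trigger>
          <Name>Unexpected trigger</Name>
          <Events>
            <Event><TypeGuid>PLACEHOLDER-EVENT-TYPE</TypeGuid></Event>
          </Events>
          <Actions>
            <Action><TypeGuid>PLACEHOLDER-ACTION-TYPE</TypeGuid></Action>
          </Actions>
        </Trigger>
      </Triggers>
    </TriggerSystem>
  </Application>
</Configuration>
"""

# Constructed KeePass.config.enforced.xml applying both mitigations the
# article names: exports require the master key, trigger system disabled.
ENFORCED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<Configuration>
  <Application>
    <TriggerSystem>
      <Enabled>false</Enabled>
    </TriggerSystem>
  </Application>
  <Security>
    <Policy>
      <ExportNoKey>false</ExportNoKey>
    </Policy>
  </Security>
</Configuration>
"""


def _text(node, path, default=None):
    """Stripped text of the first element at `path`, or `default`."""
    found = node.find(path)
    if found is None or found.text is None:
        return default
    return found.text.strip()


def list_triggers(xml_text):
    """Return (trigger_system_enabled, [(trigger name, action count), ...])."""
    root = ET.fromstring(xml_text)
    # Assumption: KeePass enables the trigger system when <Enabled> is absent.
    enabled = _text(root, "Application/TriggerSystem/Enabled", "true").lower() == "true"
    triggers = []
    for trig in root.findall("Application/TriggerSystem/Triggers/Trigger"):
        name = _text(trig, "Name", "<unnamed>")
        triggers.append((name, len(trig.findall("Actions/Action"))))
    return enabled, triggers


def check_enforced(xml_text):
    """Report which of the two hardening settings an enforced config applies."""
    root = ET.fromstring(xml_text)
    export_no_key = _text(root, "Security/Policy/ExportNoKey", "")
    trig_enabled = _text(root, "Application/TriggerSystem/Enabled", "")
    findings = {
        # ExportNoKey=false means an export asks for the master key again.
        "export_requires_key": export_no_key.lower() == "false",
        "trigger_system_disabled": trig_enabled.lower() == "false",
    }
    findings["mitigated"] = findings["export_requires_key"] or findings["trigger_system_disabled"]
    return findings


def audit(user_xml, enforced_xml):
    """Combine both checks into a list of report lines; the last line is the verdict."""
    enabled, triggers = list_triggers(user_xml)
    f = check_enforced(enforced_xml)
    report = [f"trigger system enabled in user config: {enabled}"]
    for name, n_actions in triggers:
        report.append(f"trigger '{name}' with {n_actions} action(s): review manually")
    report.append(f"enforced ExportNoKey=false: {f['export_requires_key']}")
    report.append(f"enforced TriggerSystem disabled: {f['trigger_system_disabled']}")
    if enabled and triggers and not f["mitigated"]:
        report.append("RISK: active triggers and no enforced mitigation")
    else:
        report.append("OK: mitigation enforced or no active triggers")
    return report


if __name__ == "__main__":
    # Pass the user and enforced file paths as arguments, or audit the samples.
    docs = [open(p, encoding="utf-8").read() for p in sys.argv[1:3]] or [USER_CONFIG, ENFORCED_CONFIG]
    print("\n".join(audit(*docs)))
```

Run it with no arguments to audit the constructed samples, or pass the paths of the real KeePass.config.xml and KeePass.config.enforced.xml. As the Belgian CERT quote above notes, the enforced file only helps if the user running KeePass cannot write to it, so verifying that file's permissions belongs in the same audit.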

Organizations might also consider switching to another password manager that supports KeePass password vaults.

Finally, if you want to know more about it, you can check the details at the following link.



  1. kahle says:

    and could the same vulnerability apply to keepassxc?