Microsoft faces criticism after Exchange exploit code is removed from GitHub

A few days ago Microsoft drew a wave of strong criticism from many developers after GitHub removed the code of an Exchange exploit. Although the removal may be the most reasonable course, the main problem is that the removed code was a proof-of-concept (PoC) exploit for the vulnerability, and publishing such prototypes is standard practice among security researchers.

Such code helps researchers understand how an attack works so that they can build better defenses. The removal has irritated many security researchers, since the exploit prototype was published after the patch had been released, which is common practice.

GitHub's rules contain a clause that prohibits placing active malicious code or exploits (that is, code that attacks users' systems) in repositories, as well as using GitHub as a platform for distributing exploits and malicious code during attacks.

However, this rule had not previously been applied to prototype code published by researchers to analyze attack methods after the vendor had released a patch.

Since such code is usually not removed, GitHub's action was perceived as Microsoft using an administrative resource to block information about a vulnerability in its own product.

Critics accuse Microsoft of applying a double standard and of censoring content of great interest to the security research community simply because that content harms Microsoft's interests.

According to a member of the Google Project Zero team, the practice of publishing exploits is justified, and the benefits outweigh the risk, because there is no way to share research results with other specialists without that information also reaching the hands of attackers.

A Kryptos Logic researcher tried to object, pointing out that in a situation where more than 50,000 outdated Microsoft Exchange servers are still reachable on the network, publishing exploit prototypes that are ready for use in attacks seems questionable.

The early harm caused by publishing exploits may outweigh the benefit to security researchers, since such exploits put a large number of servers that have not yet installed the update at risk.

GitHub representatives described the removal as a response to a violation of the service's Acceptable Use Policy and said that they understand the importance of publishing exploit prototypes for educational and research purposes, but also recognize the damage they can cause in the hands of attackers.

GitHub therefore tries to find the best balance between the interests of the security research community and the protection of potential victims. In this case, it concluded that publishing an exploit suitable for attacks, while a large number of systems remain unpatched, violates GitHub's rules.

It is worth noting that the attacks began in January, before the patch was released and information about the vulnerability was disclosed (a 0-day). Before the exploit prototype was published, around 100 servers had already been attacked and had a backdoor for remote control installed on them.

The remote exploit prototype removed from GitHub demonstrated the CVE-2021-26855 (ProxyLogon) vulnerability, which allows the data of an arbitrary user to be extracted without authentication. Combined with CVE-2021-27065, the vulnerability also allowed arbitrary code to be executed on the server with administrator privileges.

Not all exploits have been removed; for example, a simplified version of another exploit developed by the GreyOrder team remains on GitHub.

The note accompanying that exploit indicates that the original GreyOrder exploit was removed after additional functionality was added to the code to enumerate users on the mail server, which could be used to carry out mass attacks against companies running Microsoft Exchange.
