TZCERT – 2014-06: Tahadhari ya Shambulio
Vyeti vya kidijiti vilivyotolewa kiholela vinaweza kuruhusu udanganyifu
Tarehe ya Toleo la Kwanza: 14-07-2014
Tarehe ya Toleo la Mwisho: 14-07-2014
Chanzo: Microsoft
System Affected:
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
Windows 8 for 32-bit Systems
Windows 8 for x64-based Systems
Windows 8.1 for 32-bit Systems
Windows 8.1 for 32-bit Systems
Windows 8.1 for x64-based Systems
Windows RT
Windows RT 8.1
Windows Server 2012
Windows Server 2012 R2
Server Core installation option
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems (Server Core installation)
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2 (Server Core installation)
Vitumi Vilivyoathirika:
Windows Phone 8 na Windows Phone 8.1
Hali Ilivyo
SSL iliyotolewa kiholela inaweza kutumiwa kwa jaribio la kuumbua maudhui, kutekeleza mashambulio ya ulaghai au kutekeleza mashambulizi ya ‘mtu- wa-kati’ dhidi ya rasilimali za mtandao.
Maelezo
Vyeti vya SSL vilitolewa kwa makosa na Kituo cha Taaluma ya Taarifa (NIC) inayoongoza Mamlaka ya Uthibitishaji (CA) ya chini/ndogo.
Athari
Viambatisho vya Usalama (Vyeti) vilivyotumiliwa vinaweza kutumiwa kwa jaribio la kuumbua maudhui, kutekeleza mashambulio ya ulaghai au kutekeleza mashambulizi ya ‘mtu- wa-kati’ dhidi ya rasilimali za mtandao.
Utatuzi:
Microsoft inahuisha Orodha ya Uaminifu wa Viambatisho vya Usalama (vyeti)(CTL) kwa matoleo yote yanayodhaminiwa ya Microsoft Windows kuondoa uthibitisho wa vyeti unaosababisha tatizo hili. Watumiaji na watawala wanahimizwa kutumia mahuisho yanayostahili kama inavyotajwa kwenye julisho la Usalama la Microsoft 2982792
Marejeo
Microsoft: https://technet.microsoft.com/en-us/library/security/2982792.aspx