Samba receives a set of fixes that close 8 vulnerabilities

Package updates were recently released for several Samba versions, namely 4.15.2, 4.14.10 and 4.13.14, bringing changes that include the removal of 8 vulnerabilities, most of which can lead to a complete compromise of an Active Directory domain.

It should be noted that one of the issues dates from 2016 and five from 2020, and that one of the fixes made it impossible to run winbindd with the setting «allow trusted domains = no» (the developers intend to promptly publish another update to correct this).

These operations can be dangerous in the wrong hands, since any user who creates such accounts not only has the privilege to create them and set their passwords, but also to rename them later; the only restriction is that the new name must not match an existing samAccountName.

When Samba acts as a member of an AD domain and accepts a Kerberos ticket, it must map the information found there to a UNIX user ID (uid). This is done through the account name in the Active Directory Privileged Attribute Certificate (PAC) generated by Kerberos, or through the account name in the ticket itself (if no PAC is present).

For example, Samba will try to look up the user "DOMAIN\user" before trying to look up the user "user". If the lookup of DOMAIN\user fails, privilege escalation becomes possible.
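The two-step lookup described above can be modelled in a few lines. The following is an added illustration, not Samba's or winbind's own code: it assumes a constructed local passwd table and a constructed winbind idmap, and a simplified model in which the qualified lookup may fail for any reason (an idmap or trust problem). It shows why a fallback from "DOMAIN\user" to the bare local name "user" is dangerous, what the hardened lookup (no fallback, as in the fixed releases) returns instead, and a small audit helper a defender could run over mapping events to find the cases that would have landed on a privileged local account.

```python
"""Added example (not Samba's code): PAC account name -> UNIX uid mapping.

LOCAL_PASSWD and WINBIND_IDMAP are constructed sample data for a
hypothetical domain member host; real winbind allocates domain uids from
its configured idmap ranges.
"""
from typing import Optional

# Constructed local user database (name -> uid) on the domain member.
LOCAL_PASSWD = {
    "root": 0,
    "daemon": 1,
    "alice": 1000,
}

# Constructed winbind view of domain accounts: "DOMAIN\\name" -> uid.
# Note that "EXAMPLE\\root" is deliberately absent to model a failed
# qualified lookup (assumption for the example).
WINBIND_IDMAP = {
    "EXAMPLE\\alice": 100001,
    "EXAMPLE\\bob": 100002,
}

PRIVILEGED_UID_CEILING = 1000  # uids below this are system accounts here


def map_pac_account_to_uid(domain: str, account: str,
                           allow_local_fallback: bool) -> Optional[int]:
    """Return the UNIX uid for an account named in a Kerberos PAC.

    Step 1: look up the fully qualified name DOMAIN\\account via winbind.
    Step 2 (only if allow_local_fallback): retry the bare account name in
    the local passwd table. This second step is the unsafe behaviour the
    article describes; the hardened variant returns None instead, so the
    session is refused rather than mapped to an unrelated local user.
    """
    qualified = f"{domain.upper()}\\{account}"
    uid = WINBIND_IDMAP.get(qualified)
    if uid is not None:
        return uid
    if allow_local_fallback:
        return LOCAL_PASSWD.get(account)
    return None


def audit_fallback_risk(events):
    """Given (domain, account) pairs seen in accepted tickets, return those
    whose qualified lookup fails and whose bare name would map onto a
    privileged local uid if the fallback were enabled. A defender can run
    this over authentication logs to spot accounts worth investigating."""
    risky = []
    for domain, account in events:
        if map_pac_account_to_uid(domain, account, False) is not None:
            continue  # qualified lookup works; no fallback would occur
        local_uid = LOCAL_PASSWD.get(account)
        if local_uid is not None and local_uid < PRIVILEGED_UID_CEILING:
            risky.append((domain, account, local_uid))
    return risky


if __name__ == "__main__":
    # Constructed sample of account names seen in accepted tickets.
    seen = [("EXAMPLE", "alice"), ("EXAMPLE", "bob"), ("EXAMPLE", "root")]
    for d, a in seen:
        print(d, a, "fallback:", map_pac_account_to_uid(d, a, True),
              "hardened:", map_pac_account_to_uid(d, a, False))
    print("risky:", audit_fallback_risk(seen))
```

With the fallback enabled, a domain account that happens to be named "root" and fails the qualified lookup is mapped to local uid 0; with the fallback disabled the same ticket maps to nothing and the audit helper flags the pair for review.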

For those not familiar with Samba, it is a project that continues development of the Samba 4.x branch with a full implementation of a domain controller and Active Directory service, compatible with the Windows 2000 implementation and able to serve all versions of Windows clients supported by Microsoft, including Windows 10.

Samba 4 is a multi-purpose server product that also provides a file server, a print service and an authentication server (winbind).

Among the vulnerabilities removed in the released updates, the following are mentioned:

  • CVE-2020-25717: Due to a flaw in the logic that maps domain users to local system users, an Active Directory domain user who is able to create new accounts on their machine, within the limit set by ms-DS-MachineAccountQuota, could obtain root on other systems joined to the domain.
  • CVE-2021-3738: Access to already freed memory (use-after-free) in the Samba AD DC RPC server implementation (dsdb), which could lead to privilege escalation when manipulating connection settings.
  • CVE-2016-2124: Client connections established over the SMB1 protocol could be made to send authentication parameters in plain text or via NTLM (for example, to obtain credentials in a MITM attack), even when the user or application is configured to authenticate only via Kerberos.
  • CVE-2020-25722: Adequate storage access checks were not performed on a Samba-based Active Directory domain controller, allowing any user to bypass credentials and fully compromise the domain.
  • CVE-2020-25718: Kerberos tickets issued by an RODC (read-only domain controller) were not correctly isolated by a Samba-based Active Directory domain controller, which could be used to obtain administrator tickets from the RODC without the authority to do so.
  • CVE-2020-25719: A Samba-based Active Directory domain controller did not always take the SID and PAC in Kerberos tickets into account together (with "gensec:require_pac = true" set, only the name was checked and the PAC was not considered), which allowed a user with the right to create accounts on the local machine to impersonate another user, including a privileged one.
  • CVE-2020-25721: For users authenticated via Kerberos, unique Active Directory identifiers (objectSid) were not always issued, which could lead to user collisions.
  • CVE-2021-23192: In a MITM attack it was possible to spoof fragments in large DCE/RPC requests that had been split into several parts.

Finally, if you want to know more about this, you can consult the details at the following link.

