The Netlogon ZeroLogon vulnerability in Windows also affects Samba

The Samba project developers recently published an announcement for users about the «ZeroLogon» vulnerability discovered in Windows (CVE-2020-1472), which has also been shown to affect domain controller implementations based on Samba.

The vulnerability is caused by flaws in the MS-NRPC protocol and in the AES-CFB8 mode of operation, and if exploited successfully it allows an attacker to obtain administrator privileges on the domain controller.

The core of the vulnerability is that MS-NRPC (Netlogon Remote Protocol) allows the exchange of authentication data to fall back to an RPC connection without encryption.

An attacker can then use a flaw in the AES-CFB8 algorithm to spoof a successful login. On average, about 256 spoofing attempts are needed to log in with administrator rights.

The attack does not require a working account on the domain controller; the impersonation attempts can be made with an incorrect password.

The NTLM authentication request is redirected to the domain controller, which returns an access denied response, but the attacker can spoof that response and the attacked system will treat the login as successful.

An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploits the vulnerability could run a specially crafted application on a device on the network.

To exploit the vulnerability, an unauthenticated attacker would need to use MS-NRPC to connect to a domain controller in order to obtain domain administrator access.

In Samba, the vulnerability only appears on systems that do not use the "server schannel = yes" setting, which has been the default since Samba 4.8.

In particular, systems with the settings "server schannel = no" and "server schannel = auto" can be compromised, because those settings allow Samba to use the same flaws in the AES-CFB8 algorithm as Windows does.

When the reference exploit prototype prepared for Windows is used, only the ServerAuthenticate3 call fires against Samba and the ServerPasswordSet2 operation fails (the exploit requires adaptation for Samba).

That is why the Samba developers urge users who have changed "server schannel = yes" to "no" or "auto" to return to the default setting "yes" and thereby avoid the vulnerability.
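A small audit script for the setting discussed above, added here as an example (it is not code from the Samba project or from the original article). It reads the [global] section of an smb.conf, reports the effective "server schannel" value, and treats "no" and "auto" as vulnerable. The sample configurations are constructed, and the pre-4.8 default of "auto" is an assumption used only to classify a configuration that leaves the parameter unset.

```python
"""Classify the effective 'server schannel' setting of a Samba smb.conf
with respect to CVE-2020-1472 (ZeroLogon). Example code, not Samba's own."""
import re
from typing import Optional, Tuple

# Constructed sample configurations (not taken from any real deployment).
SAFE_CONF = """
[global]
    workgroup = EXAMPLE
    server role = active directory domain controller
    server schannel = yes
"""

WEAK_CONF = """
[global]
    workgroup = EXAMPLE
    server role = active directory domain controller
    ; relaxed for an old client; this re-opens ZeroLogon
    server schannel = auto
"""

UNSET_CONF = """
[global]
    workgroup = EXAMPLE
    server role = active directory domain controller
"""


def global_setting(conf: str, name: str) -> Optional[str]:
    """Return the value of `name` from the [global] section, or None if unset.
    Samba ignores case and internal spaces in parameter names; the last
    occurrence of a parameter wins."""
    wanted = name.replace(" ", "").lower()
    section = None
    value = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # whole-line comments
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, val = line.split("=", 1)
        if key.replace(" ", "").lower() == wanted:
            value = val.strip()
    return value


def schannel_verdict(conf: str, samba_version: Tuple[int, int]) -> Tuple[bool, str]:
    """Return (is_safe, reason). Assumption: the default is 'yes' from
    Samba 4.8 onward (as the article states) and 'auto' before that."""
    explicit = global_setting(conf, "server schannel")
    if explicit is None:
        effective = "yes" if samba_version >= (4, 8) else "auto"
        source = "default"
    else:
        effective = explicit.lower()
        source = "explicit"
    # Samba accepts yes/true/1 as boolean true; anything else ('no', 'auto')
    # leaves the flawed unencrypted fallback reachable.
    safe = effective in ("yes", "true", "1")
    state = "SAFE" if safe else "VULNERABLE"
    return safe, f"{state} ({source}: server schannel = {effective})"


if __name__ == "__main__":
    for label, conf in (("safe", SAFE_CONF), ("weak", WEAK_CONF), ("unset", UNSET_CONF)):
        print(label, schannel_verdict(conf, (4, 12))[1])
    print("unset on 4.7", schannel_verdict(UNSET_CONF, (4, 7))[1])
```

Run it against the real smb.conf of each domain controller by passing the file contents and the installed Samba version; the interesting case is an unset parameter on a 4.7 or older package, where the default rather than an explicit line is what makes the host vulnerable.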

Nothing has been reported about the effectiveness of other approaches, although attempts to attack systems can be tracked by looking for entries mentioning ServerAuthenticate3 and ServerPasswordSet in Samba's audit logs.
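A detector for the pattern mentioned above, added here as an example and not taken from the article or from Samba. It streams log lines, counts ServerAuthenticate3 calls per client inside a sliding time window (a burst of hundreds of calls from one client is what the ~256 average attempts would look like), and additionally flags a ServerPasswordSet call that follows such a burst. The log line format and the sample lines are constructed for this example; adapt the regular expression to the format your Samba audit logging actually emits.

```python
"""Flag ZeroLogon-style bursts of ServerAuthenticate3 calls in audit logs.
Example code with a constructed log format; not Samba's own tooling."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed (constructed) log line shape:
#   <iso-timestamp> [NETLOGON] client=<ip> op=<rpc call> result=<status>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \[NETLOGON\] client=(?P<client>\S+) op=(?P<op>\S+) result=(?P<result>\S+)"
)


def parse(line: str) -> Optional[Dict[str, object]]:
    """Parse one line; return None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "client": m["client"],
        "op": m["op"],
        "result": m["result"],
    }


def detect(lines, window: timedelta = timedelta(seconds=60), threshold: int = 50) -> List[Tuple[str, str, object]]:
    """Return alerts as (client, kind, detail) tuples.
    kind is 'burst' when a client issues `threshold` ServerAuthenticate3
    calls within `window`, and 'password-set-after-burst' when a flagged
    client then calls ServerPasswordSet/ServerPasswordSet2."""
    alerts: List[Tuple[str, str, object]] = []
    recent: Dict[str, deque] = defaultdict(deque)
    flagged = set()
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        client, op, ts = ev["client"], ev["op"], ev["ts"]
        if op == "ServerAuthenticate3":
            q = recent[client]
            q.append(ts)
            while q and ts - q[0] > window:   # drop events outside the window
                q.popleft()
            if len(q) >= threshold and client not in flagged:
                flagged.add(client)
                alerts.append((client, "burst", len(q)))
        elif op.startswith("ServerPasswordSet") and client in flagged:
            alerts.append((client, "password-set-after-burst", op))
    return alerts


def constructed_sample() -> List[str]:
    """Build a constructed log: one benign client plus one client hammering
    ServerAuthenticate3 300 times and then calling ServerPasswordSet2."""
    t0 = datetime(2020, 9, 15, 10, 0, 0)
    fmt = "{ts} [NETLOGON] client={c} op={op} result={r}"
    lines = [fmt.format(ts=(t0 + timedelta(minutes=5 * i)).isoformat(), c="10.0.0.7",
                        op="ServerAuthenticate3", r="NT_STATUS_OK") for i in range(3)]
    for i in range(300):
        status = "NT_STATUS_OK" if i == 299 else "NT_STATUS_ACCESS_DENIED"
        lines.append(fmt.format(ts=(t0 + timedelta(milliseconds=100 * i)).isoformat(),
                                c="10.0.0.42", op="ServerAuthenticate3", r=status))
    lines.append(fmt.format(ts=(t0 + timedelta(seconds=31)).isoformat(),
                            c="10.0.0.42", op="ServerPasswordSet2", r="NT_STATUS_OK"))
    return lines


if __name__ == "__main__":
    for alert in detect(constructed_sample()):
        print(alert)
```

The threshold is deliberately well below 256 so that an attempt is caught while it is still in progress; a legitimate machine account authenticates a handful of times per session, so tens of ServerAuthenticate3 calls from one address in a minute is already anomalous.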

Microsoft is addressing the vulnerability in a two-phase rollout. The updates address the vulnerability by changing how Netlogon handles the use of Netlogon secure channels.

When the second phase of the Windows updates becomes available in Q1 2021, customers will be notified through a patch for this security vulnerability.

Finally, users of earlier Samba versions should update to the latest stable Samba release or apply the corresponding patches to resolve the situation.

Samba has some protection against this problem because, since Samba 4.8, the default value has been 'server schannel = yes'.

Users who have changed this default are warned that Samba faithfully implements the AES-based Netlogon protocol and therefore falls into the same design flaw.

Vendors supporting Samba 4.7 and earlier versions should patch their installations and packages to change this default.

Those versions are not safe and are likely to lead to a full domain compromise, particularly in AD domains.

Finally, if you want to know more about the vulnerability, you can consult the announcement published by the Samba team and the one published by Microsoft.

