Samba receives a set of bug fixes that remove 8 vulnerabilities

The release of corrective package updates was recently announced for several versions of Samba, namely 4.15.2, 4.14.10 and 4.13.14. They implement changes that include the elimination of 8 vulnerabilities, most of which could lead to a complete compromise of an Active Directory domain.

It should be noted that one of the issues was fixed in 2016 and five since 2020, although one of the fixes made it impossible to run winbindd with the configuration setting "allow trusted domains = no" (the developers intend to quickly release another update to correct this).

This functionality can be dangerous in the wrong hands, since any user who creates such accounts has broad privileges not only to create them and set their passwords, but also to rename them later, the only restriction being that the new name must not collide with an existing samAccountName.

When Samba operates as an AD domain member and accepts a Kerberos ticket, it must map the information found there to a local UNIX user ID (uid). This is currently done using the account name in the Kerberos Privilege Attribute Certificate (PAC) generated by Active Directory, or the account name in the ticket (if there is no PAC).

For example, Samba will try to find the user "DOMAIN\user" before falling back to trying to find the user "user". If the lookup of DOMAIN\user can fail, privilege escalation is possible.
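To make the mapping flaw described above concrete, here is an added example (not code from the article or from the Samba project) that simulates the two lookup strategies: the old behaviour that falls back to the unqualified local name when the DOMAIN\user lookup fails, and a hardened variant that never falls back and additionally refuses any uid below a domain-uid floor. The account tables and the floor value are constructed for the example and are assumptions, not Samba's real data or parameters.

```python
from typing import Optional

# Constructed sample data: local UNIX accounts and the accounts that a domain
# lookup (winbind in a real deployment) would resolve. "root" exists locally
# but has no resolvable entry in the domain table.
LOCAL_PASSWD = {"root": 0, "alice": 1000}
DOMAIN_ACCOUNTS = {"alice": 100001, "svc-backup": 100002}
MIN_DOMAIN_UID = 100000  # assumed floor: no domain user may map below this


def domain_lookup(domain: str, name: str) -> Optional[int]:
    """Simulate resolving DOMAIN\\name to a uid; None when the lookup fails."""
    if not domain:
        return None
    return DOMAIN_ACCOUNTS.get(name)


def map_vulnerable(principal: str) -> Optional[int]:
    """Pre-fix logic as the article describes it: try DOMAIN\\user, then
    fall back to looking up the bare name in the local passwd database."""
    domain, _, name = principal.partition("\\")
    uid = domain_lookup(domain, name)
    if uid is None:
        # The fallback is the problem: a domain account name that happens to
        # match a local account now maps onto that local uid.
        uid = LOCAL_PASSWD.get(name)
    return uid


def map_hardened(principal: str) -> Optional[int]:
    """Hardened logic: a failed DOMAIN\\user lookup is a hard failure, and a
    uid below the domain floor is rejected rather than trusted."""
    domain, _, name = principal.partition("\\")
    uid = domain_lookup(domain, name)
    if uid is None or uid < MIN_DOMAIN_UID:
        return None  # deny the session instead of guessing a local account
    return uid


if __name__ == "__main__":
    for who in ("DOMAIN\\root", "DOMAIN\\alice"):
        print(who, "vulnerable ->", map_vulnerable(who),
              "| hardened ->", map_hardened(who))
```

The "DOMAIN\root" case shows the escalation path: the vulnerable mapper returns uid 0, the hardened mapper returns None and the session is refused.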

For those unfamiliar with Samba, it is worth knowing that this project continues the development of the Samba 4.x branch with a full implementation of a domain controller and Active Directory service, compatible with the Windows 2000 implementation and able to serve all versions of Windows clients supported by Microsoft, including Windows 10.

Samba 4 is a multi-purpose server product that also provides an implementation of a file server, a print service and an authentication server (winbind).

Of the vulnerabilities removed in the released update, the following are mentioned:

  • CVE-2020-25717: Due to a flaw in the logic that maps domain users to local system users, an Active Directory domain user who is able to create new accounts on their system, governed by ms-DS-MachineAccountQuota, could obtain root access on other systems that are members of the domain.
  • CVE-2021-3738: Access to an already freed memory region (use after free) in the Samba AD DC RPC (dsdb) server implementation, which could lead to privilege escalation when manipulating connection settings.
  • CVE-2016-2124: Client connections established with the SMB1 protocol could be downgraded to passing authentication parameters in clear text or via NTLM (for example, to obtain credentials in an MITM attack), even when the user or application is configured to require authentication via Kerberos.
  • CVE-2020-25722: Adequate storage access checks were not performed on a Samba-based Active Directory domain controller, allowing any user to bypass credential checks and completely compromise the domain.
  • CVE-2020-25718: Kerberos tickets issued by an RODC (read-only domain controller) were not properly isolated by a Samba-based Active Directory domain controller, which could be used to obtain administrator tickets from an RODC without being authorized to do so.
  • CVE-2020-25719: A Samba-based Active Directory domain controller did not always take into account the SID and PAC fields in Kerberos tickets (with the setting "gensec:require_pac = true", only the name was checked and the PAC was ignored), allowing a user who has the right to create accounts on the local system to impersonate another domain user, including a privileged one.
  • CVE-2020-25721: For users authenticated via Kerberos, unique Active Directory identifiers (objectSid) were not always issued, which could lead to user collisions.
  • CVE-2021-23192: During an MITM attack, it was possible to spoof fragments in large DCE/RPC requests that were split into multiple parts.

Finally, if you are interested in learning more about it, you can check the details at the following link.
