Samba receives patch updates that fix 8 vulnerabilities

Patch updates were recently released for several Samba branches, namely versions 4.15.2, 4.14.10 and 4.13.14. They carry fixes for 8 vulnerabilities, most of which could lead to a complete compromise of an Active Directory domain.

It is worth noting that one of the issues carries a 2016 CVE identifier and five carry 2020 identifiers, even though they are only being fixed now. One of the fixes also made winbindd unable to run in configurations that set «allow trusted domains = no» (the developers intend to quickly release a further update to correct this).

The ability to create machine accounts in the domain (which ordinary domain users have by default, up to the ms-DS-MachineAccountQuota limit) can be very dangerous in the wrong hands: the user who creates such an account has broad rights not only to create it and set its password, but also to rename it later, with the only restriction being that the new name may not match an existing samAccountName.

When Samba runs as an AD domain member and accepts a Kerberos ticket, it has to map the information found in that ticket to a local UNIX user ID (uid). This is currently done using the account name from the Active Directory Privilege Attribute Certificate (PAC) carried in the Kerberos ticket, or the account name in the ticket itself (when no PAC is present).

For example, Samba first tries to look up the user "DOMAIN\user" and only then falls back to looking up the bare name "user". If the DOMAIN\user lookup fails, the fallback resolves the bare name against the local system's account database, so privilege escalation becomes possible whenever that name coincides with a local account.
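The lookup order described above can be modelled in a few lines. The following is an added example written for this page, not Samba's own code: the domain table standing in for winbind, the local table standing in for /etc/passwd, and the ticket and PAC dictionaries are all constructed here, and the strict variant simply refuses the bare-name fallback to show the difference in outcome (it is an illustration of the mapping logic, not Samba's actual patch).

```python
# Added example (not Samba's code): model of the domain-member
# "DOMAIN\user, then bare user" mapping, with the bare-name fallback
# that makes the lookup dangerous and a strict variant that refuses it.

# Constructed winbind-style view of the domain: DOMAIN\name -> uid.
# winbind allocates these from an idmap range, so they never overlap
# with uids of local system accounts.
DOMAIN_USERS = {
    "EXAMPLE\\alice": 10001,
    "EXAMPLE\\workstation1$": 10002,
}

# Constructed local account database (what getpwnam() would answer).
LOCAL_USERS = {
    "root": 0,
    "daemon": 1,
    "bob": 1000,
}


class MappingError(Exception):
    """No acceptable uid exists for the authenticated principal."""


def account_name_from_ticket(pac, ticket):
    """The name Samba maps: the PAC's account name if a PAC is present,
    otherwise the client name from the ticket itself."""
    if pac and pac.get("account_name"):
        return pac["account_name"]
    return ticket["cname"]


def map_to_uid(domain, pac, ticket, allow_bare_fallback=True):
    """Map a Kerberos principal to a local uid.

    allow_bare_fallback=True reproduces the lookup order in the text:
    DOMAIN\\name first, then the unqualified name against LOCAL_USERS.
    allow_bare_fallback=False stops after the qualified lookup.
    """
    name = account_name_from_ticket(pac, ticket)
    qualified = f"{domain}\\{name}"
    uid = DOMAIN_USERS.get(qualified)
    if uid is not None:
        return uid
    if not allow_bare_fallback:
        raise MappingError(f"{qualified} not found; bare-name lookup refused")
    # Dangerous step: an unqualified name is resolved against the *local*
    # account database, so a domain principal whose name does not resolve
    # as DOMAIN\name but matches a local account inherits that local uid.
    uid = LOCAL_USERS.get(name)
    if uid is None:
        raise MappingError(f"no account for {qualified} or {name}")
    return uid


def resolve_or_none(domain, pac, ticket, allow_bare_fallback=True):
    """Convenience wrapper: uid on success, None when mapping is refused."""
    try:
        return map_to_uid(domain, pac, ticket, allow_bare_fallback)
    except MappingError:
        return None


if __name__ == "__main__":
    # A normal domain user resolves via the qualified lookup either way.
    alice_ticket = {"cname": "alice"}
    alice_pac = {"account_name": "alice"}
    print("alice ->", map_to_uid("EXAMPLE", alice_pac, alice_ticket))

    # Constructed case: a ticket naming "root" with no PAC. No EXAMPLE\root
    # exists, so the fallback hands the principal the local root uid.
    root_ticket = {"cname": "root"}
    print("fallback  ->", resolve_or_none("EXAMPLE", None, root_ticket))
    print("strict    ->", resolve_or_none("EXAMPLE", None, root_ticket,
                                          allow_bare_fallback=False))
```

The point of the strict variant is that a failed DOMAIN\name lookup is treated as an authentication failure rather than as a reason to consult the local passwd database; whatever the real fix does in detail, that is the property a domain member needs so that a name chosen by an attacker inside the domain can never select a local uid.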

For those unfamiliar with Samba: it is a project that continues the development of the Samba 4.x branch with a full implementation of a domain controller and Active Directory services, compatible with the Windows 2000 implementation and able to serve every version of Windows client supported by Microsoft, including Windows 10.

Samba 4 is a multifunctional server product that also provides a file server, a print service and an authentication server (winbind).

Among the vulnerabilities fixed in the released updates, the following are mentioned:

  • CVE-2020-25717: Due to a flaw in the logic that maps domain users to local system users, an Active Directory domain user who is allowed to create new accounts in the domain (governed by ms-DS-MachineAccountQuota) could obtain root access on other systems joined to the domain.
  • CVE-2021-3738: Access to an already freed memory region (use-after-free) in the Samba AD DC RPC server (dsdb) implementation, which could lead to privilege escalation when manipulating connection settings.
  • CVE-2016-2124: Client connections established over the SMB1 protocol could be downgraded to sending authentication parameters in clear text or via NTLM (for example, to obtain credentials in a MITM attack), even when the user or application is configured to require Kerberos authentication.
  • CVE-2020-25722: The Samba-based Active Directory domain controller did not perform adequate access checks on stored data, allowing any user to bypass those checks and completely compromise the domain.
  • CVE-2020-25718: Kerberos tickets issued by an RODC (read-only domain controller) were not properly isolated on the Samba-based Active Directory domain controller, which could be used to obtain administrator tickets from an RODC without being authorised to do so.
  • CVE-2020-25719: The Samba-based Active Directory domain controller did not always consider the SID and PAC fields in Kerberos tickets together (with "gensec:require_pac = true" set, only the name was taken into account and not the PAC), allowing a user with the right to create accounts on the local system to impersonate another domain user, including a privileged one.
  • CVE-2020-25721: For users authenticated via Kerberos, Active Directory unique identifiers (objectSid) were not always issued, which could lead to one user being confused with another.
  • CVE-2021-23192: During a MITM attack it was possible to spoof fragments of large DCE/RPC requests that had been split into several parts.

Finally, if you would like to know more about it, you can consult the details at the following link.

