Muva nje ukuvuselelwa kwephakheji yokulungisa kukhishwe ezinguqulweni ezahlukahlukene zeSamba, okwakuyizinguqulo I-4.15.2, i-4.14.10 ne-4.13.14, basebenzise izinguquko ezihlanganisa ukuqedwa kobungozi obuyi-8, okuningi kwakho okungaholela ekonakaleni okuphelele kwesizinda sohlu lwemibhalo olusebenzayo.
Kumele kuqashelwe ukuthi enye yezinkinga yalungiswa ngo-2016, futhi ezinhlanu, kusukela ngo-2020, nakuba ukulungiswa okukodwa kubangele ukungakwazi ukusebenzisa i-winbindd kuzilungiselelo zokuba khona «vumela izizinda ezethembekile = cha»(Abathuthukisi bahlose ukukhulula ngokushesha esinye isibuyekezo ukuze silungiswe).
Le misebenzi ingaba yingozi kakhulu ezandleni ezingalungile, njengoba umsebenzisi qNoma ubani odala ama-akhawunti anjalo unamalungelo abanzi hhayi nje ukuwadala futhi usethe amaphasiwedi abo, kodwa ukuze uwaqambe kabusha ngokuhamba kwesikhathi nge okuwukuphela kwemikhawulo ukuthi zingase zingafani ne-samAccountName ekhona.
Uma i-Samba isebenza njengelungu lesizinda se-AD futhi yamukela ithikithi le-Kerberos, kufanele mephu imininingwane etholakala lapho ku-ID yomsebenzisi we-UNIX yendawo (uid). Lokhu okwamanje kwenziwa ngegama le-akhawunti ku-Active Directory Isitifiketi Semfanelo Semfanelo Esenziwe I-Kerberos (PAC), noma i- igama le-akhawunti ethikithini (uma ingekho i-PAC).
Isibonelo, i-Samba izozama ukuthola umsebenzisi "DOMAIN \ user" ngaphambilini ephendukela ekuzameni ukuthola umsebenzisi "umsebenzisi". Uma usesho lwe-DOMAIN \ umsebenzisi lungahluleka, kusho ukuthi kuyilungelo ukukhuphuka kungenzeka.
Kulabo abangajwayelene ne-Samba, kufanele wazi ukuthi lena yiprojekthi eqhubeka nokwakhiwa kwegatsha le-Samba 4.x ngokuqaliswa okugcwele kwesilawuli sesizinda ne-Active Directory service, ehambisana nokusetshenziswa kweWindows 2000 futhi ekwazi ukusebenzisa zonke izinhlobo yamakhasimende weWindows asekelwa yiMicrosoft, kufaka phakathi iWindows 10.
ISamba 4, ngu umkhiqizo we-server osebenza ngemisebenzi eminingi, enikezela futhi ukwenziwa kweseva yefayela, insizakalo yokuphrinta neseva yokufakazela ubuqiniso (winbind).
Ezingozini eziye zaqedwa kuzibuyekezo ezikhishiwe, okulandelayo kuyashiwo:
- I-CVE-2020-25717- Ngenxa yephutha kumqondo wabasebenzisi besizinda sokwenza imephu kubasebenzisi besistimu yendawo, umsebenzisi wesizinda se-Active Directory onekhono lokudala ama-akhawunti amasha kusistimu yakhe, ephethwe nge-ms-DS-MachineAccountQuota, angathola ukufinyelela kwezimpande kwezinye izinhlelo ezifakiwe. esizindeni.
- I-CVE-2021-3738- Ukufinyelela endaweni yememori esivele ikhululiwe (Sebenzisa ngemva kwamahhala) ekusetshenzisweni kweseva ye-Samba AD DC RPC (dsdb), okungase kuholele ekunyukeni kwelungelo lapho ushintsha izilungiselelo zokuxhuma.
I-CVE-2016-2124- Uxhumano lweklayenti olusungulwe kusetshenziswa iphrothokholi ye-SMB1 lungadluliselwa ekudluliseleni imingcele yokuqinisekisa ngombhalo ongenalutho noma kusetshenziswa i-NTLM (isibonelo, ukuze kutholwe izifakazelo zokuhlaselwa kwe-MITM), ngisho noma umsebenzisi noma uhlelo lokusebenza lulungiselelwe njengokuqinisekisa Okuphoqelekile nge-Kerberos. - I-CVE-2020-25722- Ukuhlolwa okwanele kokufinyelela isitoreji akwenziwanga kusilawuli sesizinda se-Active Directory esisekelwe ku-Samba, okuvumela noma yimuphi umsebenzisi ukuba adlule izifakazelo futhi afake engozini ngokuphelele isizinda.
- I-CVE-2020-25718- Amathikithi e-Kerberos akhishwe i-RODC (umlawuli wesizinda sokufunda kuphela) awazange ahlukaniswe ngokufanelekile kusilawuli sesizinda se-Active Directory esisekelwe ku-Samba, esingasetshenziswa ukuthola amathikithi omlawuli ku-RODC ngaphandle kokuba negunya lokwenza lokho.
- I-CVE-2020-25719- Isilawuli sesizinda se-Active Directory esisekelwe ku-Samba asizange sihlale sicabangela izinkambu ze-SID ne-PAC kumathikithi e-Kerberos kuphakheji (uma kusetha okuthi "gensec: require_pac = true", igama kuphela kanye ne-PAC okungabalwanga), okuvumele umsebenzisi, ilungelo lokudala ama-akhawunti ohlelweni lwendawo, ukuzenza omunye umsebenzisi wesizinda, okuhlanganisa onelungelo.
- I-CVE-2020-25721: Kubasebenzisi abagunyazwe kusetshenziswa i-Kerberos, izihlonzi ezihlukile ze-Active Directory (objectSid) zazingakhishelwa ngaso sonke isikhathi, ezingaholela ekumpambanweni kwemigwaqo komsebenzisi.
- I-CVE-2021-23192- Ngesikhathi sokuhlasela kwe-MITM, bekungenzeka ukuthi kukhishwe izingcezwana ezicelweni ezinkulu ze-DCE/RPC ezahlukaniswa zaba izingxenye eziningi.
Okokugcina, uma ungathanda ukwazi okwengeziwe ngayo, ungathintana nemininingwane ku isixhumanisi esilandelayo.