ProHoster > Ibhulogi > iindaba ze-intanethi > Ukuba sesichengeni kwiSamba evumela nawuphi na umsebenzisi ukuba atshintshe igama eliyimfihlo

Ukuba sesichengeni kwiSamba evumela nawuphi na umsebenzisi ukuba atshintshe igama eliyimfihlo

Ukukhutshwa okuLungileyo kwe-Samba 4.16.4, 4.15.9 kunye ne-4.14.14 kupapashiwe, ukuphelisa ubuthathaka obu-5. Ukukhutshwa kohlaziyo lwephakheji kunikezelo kunokulandelwa kumaphepha: Debian, Ubuntu, RHEL, SUSE, Arch, FreeBSD.

Umngcipheko oyingozi kakhulu (i-CVE-2022-32744) ivumela abasebenzisi besizinda se-Active Directory ukuba batshintshe igama eliyimfihlo lanoma yimuphi umsebenzisi, kubandakanywa ukukwazi ukutshintsha igama eliyimfihlo lomlawuli kunye nokufumana ulawulo olupheleleyo kwi-domain. Ingxaki ibangelwa yi KDC yokwamkela izicelo ze kpasswd ezifihliweyo ngalo naliphi na isitshixo esaziwayo.

Umhlaseli onokufikelela kwi-domain angathumela isicelo sobuqhetseba sokuseta igama eligqithisiweyo elitsha egameni lomnye umsebenzisi, elifihlayo ngesitshixo sakhe, kwaye i-KDC iya kuyiqhuba ngaphandle kokukhangela ukuba isitshixo sihambelana ne-akhawunti. Izitshixo zabalawuli besizinda sokufunda kuphela (i-RODCs) abangenalo igunya lokutshintsha amagama ayimfihlo nawo angasetyenziselwa ukuthumela izicelo zobuxoki. Njengendlela yokusebenza, ungakhubaza inkxaso yeprotocol ye kpasswd ngokongeza ilayini "kpasswd port = 0" kwi smb.conf.

Obunye ubuthathaka:

  • I-CVE-2022-32746 - Abasebenzisi be-Active Directory, ngokuthumela i-LDAP eyenziwe ngokukhethekileyo "yongeza" okanye "ukuguqula" izicelo, inokubangela ukusetyenziswa kwememori yokusetyenziswa emva kwe-free kwinkqubo yeseva. Ingxaki ibangelwa yinto yokuba imodyuli yokuloga yophicotho ifikelela imixholo yomyalezo we-LDAP emva kokuba imodyuli yedatha ikhulule imemori eyabelwe umyalezo. Ukwenza uhlaselo, kufuneka ube namalungelo okongeza okanye ukuguqula iimpawu ezithile ezikhethekileyo, ezifana nomsebenzisiAccountControl.
  • I-CVE-2022-2031 Abasebenzisi be-Active Directory banokudlula izithintelo ezithile kumlawuli wesizinda. I-KDC kunye nenkonzo ye-kpasswd inamandla okucima amatikiti omnye komnye, kuba babelana ngeseti efanayo yezitshixo kunye neeakhawunti. Ngokufanelekileyo, umsebenzisi ocele utshintsho lwephasiwedi unokusebenzisa itikiti elifunyenweyo ukufikelela kwezinye iinkonzo.
  • I-CVE-2022-32745 Abasebenzisi be-Active Directory banokubangela ukuba inkqubo yeseva iphazamiseke ngokuthumela i-LDAP "yongeza" okanye "ukuguqula" izicelo ezifikelela kwidatha engasetyenziswanga.
  • I-CVE-2022-32742-Ulwazi oluvuzayo malunga nemixholo yememori yeseva ngokusetyenziswa kweprotocol ye-SMB1. Umthengi we-SMB1 onofikelelo lokubhala kugcino okwabelwana ngalo angenza iimeko zokubhala iinxalenye zenkqubo yomncedisi imixholo yenkumbulo kwifayile okanye ukuyithumela kumshicileli. Uhlaselo lwenziwa ngokuthumela isicelo "sokubhala" esibonisa uluhlu olungalunganga. Ingxaki ichaphazela kuphela amasebe e-Samba ukuya kwi-4.11 (kwisebe le-4.11, inkxaso ye-SMB1 ikhutshaziwe ngokungagqibekanga).

umthombo: opennet.ru

Yongeza izimvo