Iipatches zeSamba 4.15.2, 4.14.10, kunye ne-4.13.14 zipapashwe, zijongana nobuthathaka obusibhozo, uninzi lwazo olunokukhokelela ekungxengweni ngokupheleleyo kwedomeyini ye-Active Directory. Okuphawulekayo kukuba, enye yeengxaki ilungisiwe ukusukela ngo-2016, kwaye ezintlanu ukusukela ngo-2020. Nangona kunjalo, ipatch enye ithintele i-winbindd ekusebenzeni xa useto lwe-"vumela iidomeyini ezithembekileyo = hayi" luvuliwe (abaphuhlisi baceba ukupapasha ngokukhawuleza olunye uhlaziyo olunokulungiswa). Ukukhutshwa kohlaziyo lweephakheji kulwabiwo kunokulandelwa kula maphepha alandelayo: Debian, Ubuntu, RHEL, SUSE, Fedora, Arch, FreeBSD.
Ubuthathaka obuzinzileyo:
- I-CVE-2020-25717 - Ngenxa yesiphene kwingqiqo yokudibanisa abasebenzisi bedomeyini kubasebenzisi benkqubo yendawo, umsebenzisi wedomeyini ye-Active Directory onokukwazi ukwenza iiakhawunti ezintsha kwinkqubo yakhe, elawulwa nge-ms-DS-MachineAccountQuota, unokufumana ukufikelela kweengcambu kwezinye iinkqubo ezikwidomeyini. Isizinda.
- I-CVE-2021-3738 - Ukufikelela kwindawo esele ikhululiwe yememori (Sebenzisa emva kwesimahla) ekuphunyezweni kweseva ye-Samba AD DC RPC (dsdb), enokuthi ikhokelele ekunyukeni kwamalungelo xa kusenziwa uqhagamshelo.
- I-CVE-2016-2124 - Uqhagamshelwano lwabathengi olusekwe kusetyenziswa i-SMB1 protocol inokutshintshwa ukuba idlulise iiparameters zokuqinisekisa kwisicatshulwa esicacileyo okanye nge-NTLM (umzekelo, ukugqiba iziqinisekiso xa wenza uhlaselo lwe-MITM), nokuba umsebenzisi okanye isicelo sinesiqinisekiso esisinyanzelo nge-Kerberos. .
- I-CVE-2020-25722 - Umlawuli wesizinda se-Active Directory esekwe kwi-Samba wayengenzi iitshekhi ezifanelekileyo zokufikelela kwidatha egciniweyo, evumela nawuphi na umsebenzisi ukuba adlulele kwiitshekhi zokugunyazisa kwaye athobe ngokupheleleyo i-domain.
- I-CVE-2020-25718 - Amathikithi e-Kerberos akhutshwe yi-RODCs (abalawuli besizinda sokufunda kuphela) babengabodwa ngokuchanekileyo kwi-Samba-based Active Directory domain controller, engasetyenziselwa ukufumana amathikithi omlawuli kwi-RODC ngaphandle kwemvume yokwenza njalo.
- I-CVE-2020-25719 - Umlawuli wesizinda se-Active Directory esekwe kwi-Samba akasoloko ethathela ingqalelo imimandla ye-SID kunye ne-PAC kumatikiti e-Kerberos ekudibaneni (xa kumiselwa "gensec:require_pac = true", kuphela igama eliye lakhangelwa, kwaye iPAC yabanjwa. ayithathelwa ngqalelo), eyavumela umsebenzisi , onelungelo lokudala ii-akhawunti kwinkqubo yendawo, azenze omnye umsebenzisi kwi-domain, kuquka abanelungelo.
- I-CVE-2020-25721 - Abasebenzisi abaqinisekisiweyo kusetyenziswa i-Kerberos bebengasoloko benikwa izichongi ezizodwa ze-Active Directory (objectSid), ezinokukhokelela ekugqityweni komsebenzisi omnye nomnye.
- I-CVE-2021-23192 - Ngexesha lokuhlaselwa kwe-MITM, kwakunokwenzeka ukuphanga iziqwenga kwizicelo ezinkulu ze-DCE / RPC eziye zahlulwa zibe ngamacandelo amaninzi.
umthombo: opennet.ru
