Bug 1192247 (CVE-2020-25719)

Summary: VUL-0: CVE-2020-25719: samba: AD DC Username based races when no PAC is given
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: IncidentsAssignee: Novell Samba Team <samba>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: chris.randles
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/314010/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-25719:7.2:(AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Comment 4 Marcus Meissner 2021-11-10 07:58:27 UTC 
is public

https://www.samba.org/samba/security/CVE-2020-25719.html


CVE-2020-25719.html:

===========================================================
== Subject:     Samba AD DC did not always rely on the SID
==              and PAC in Kerberos tickets.
==
== CVE ID#:     CVE-2020-25719
==
== Versions:    Samba 4.0.0 and later
==
== Summary:     The Samba AD DC, could become confused about
==              the user a ticket represents if it did not
==              strictly require a Kerberos PAC and always use
==              the SIDs found within.  The result could include total
==              domain compromise.
===========================================================

===========
Description
===========

Samba as an Active Directory Domain Controller is based on Kerberos,
which provides name-based authentication.  These names are often then
used for authorization.

However Microsoft Windows and Active Direcory is SID-based.  SIDs in
Windows, similar to UIDs in Linux/Unix (if managed well) are globally
unique and survive name changes.  At the meeting of these two
authorization schemes it is possible to confuse a server into acting
as one user when holding a ticket for another.

A Kerberos ticket, once issued, may be valid for some time, often 10
hours but potentially longer.  In Active Directory, it may or may not
carry a PAC, holding the user's SIDs.

A simple example of the problem is on Samba's LDAP server, which
would, unless "gensec:require_pac = true" was set, permit a fall back
to using the name in the Kerberos ticket alone.  (All Samba AD
services fall to the same issue in one way or another, LDAP is just a
good example).

Delegated administrators with the right to create other user or
machine accounts can abuse the race between the time of ticket issue
and the time of presentation (back to the AD DC) to impersonate a
different account, including a highly privileged account.

This could allow total domain compromise.

=================
Behaviour changes
=================

Samba as an AD DC will now always issue a Kerberos PAC in the AD-REQ
and require that tickets presented back to the DC have a PAC, both in
the KDC and elsewhere.

Tickets issued by an unpatched DC that do not have a Kerberos PAC (eg
with the --no-request-pac option to MIT kerberos kinit) will be denied
after the upgrade, even if they are otherwise still valid.

This also means that the Kerberos TCP transport is likely to be
required to connect to the Samba AD DC, as a PAC is unlikely to fit in
a UDP packet.  PAC-free tickets are still supported for target
services (eg NFS), via an flag within the PAC preventing it being
put into the final ticket.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba  4.15.2, 4.14.10 and 4.13.14 have been issued
as security releases to correct the defect.  Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

This CVSSv3 calculation is assuming the other Samba issues are
addressed, and user/computer creation is an at least partially
privileged action.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (7.2)

==========
Workaround
==========


=======
Credits
=======

Originally reported by Andrew Bartlett.

Patches provided by:
 - Andrew Bartlett of Catalyst and the Samba Team.
 - Joseph Sutton of Catalyst and the Samba Team
 - Andreas Schneider of Red Hat and the Samba Team
 - Stefan Metzmacher of SerNet and the Samba Team

Advisory written by Andrew Bartlett of Catalyst

Catalyst would like to particularly thank Red Hat and SerNet for their
contribution to fixing this issue.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
Comment 5 Swamp Workflow Management 2021-11-10 20:18:43 UTC 
openSUSE-SU-2021:3647-1: An update that fixes 8 vulnerabilities is now available.

Category: security (important)
Bug References: 1014440,1192214,1192215,1192246,1192247,1192283,1192284,1192505
CVE References: CVE-2016-2124,CVE-2020-25717,CVE-2020-25718,CVE-2020-25719,CVE-2020-25721,CVE-2020-25722,CVE-2021-23192,CVE-2021-3738
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    ldb-2.2.2-3.3.1, samba-4.13.13+git.528.140935f8d6a-3.12.1
Comment 6 Swamp Workflow Management 2021-11-10 20:32:44 UTC 
SUSE-SU-2021:3647-1: An update that fixes 8 vulnerabilities is now available.

Category: security (important)
Bug References: 1014440,1192214,1192215,1192246,1192247,1192283,1192284,1192505
CVE References: CVE-2016-2124,CVE-2020-25717,CVE-2020-25718,CVE-2020-25719,CVE-2020-25721,CVE-2020-25722,CVE-2021-23192,CVE-2021-3738
JIRA References: 
Sources used:
SUSE MicroOS 5.1 (src):    ldb-2.2.2-3.3.1
SUSE Linux Enterprise Module for Python2 15-SP3 (src):    samba-4.13.13+git.528.140935f8d6a-3.12.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    ldb-2.2.2-3.3.1, samba-4.13.13+git.528.140935f8d6a-3.12.1
SUSE Linux Enterprise High Availability 15-SP3 (src):    samba-4.13.13+git.528.140935f8d6a-3.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Marcus Meissner 2022-02-05 10:02:44 UTC 
done
Comment 12 Swamp Workflow Management 2022-02-10 17:18:41 UTC 
SUSE-SU-2022:0361-1: An update that solves 11 vulnerabilities, contains one feature and has two fixes is now available.

Category: security (critical)
Bug References: 1014440,1188727,1189017,1189875,1192214,1192215,1192246,1192247,1192283,1192284,1192505,1192849,1194859
CVE References: CVE-2016-2124,CVE-2020-17049,CVE-2020-25717,CVE-2020-25718,CVE-2020-25719,CVE-2020-25721,CVE-2020-25722,CVE-2021-20254,CVE-2021-23192,CVE-2021-3738,CVE-2021-44142
JIRA References: SLE-18456
Sources used:
SUSE Enterprise Storage 7 (src):    ldb-2.2.2-4.6.1, samba-4.13.13+git.545.5897c2d94f3-3.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.