Bug 1192505 - (CVE-2020-25721) VUL-0: CVE-2020-25721: samba: Kerberos acceptors need easy access to stable AD identifiers (eg objectSid)
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Novell Samba Team
Security Team bot
https://smash.suse.de/issue/314528/
CVSSv3.1:SUSE:CVE-2020-25721:7.6:(AV:...
Depends on:
Blocks:
Reported: 2021-11-09 10:42 UTC by Robert Frohl
Modified: 2022-08-03 15:38 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Comment 3 Marcus Meissner 2021-11-10 07:59:58 UTC
is public

https://www.samba.org/samba/security/CVE-2020-25721.html


CVE-2020-25721.html:

=============================================================
== Subject:     Kerberos acceptors need easy access to stable
==              AD identifiers (eg objectSid)
==
== CVE ID#:     CVE-2020-25721
==
== Versions:    All versions of Samba since Samba 4.0.0
==
== Summary:     Samba as an AD DC now provides a way for Linux
==              applications to obtain a reliable SID (and
==              samAccountName) in issued tickets.
=============================================================

===========
Description
===========

In order to avoid issues like CVE-2020-25717, AD Kerberos accepting
services need access to unique, and ideally long-term stable,
identifiers of a user to perform authorization.

The AD PAC provides this, but the most useful information is kept in a
buffer which is NDR encoded, which means that so far in Free Software
only Samba and applications which use Samba components under the hood,
like FreeIPA and SSSD, decode the PAC.

Recognising that the issues seen in Samba are not unique, Samba now
provides an extension to UPN_DNS_INFO, a component of the AD PAC, in a
way that can be parsed using basic pointer handling.

From this, future non-Samba based Kerberised applications can easily obtain
the user's SID, in the same packing as objectSID in LDAP, confident
that the ticket represents a specific user, no matter subsequent
renames.

This will allow such non-Samba applications to avoid confusing one
Kerberos user for another, even if they have the same string name (due
to the gap between time of ticket printing by the KDC and time of
ticket acceptance).

The protocol deployment weakness, as demonstrated with the
CVE-2020-25717 in Samba when deployed in Active Directory, leaves most
Linux and UNIX applications only to rely on the "client name" from the
Kerberos ticket. When the "client name" as seen by the KDC is under an
attacker's control across multiple Kerberos requests, such applications
need additional information to correlate the client name across
those requests.

Directories where only full administrators can create users are not
the concern, the concern is where that user/computer creation right is
delegated in some way, explicitly or via ms-DS-MachineAccountQuota.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.15.2, 4.14.10 and 4.13.14 have been issued
as security releases to correct the defect.  Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

A patch has been written for Heimdal Kerberos to use this feature, and
will be published for possible inclusion shortly after Samba's
security release.

==================
CVSSv3 calculation
==================

The impact of doing authorization with the string Kerberos cname name
varies by accepting application.

==========
Workaround
==========

It would be prudent to pre-create disabled users in Active Directory
matching on all privileged names not held in Active Directory, eg

 samba-tool user add root -H ldap://$SERVER -U$USERNAME%$PASSWORD --random-password
 samba-tool user add ubuntu -H ldap://$SERVER -U$USERNAME%$PASSWORD --random-password
 ...
 (repeat for eg all system users under 1000 in /etc/passwd or special
 to any other AD-connected services, eg perhaps "admin" for a web-app)

If running a Microsoft Windows Active Directory, setting
ms-DS-MachineAccountQuota to 0 in the Active Directory domain would
be advised, if possible.

===========================
Credits and further reading
===========================

Originally reported by Andrew Bartlett.

Patches provided by Andrew Bartlett and Joseph Sutton of Catalyst and
the Samba team.

Andrew wishes to give much thanks to NetSPI for the blog
"MachineAccountQuota is USEFUL Sometimes: Exploiting One of Active
Directory's Oddest Settings" by Kevin Robertson[1], on which the full
horror of MachineAccountQuota became clear.

[1] https://www.netspi.com/blog/technical/network-penetration-testing/machineaccountquota-is-useful-sometimes/


==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
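Added example, not code from Samba or from the advisory above: a parser for the UPN_DNS_INFO PAC buffer using the plain offset/length layout from MS-PAC section 2.10, which is the "basic pointer handling" the advisory refers to, including the extension fields that carry the samAccountName and the SID in the same binary packing as objectSid in LDAP. The flag constant names, the sample user "alice" and its SID are constructed for this example; only the wire layout and the 0x1/0x2 flag bits come from MS-PAC.

```python
import struct

# UPN_DNS_INFO flag bits from MS-PAC section 2.10 (constant names are ours)
FLAG_UPN_NOT_CONSTRUCTED = 0x1   # "U": account has an explicit UPN
FLAG_HAS_SAM_NAME_AND_SID = 0x2  # "S": SamName and Sid fields are present

def _field(buf, off, length):
    """Bounds-checked slice; offsets are relative to the buffer start."""
    if off + length > len(buf):
        raise ValueError("UPN_DNS_INFO field points outside the buffer")
    return buf[off:off + length]

def sid_to_string(raw):
    """Binary SID (same packing as objectSid in LDAP) -> 'S-1-5-21-...'."""
    rev, count = raw[0], raw[1]
    if rev != 1 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")        # 48-bit big-endian
    subs = struct.unpack_from("<%dI" % count, raw, 8)  # little-endian sub-authorities
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)

def parse_upn_dns_info(buf):
    """Parse with plain offsets; sam_name and sid are present only when S is set."""
    upn_len, upn_off, dns_len, dns_off, flags = struct.unpack_from("<HHHHI", buf, 0)
    info = {
        "upn": _field(buf, upn_off, upn_len).decode("utf-16-le"),
        "dns_domain": _field(buf, dns_off, dns_len).decode("utf-16-le"),
        "flags": flags,
    }
    if flags & FLAG_HAS_SAM_NAME_AND_SID:
        sam_len, sam_off, sid_len, sid_off = struct.unpack_from("<HHHH", buf, 12)
        info["sam_name"] = _field(buf, sam_off, sam_len).decode("utf-16-le")
        info["sid"] = sid_to_string(_field(buf, sid_off, sid_len))  # stable identifier
    return info

def build_sample(with_sid=True):
    """Constructed buffer for a hypothetical user 'alice' (not captured data)."""
    upn, dns, sam = (s.encode("utf-16-le") for s in ("alice@EXAMPLE.COM", "EXAMPLE.COM", "alice"))
    sid = bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack("<5I", 21, 1, 2, 3, 1104)
    hdr = 20 if with_sid else 12            # header grows by 8 bytes with the S extension
    upn_off, dns_off = hdr, hdr + len(upn)
    sam_off, sid_off = dns_off + len(dns), dns_off + len(dns) + len(sam)
    buf = struct.pack("<HHHHI", len(upn), upn_off, len(dns), dns_off,
                      FLAG_HAS_SAM_NAME_AND_SID if with_sid else 0)
    if with_sid:
        buf += struct.pack("<HHHH", len(sam), sam_off, len(sid), sid_off)
        return buf + upn + dns + sam + sid
    return buf + upn + dns           # pre-extension layout: acceptor gets no SID

if __name__ == "__main__":
    print(parse_upn_dns_info(build_sample()))
```

An acceptor should key its authorization decisions on the returned sid, falling back to name-based matching only when the S flag is absent.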
Comment 4 Swamp Workflow Management 2021-11-10 20:19:05 UTC
openSUSE-SU-2021:3647-1: An update that fixes 8 vulnerabilities is now available.

Category: security (important)
Bug References: 1014440,1192214,1192215,1192246,1192247,1192283,1192284,1192505
CVE References: CVE-2016-2124,CVE-2020-25717,CVE-2020-25718,CVE-2020-25719,CVE-2020-25721,CVE-2020-25722,CVE-2021-23192,CVE-2021-3738
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    ldb-2.2.2-3.3.1, samba-4.13.13+git.528.140935f8d6a-3.12.1
Comment 5 Swamp Workflow Management 2021-11-10 20:33:06 UTC
SUSE-SU-2021:3647-1: An update that fixes 8 vulnerabilities is now available.

Category: security (important)
Bug References: 1014440,1192214,1192215,1192246,1192247,1192283,1192284,1192505
CVE References: CVE-2016-2124,CVE-2020-25717,CVE-2020-25718,CVE-2020-25719,CVE-2020-25721,CVE-2020-25722,CVE-2021-23192,CVE-2021-3738
JIRA References: 
Sources used:
SUSE MicroOS 5.1 (src):    ldb-2.2.2-3.3.1
SUSE Linux Enterprise Module for Python2 15-SP3 (src):    samba-4.13.13+git.528.140935f8d6a-3.12.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    ldb-2.2.2-3.3.1, samba-4.13.13+git.528.140935f8d6a-3.12.1
SUSE Linux Enterprise High Availability 15-SP3 (src):    samba-4.13.13+git.528.140935f8d6a-3.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2022-02-10 17:18:55 UTC
SUSE-SU-2022:0361-1: An update that solves 11 vulnerabilities, contains one feature and has two fixes is now available.

Category: security (critical)
Bug References: 1014440,1188727,1189017,1189875,1192214,1192215,1192246,1192247,1192283,1192284,1192505,1192849,1194859
CVE References: CVE-2016-2124,CVE-2020-17049,CVE-2020-25717,CVE-2020-25718,CVE-2020-25719,CVE-2020-25721,CVE-2020-25722,CVE-2021-20254,CVE-2021-23192,CVE-2021-3738,CVE-2021-44142
JIRA References: SLE-18456
Sources used:
SUSE Enterprise Storage 7 (src):    ldb-2.2.2-4.6.1, samba-4.13.13+git.545.5897c2d94f3-3.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Robert Frohl 2022-08-02 12:47:04 UTC
we are still tracking these as affected:

- SUSE:SLE-12-SP3:Update/samba
- SUSE:SLE-15:Update/samba
- SUSE:SLE-15-SP1:Update/samba
- SUSE:SLE-15-SP2:Update/samba

would it be possible to get submissions there too?
Comment 10 James McDonough 2022-08-03 15:38:42 UTC
(In reply to Robert Frohl from comment #9)
> we are still tracking these as affected:
> 
> - SUSE:SLE-12-SP3:Update/samba
> - SUSE:SLE-15:Update/samba
There is no AD DC, so these two are not affected
> - SUSE:SLE-15-SP1:Update/samba
> - SUSE:SLE-15-SP2:Update/samba
We don't plan on backporting to LTSS because this only affects the AD DC tech preview
> 
> would it be possible to get submissions there too?