Bugzilla – Bug 1192247
VUL-0: CVE-2020-25719: samba: AD DC Username based races when no PAC is given
Last modified: 2022-02-10 17:18:41 UTC
is public https://www.samba.org/samba/security/CVE-2020-25719.html CVE-2020-25719.html: =========================================================== == Subject: Samba AD DC did not always rely on the SID == and PAC in Kerberos tickets. == == CVE ID#: CVE-2020-25719 == == Versions: Samba 4.0.0 and later == == Summary: The Samba AD DC, could become confused about == the user a ticket represents if it did not == strictly require a Kerberos PAC and always use == the SIDs found within. The result could include total == domain compromise. =========================================================== =========== Description =========== Samba as an Active Directory Domain Controller is based on Kerberos, which provides name-based authentication. These names are often then used for authorization. However Microsoft Windows and Active Direcory is SID-based. SIDs in Windows, similar to UIDs in Linux/Unix (if managed well) are globally unique and survive name changes. At the meeting of these two authorization schemes it is possible to confuse a server into acting as one user when holding a ticket for another. A Kerberos ticket, once issued, may be valid for some time, often 10 hours but potentially longer. In Active Directory, it may or may not carry a PAC, holding the user's SIDs. A simple example of the problem is on Samba's LDAP server, which would, unless "gensec:require_pac = true" was set, permit a fall back to using the name in the Kerberos ticket alone. (All Samba AD services fall to the same issue in one way or another, LDAP is just a good example). Delegated administrators with the right to create other user or machine accounts can abuse the race between the time of ticket issue and the time of presentation (back to the AD DC) to impersonate a different account, including a highly privileged account. This could allow total domain compromise. ================= Behaviour changes ================= Samba as an AD DC will now always issue a Kerberos PAC in the AD-REQ and require that tickets presented back to the DC have a PAC, both in the KDC and elsewhere. Tickets issued by an unpatched DC that do not have a Kerberos PAC (eg with the --no-request-pac option to MIT kerberos kinit) will be denied after the upgrade, even if they are otherwise still valid. This also means that the Kerberos TCP transport is likely to be required to connect to the Samba AD DC, as a PAC is unlikely to fit in a UDP packet. PAC-free tickets are still supported for target services (eg NFS), via an flag within the PAC preventing it being put into the final ticket. ================== Patch Availability ================== Patches addressing both these issues have been posted to: https://www.samba.org/samba/security/ Additionally, Samba 4.15.2, 4.14.10 and 4.13.14 have been issued as security releases to correct the defect. Samba administrators are advised to upgrade to these releases or apply the patch as soon as possible. ================== CVSSv3 calculation ================== This CVSSv3 calculation is assuming the other Samba issues are addressed, and user/computer creation is an at least partially privileged action. CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (7.2) ========== Workaround ========== ======= Credits ======= Originally reported by Andrew Bartlett. Patches provided by: - Andrew Bartlett of Catalyst and the Samba Team. - Joseph Sutton of Catalyst and the Samba Team - Andreas Schneider of Red Hat and the Samba Team - Stefan Metzmacher of SerNet and the Samba Team Advisory written by Andrew Bartlett of Catalyst Catalyst would like to particularly thank Red Hat and SerNet for their contribution to fixing this issue. ========================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ==========================================================
openSUSE-SU-2021:3647-1: An update that fixes 8 vulnerabilities is now available. Category: security (important) Bug References: 1014440,1192214,1192215,1192246,1192247,1192283,1192284,1192505 CVE References: CVE-2016-2124,CVE-2020-25717,CVE-2020-25718,CVE-2020-25719,CVE-2020-25721,CVE-2020-25722,CVE-2021-23192,CVE-2021-3738 JIRA References: Sources used: openSUSE Leap 15.3 (src): ldb-2.2.2-3.3.1, samba-4.13.13+git.528.140935f8d6a-3.12.1
SUSE-SU-2021:3647-1: An update that fixes 8 vulnerabilities is now available. Category: security (important) Bug References: 1014440,1192214,1192215,1192246,1192247,1192283,1192284,1192505 CVE References: CVE-2016-2124,CVE-2020-25717,CVE-2020-25718,CVE-2020-25719,CVE-2020-25721,CVE-2020-25722,CVE-2021-23192,CVE-2021-3738 JIRA References: Sources used: SUSE MicroOS 5.1 (src): ldb-2.2.2-3.3.1 SUSE Linux Enterprise Module for Python2 15-SP3 (src): samba-4.13.13+git.528.140935f8d6a-3.12.1 SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): ldb-2.2.2-3.3.1, samba-4.13.13+git.528.140935f8d6a-3.12.1 SUSE Linux Enterprise High Availability 15-SP3 (src): samba-4.13.13+git.528.140935f8d6a-3.12.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
done
SUSE-SU-2022:0361-1: An update that solves 11 vulnerabilities, contains one feature and has two fixes is now available. Category: security (critical) Bug References: 1014440,1188727,1189017,1189875,1192214,1192215,1192246,1192247,1192283,1192284,1192505,1192849,1194859 CVE References: CVE-2016-2124,CVE-2020-17049,CVE-2020-25717,CVE-2020-25718,CVE-2020-25719,CVE-2020-25721,CVE-2020-25722,CVE-2021-20254,CVE-2021-23192,CVE-2021-3738,CVE-2021-44142 JIRA References: SLE-18456 Sources used: SUSE Enterprise Storage 7 (src): ldb-2.2.2-4.6.1, samba-4.13.13+git.545.5897c2d94f3-3.12.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.