===========================================================
== Subject:     Samba AD DC did not do sufficient access and
==              conformance checking of data stored.
==
== CVE ID#:     CVE-2020-25722
==
== Versions:    Samba 4.0.0 and later
==
== Summary:     At a number of points in the Samba AD DC
==              per-attribute and schema-based permission checks
==              were not correctly implemented, allowing up
==              to total domain compromise.
===========================================================

===========
Description
===========

Samba as an Active Directory Domain Controller has to take care to
protect a number of sensitive attributes, and to follow a security
model from Active Directory that relies totally on the intersection of
NT security descriptors and the underlying X.500 Directory Access
Protocol (as then expressed in LDAP) schema constraints for security.

Some attributes in Samba AD are sensitive: they apply to one object
but protect others.

Users who can set msDS-AllowedToDelegateTo can become any user in the
domain on the server pointed at by this list. Likewise in a domain
mixed with Microsoft Windows, Samba's lack of protection of sidHistory
would be a similar issue.

This would be limited to users with the right to create users or
modify them (typically those who created them), however, due to other
flaws, all users are able to create new user objects.

Finally, Samba did not enforce userPrincipalName and
servicePrincipalName uniqueness, nor did it correctly implement the
"validated SPN" feature allowing machine accounts to safely set their
own SPN.

Samba has implemented this feature, which avoids a denial of service
(UPNs) or service impersonation (SPNs) between users privileged to add
users to the domain (but see the above point).

This release adds a feature similar in goal but broader in
implementation than that found in the Windows 2012 Forest Functional
level. Users may therefore notice some additional restrictions not
previously observed.

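An audit of an LDIF export of the directory for the conditions described above: userPrincipalName or servicePrincipalName values shared by more than one object, and objects carrying msDS-AllowedToDelegateTo or sidHistory. This is an added example, not code from Samba or from the advisory; the sample entries and DNs are constructed, and comparing values case-insensitively is an assumption of the example.

```python
import base64
from collections import defaultdict
# Attributes named in the advisory (lower-cased for matching).
UNIQUE = {"userprincipalname", "serviceprincipalname"}
SENSITIVE = {"msds-allowedtodelegateto", "sidhistory"}

# Constructed sample export (hypothetical names and values), in LDIF form.
SAMPLE = """\
dn: CN=web1,CN=Computers,DC=example,DC=test
servicePrincipalName: HTTP/web1.example.test

dn: CN=alice,CN=Users,DC=example,DC=test
userPrincipalName: alice@example.test
servicePrincipalName: http/WEB1.example.test
msDS-AllowedToDelegateTo: cifs/fs1.example.test

dn: CN=bob,CN=Users,DC=example,DC=test
userPrincipalName: bob@example.test
sidHistory:: AQUAAAAAAAUVAAAA
"""

def parse_ldif(text):
    """Yield (dn, attrs) per entry; unfolds continuation lines, decodes base64."""
    for block in text.replace("\r\n", "\n").replace("\n ", "").split("\n\n"):
        dn, attrs = None, defaultdict(list)
        for line in block.splitlines():
            name, sep, rest = line.partition(":")
            if not sep or line.startswith("#"):
                continue
            if rest.startswith(":"):  # "attr:: value" is base64-encoded
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs[name.lower()].append(value)
        if dn:
            yield dn, attrs

def audit(text):
    """Return ({(attr, value): [dns]} for shared UPN/SPN values, [(dn, attr)] sensitive)."""
    owners, sensitive = defaultdict(set), []
    for dn, attrs in parse_ldif(text):
        for attr in attrs.keys() & UNIQUE:
            for value in attrs[attr]:
                owners[(attr, value.lower())].add(dn)  # assumption: case-insensitive
        sensitive += [(dn, attr) for attr in sorted(attrs.keys() & SENSITIVE)]
    return {k: sorted(v) for k, v in owners.items() if len(v) > 1}, sensitive
```

Every entry in the second result is an object whose creator and modification rights are worth reviewing, since those attributes affect objects other than the one they are set on.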
==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.15.2, 4.14.10 and 4.13.14 have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (8.8)

==========
Workaround
==========

=======
Credits
=======

Originally reported by Andrew Bartlett.

Patches provided by:
 - Andrew Bartlett of Catalyst and the Samba Team.
 - Douglas Bagnall of Catalyst and the Samba Team.
 - Nadezhda Ivanova of Symas and the Samba Team
 - Joseph Sutton of Catalyst and the Samba Team

Advisory written by Andrew Bartlett of Catalyst

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================