The Samba-Bugzilla – Attachment 16914 Details for
Bug 14564
CVE-2020-25722 [SECURITY] AD DC UPN vs samAccountName not checked (top-level bug for AD DC validation issues)
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
initial advisory (v01)
CVE-2020-25722-advisory-v1.txt (text/plain), 3.00 KB, created by
Andrew Bartlett
on 2021-11-02 09:06:09 UTC
(
hide
)
Description:
initial advisory (v01)
Filename:
MIME Type:
Creator:
Andrew Bartlett
Created:
2021-11-02 09:06:09 UTC
Size:
3.00 KB
patch
obsolete
>=========================================================== >== Subject: Samba AD DC did not do suffienct access and >== conformance checking of data stored. >== >== CVE ID#: CVE-2020-25722 >== >== Versions: Samba 4.0.0 and later >== >== Summary: At a number of points in the Samba AD DC >== per-attribute and schema based permission checks >== were not correctly implemented, allowing up >== to total domain compromise. >=========================================================== > >=========== >Description >=========== > >Samba as an Active Directory Domain Controller has to take care to >protect a number of sensitive attributes, and to follow a security >model from Active Directory that relies totally on the intersection of >NT security descriptors and the underlying X.500 Directory Access >Protocol (as then expressed in LDAP) schema constraints for security. > >Some attributes in Samba AD are sensitive, they apply to one object >but protect others. > >Users who can set msDS-AllowedToDelegateTo can become any user in the >domain on the server pointed at by this list. Likewise in a domain >mixed with Microsoft Windows, Samba's lack of protection of sidHistory >would be a similar issue. > >This would be limited to users with the right to create users or >modify them (typically those who created them), however, due to >other flaws, all users are able to create new user objects. > >Finally, Samba did not enforce userPrincipalName and >servicePrincipalName uniqueness, nor did it correctly implement the >"validated SPN" feature allowing machine accounts to safely set their >own SPN. > >Samba has implemented this feature, which avoids a denial of service >(UPNs) or service impersonation (SPNs) between users privileged to add >users to the domian (but see the above point). > >This release adds a feature similar in goal but broader in >implementation than that found in the Windows 2012 Forest Functional >level. Users may therefore notice some additional restrictions not >previously observed. > >================== >Patch Availability >================== > >Patches addressing both these issues have been posted to: > > https://www.samba.org/samba/security/ > >Additionally, Samba 4.15.2, 4.14.10 and 4.13.14 have been issued >as security releases to correct the defect. Samba administrators are >advised to upgrade to these releases or apply the patch as soon >as possible. > >================== >CVSSv3 calculation >================== > >CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (8.8) > >========== >Workaround >========== > > >======= >Credits >======= > >Originally reported by Andrew Bartlett. > >Patches provided by: > - Andrew Bartlett of Catalyst and the Samba Team. > - Douglas Bagnall of Catalyst and the Samba Team. > - Nadezhda Ivanova of Symas and the Samba Team > - Joseph Sutton of Catalyst and the Samba Team > >Advisory written by Andrew Bartlett of Catalyst > >========================================================== >== Our Code, Our Bugs, Our Responsibility. >== The Samba Team >========================================================== >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Actions:
View
Attachments on
bug 14564
:
16914
|
16916
|
16977