===========================================================
== Subject:     Samba AD DC did not always rely on the SID
==              and PAC in Kerberos tickets.
==
== CVE ID#:     CVE-2020-25719
==
== Versions:    Samba 4.0.0 and later
==
== Summary:     The Samba AD DC could become confused about
==              the user a ticket represents if it did not
==              strictly require a Kerberos PAC and always use
==              the SIDs found within.
===========================================================

===========
Description
===========

Samba as an Active Directory Domain Controller is based on Kerberos,
which is a name-based authorization protocol. However, Microsoft
Windows and Active Directory are SID-based, and at the meeting of these
two points it is possible to confuse a server into acting as one user
when holding a ticket for another.

A simple example is on Samba's LDAP server, which would, unless
"gensec:require_pac = true" was set, permit a fall back to using the
name in the ticket alone.

Users (delegated administrators) with the right to create other users
or computers can then abuse the race (between time of ticket issue and
time of presentation) to become a different user, if they name the
accounts carefully.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.15.2, 4.14.10 and 4.13.14 have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

This CVSSv3 calculation is assuming the other Samba issues are
addressed, and user/computer creation is an at least partially
privileged action.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (7.8)

==========
Workaround
==========

=======
Credits
=======

Originally reported by Andrew Bartlett.

Patches provided by:
 - Andrew Bartlett of Catalyst and the Samba Team.
 - Joseph Sutton of Catalyst and the Samba Team
 - Stefan Metzmacher of SerNet and the Samba Team

Advisory written by Andrew Bartlett of Catalyst

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
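
Added example (not part of the Samba Team's advisory or Samba's own code): a small audit helper that classifies a Samba version against the security releases named under Patch Availability and checks whether "gensec:require_pac" is set to a true value in the [global] section of smb.conf, the option the Description mentions for the LDAP server. The function names, the sample configuration, and the treatment of series after 4.15 as fixed are assumptions of this example.

```python
import re

# Security releases named in the advisory, keyed by release series.
FIXED = {(4, 15): 2, (4, 14): 10, (4, 13): 14}
TRUE_VALUES = {"yes", "true", "on", "1"}  # smb.conf spellings of a true boolean

def advisory_status(version):
    """Classify a Samba version string against CVE-2020-25719."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = map(int, m.groups())
    series = (major, minor)
    if series < (4, 0):
        return "not affected"          # advisory covers 4.0.0 and later
    if series in FIXED:
        return "fixed" if patch >= FIXED[series] else "vulnerable"
    # Assumption: series after 4.15 carry the fix; older ones have no listed release.
    return "fixed" if series > (4, 15) else "vulnerable"

def require_pac_enabled(smb_conf_text):
    """True only if [global] sets gensec:require_pac to a true value."""
    section, value = None, None
    for raw in smb_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                   # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, _, val = line.partition("=")
            if key.strip().lower() == "gensec:require_pac":
                value = val.strip().lower()   # last assignment wins
    return value in TRUE_VALUES

def audit(version, smb_conf_text):
    """Return findings for one DC; an empty list means nothing to report."""
    findings = []
    if advisory_status(version) == "vulnerable":
        findings.append("version predates 4.15.2 / 4.14.10 / 4.13.14: upgrade or patch")
        if not require_pac_enabled(smb_conf_text):
            findings.append("gensec:require_pac is not true: LDAP server may fall back to the ticket name")
    return findings

# Constructed sample input, not taken from a real system.
SAMPLE_CONF = """[global]
    server role = active directory domain controller
    ; gensec:require_pac = true
"""
```

Calling audit("Version 4.14.9", SAMPLE_CONF) returns both findings, because the option appears only in a commented-out line.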