The Samba-Bugzilla – Attachment 16918 Details for
Bug 14561
CVE-2020-25719 [SECURITY] AD DC Username based races when no PAC is given
initial advisory (v01)
CVE-2020-25718-advisory-v1.txt (text/plain), 2.34 KB, created by
Andrew Bartlett
on 2021-11-02 10:25:16 UTC
>===========================================================
>== Subject:     Samba AD DC did not always rely on the SID
>==              and PAC in Kerberos tickets.
>==
>== CVE ID#:     CVE-2020-25719
>==
>== Versions:    Samba 4.0.0 and later
>==
>== Summary:     The Samba AD DC could become confused about
>==              the user a ticket represents if it did not
>==              strictly require a Kerberos PAC and always use
>==              the SIDs found within.
>===========================================================
>
>===========
>Description
>===========
>
>Samba as an Active Directory Domain Controller is based on Kerberos,
>which is a name-based authorization protocol.
>
>However Microsoft Windows and Active Directory is SID-based, and at the
>meeting of these two points it is possible to confuse a server into
>acting as one user when holding a ticket for another.
>
>A simple example is on Samba's LDAP server, which would, unless
>"gensec:require_pac = true" was set, permit a fall back to using the
>name in the ticket alone.
>
>Users (delegated administrators) with the right to create other users
>or computers can then abuse the race (between time of ticket issue and
>time of presentation), to become a different user, if they name the
>accounts carefully.
>
>==================
>Patch Availability
>==================
>
>Patches addressing both these issues have been posted to:
>
>    https://www.samba.org/samba/security/
>
>Additionally, Samba 4.15.2, 4.14.10 and 4.13.14 have been issued
>as security releases to correct the defect.  Samba administrators are
>advised to upgrade to these releases or apply the patch as soon
>as possible.
>
>==================
>CVSSv3 calculation
>==================
>
>This CVSSv3 calculation is assuming the other Samba issues are
>addressed, and user/computer creation is an at least partially
>privileged action.
>
>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (7.8)
>
>==========
>Workaround
>==========
>
>
>=======
>Credits
>=======
>
>Originally reported by Andrew Bartlett.
>
>Patches provided by:
> - Andrew Bartlett of Catalyst and the Samba Team.
> - Joseph Sutton of Catalyst and the Samba Team
> - Stefan Metzmacher of SerNet and the Samba Team
>
>Advisory written by Andrew Bartlett of Catalyst
>
>==========================================================
>== Our Code, Our Bugs, Our Responsibility.
>== The Samba Team
>==========================================================
>
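An added example (not part of the advisory or of Samba's own code): a small audit helper that compares a Samba version against the security releases named above and reports whether "gensec:require_pac" is set to true in [global]. The function names, the accepted boolean spellings, the rule that branches newer than 4.15 carry the fix, and the sample smb.conf are assumptions made for illustration.

```python
import re

# Fixed releases named in the advisory, keyed by (major, minor) branch.
FIXED = {(4, 15): 2, (4, 14): 10, (4, 13): 14}
TRUE_WORDS = {"yes", "true", "on", "1"}  # assumed smb.conf boolean spellings

def version_is_fixed(version):
    """True if `version` is at or past the advisory's fixed release for its branch."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = map(int, m.groups())
    if (major, minor) in FIXED:
        return patch >= FIXED[(major, minor)]
    # Assumption: branches newer than 4.15 carry the fix; older ones got no release.
    return (major, minor) > (4, 15)

def require_pac_enabled(smb_conf_text):
    """True if [global] sets gensec:require_pac to a true value (last setting wins)."""
    section, enabled = None, False
    for raw in smb_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = (part.strip().lower() for part in line.split("=", 1))
        if key == "gensec:require_pac":
            enabled = value in TRUE_WORDS
    return enabled

def audit(version, smb_conf_text):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    if not version_is_fixed(version):
        findings.append(f"Samba {version} predates the CVE-2020-25719 security releases")
        if not require_pac_enabled(smb_conf_text):
            findings.append("gensec:require_pac is not true: name-only fallback possible")
    return findings

# Constructed sample input, not taken from a real server.
SAMPLE_CONF = """[global]
    server role = active directory domain controller
    ; gensec:require_pac = true
    Gensec:Require_PAC = Yes
"""
```

The setting check covers only the LDAP example the advisory gives; a finding on the version line still calls for the upgrade or patch described under Patch Availability.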