The Samba-Bugzilla – Attachment 16922 Details for
Bug 14561
CVE-2020-25719 [SECURITY] AD DC Username based races when no PAC is given
initial advisory (v02)
CVE-2020-25719-advisory-v2.txt (text/plain), 2.94 KB, created by
Andrew Bartlett
on 2021-11-02 19:55:40 UTC
===========================================================
== Subject:     Samba AD DC did not always rely on the SID
==              and PAC in Kerberos tickets.
==
== CVE ID#:     CVE-2020-25719
==
== Versions:    Samba 4.0.0 and later
==
== Summary:     The Samba AD DC could become confused about
==              the user a ticket represents if it did not
==              strictly require a Kerberos PAC and always use
==              the SIDs found within.
===========================================================

===========
Description
===========

Samba as an Active Directory Domain Controller is based on Kerberos,
which provides name-based authentication. These names are often then
used for authorization.

However, Microsoft Windows and Active Directory are SID-based. SIDs in
Windows, similar to UIDs in Linux/Unix (if managed well), are globally
unique and survive name changes. At the meeting of these two
authorization schemes it is possible to confuse a server into acting
as one user when holding a ticket for another.

A Kerberos ticket, once issued, may be valid for some time, often 10
hours but potentially longer. In Active Directory, it may or may not
carry a PAC, holding the user's SIDs.

A simple example of the problem is on Samba's LDAP server, which
would, unless "gensec:require_pac = true" was set, permit a fall back
to using the name in the Kerberos ticket alone. (All Samba AD
services are subject to the same issue in one way or another; LDAP is
just a good example.)

Delegated administrators with the right to create other user or
machine accounts can abuse the race between the time of ticket issue
and the time of presentation (back to the AD DC) to impersonate a
different user.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.15.2, 4.14.10 and 4.13.14 have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

This CVSSv3 calculation is assuming the other Samba issues are
addressed, and user/computer creation is an at least partially
privileged action.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (7.2)

==========
Workaround
==========


=======
Credits
=======

Originally reported by Andrew Bartlett.

Patches provided by:
 - Andrew Bartlett of Catalyst and the Samba Team.
 - Joseph Sutton of Catalyst and the Samba Team
 - Andreas Schneider of Red Hat and the Samba Team
 - Stefan Metzmacher of SerNet and the Samba Team

Advisory written by Andrew Bartlett of Catalyst

Catalyst would like to particularly thank Red Hat and SerNet for their
contribution to fixing this issue.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
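The name-versus-SID confusion the advisory describes, as an added toy model that is not Samba code (the directory class, the accounts, their names and their SIDs are all constructed for illustration): a ticket is issued while an account carries one name and is presented after names have changed. Resolving by the SID in the PAC still finds the account the ticket was issued for; the name fallback the advisory warns about finds a different account; and a require_pac policy, the analogue of "gensec:require_pac = true", refuses the PAC-less ticket rather than guessing.

```python
"""Toy model of name-based vs SID-based principal resolution.

Constructed illustration only: not Samba code.  Accounts, SIDs and the
Directory/Ticket helpers are made up to show why a service that falls
back to the account *name* in a Kerberos ticket can act as an account
other than the one the ticket was issued for, and why requiring a PAC
and resolving by SID avoids that.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Account:
    sid: str   # stable identifier; never reused in this model
    name: str  # renamable, so not a reliable identity over time


@dataclass
class Ticket:
    """The parts of a Kerberos service ticket this model cares about."""
    client_name: str                # principal name as issued by the KDC
    pac_sid: Optional[str] = None   # SID from the PAC, if a PAC is present


class Directory:
    """Accounts keyed by SID; names are looked up by scanning and can change."""

    def __init__(self) -> None:
        self._by_sid: Dict[str, Account] = {}

    def create(self, sid: str, name: str) -> Account:
        if sid in self._by_sid or self.lookup_name(name) is not None:
            raise ValueError("duplicate SID or name")
        acct = Account(sid, name)
        self._by_sid[sid] = acct
        return acct

    def rename(self, sid: str, new_name: str) -> None:
        if self.lookup_name(new_name) is not None:
            raise ValueError("name already in use")
        self._by_sid[sid].name = new_name

    def lookup_sid(self, sid: str) -> Optional[Account]:
        return self._by_sid.get(sid)

    def lookup_name(self, name: str) -> Optional[Account]:
        return next((a for a in self._by_sid.values() if a.name == name), None)


class PacRequired(Exception):
    """Raised when a PAC-less ticket is presented and require_pac is set."""


def resolve_principal(directory: Directory, ticket: Ticket,
                      require_pac: bool) -> Account:
    """Map a presented ticket to an account.

    With a PAC present, its SID is authoritative.  Without one, the
    resolver either refuses (require_pac=True, the fixed behaviour) or
    falls back to the name (require_pac=False, the behaviour the
    advisory describes).
    """
    if ticket.pac_sid is not None:
        acct = directory.lookup_sid(ticket.pac_sid)
        if acct is None:
            raise LookupError("PAC SID not found in directory")
        return acct
    if require_pac:
        raise PacRequired("ticket carries no PAC")
    acct = directory.lookup_name(ticket.client_name)
    if acct is None:
        raise LookupError("principal name not found in directory")
    return acct


def demo() -> Dict[str, str]:
    """Names change between ticket issue and presentation; report what each mode resolves."""
    d = Directory()
    holder = d.create("S-1-5-21-1-1-1-1105", "alice")  # constructed SID and name
    other = d.create("S-1-5-21-1-1-1-1106", "bob")     # constructed SID and name

    # Both tickets are issued to the holder while the account is still "alice".
    with_pac = Ticket(client_name="alice", pac_sid=holder.sid)
    without_pac = Ticket(client_name="alice")

    # Before the tickets are presented, the holder is renamed and a
    # different account ends up carrying the old name.
    d.rename(holder.sid, "alice-old")
    d.rename(other.sid, "alice")

    results = {
        "by_pac_sid": resolve_principal(d, with_pac, require_pac=True).sid,
        "by_name_fallback": resolve_principal(d, without_pac, require_pac=False).sid,
    }
    try:
        resolve_principal(d, without_pac, require_pac=True)
        results["require_pac"] = "resolved"
    except PacRequired:
        results["require_pac"] = "rejected"
    return results


if __name__ == "__main__":
    for mode, outcome in demo().items():
        print(f"{mode:18s} -> {outcome}")
```

The by_pac_sid result is the holder's SID, the by_name_fallback result is the other account's SID, and the require_pac mode rejects the PAC-less ticket; that last outcome is the one a hardened deployment wants, since refusing to resolve is safer than resolving by a name that may no longer belong to the ticket's owner.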
Flags: asn: review+, metze: review+
Attachments on bug 14561: 16918 | 16922 | 16979 | 16980