=========================================================== == Subject: A user in an AD Domain could become root on == domain members == == CVE ID#: CVE-2020-25717 == == Versions: All Samba versions since Samba 3.0 == == Summary: =========================================================== =========== Description =========== Windows Active Directory domains have, but default, a feature to allow users to create computer accounts, controlled by ms-DS-MachineAccountQuota. Likewise, some (presumably trusted) users have the right to create new users or computers in Active Directory Domains, both Samba and Windows based. These features can be quite dangerous, in the wrong hands, as the user who creates such accounts has broad privilege to not just create it and set the password, but to rename it at a later time, without constraint (except that it may not match another samAccountName in AD). When Samba, as an AD Domain member accepts a Kerberos ticket, it must map the information found therein to a local user. This is done via the name in the Kerberos PAC, or the name in the ticket (if there is no PAC). Samba will attempt to find a user "DOMAIN\user" before falling back to just "user". If the DOMAIN\user lookup can be made to fail, then a privilege escallation is possible. The easiest to understand example would be if an attacker had created an account named root (say by renaming a MachineAccountQuota based machine), and asked for a login without a Kerberos PAC. Between obtaining the ticket and presenting it, the attacker renames the user account away. Samba would look up "DOMAIN\root", fail (as this does not exist) and fall back to "root". This patch changes to Samba mean that Samba instead, as with NTLM based logins, works based on the SID in the PAC. The SID which is unique, non-repeating and so can't be confused. Additionally, a new parameter is added "min domain uid" (default 1000), and no matter how we obtain the UID to become (we may eventually read /etc/passwd or similar), by default no UID below this value will be accepted. ============ Beyond Samba ============ Samba is almost unique in the Linux/Unix landscape in that it can read the PAC and make authorisation choices based on the SIDs in the PAC. Administrators and those responsible for the deployment of other applications that use Kerberos, and which can only rely on the "cname" (Client name) in the Kerberos ticket should take care not to map these into the same namespace as system users. NFS-Ganesha has a mode to map AD domain users via Samba's winbindd. Use of this mode is encouraged, and (for all NFS servers in AD domains) the default idmapd.conf "Method = nsswitch" is discouraged. Likewise special care should be taken in the general configuration of "auth_to_local" in a krb5.conf as might be used by other services. ================== Patch Availability ================== Patches addressing both these issues have been posted to: https://www.samba.org/samba/security/ Additionally, Samba 4.15.2, 4.14.10 and 4.13.14 have been issued as security releases to correct the defect. Samba administrators are advised to upgrade to these releases or apply the patch as soon as possible. ================== CVSSv3 calculation ================== CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N (8.1) ========== Workaround ========== Setting "gensec:require_pac=true" in the smb.conf makes, due to a cache prime in winbind, the DOMAIN\user lookup succeed, provided nss_winbind is in use, 'winbind use default domain = no' (the default) and no error paths are hit. It would be prudent to pre-create disabled users in Active Directory matching on all privileged names not held in Active Directory, eg samba-tool user add root -H ldap://$SERVER -U$USERNAME%$PASSWORD --random-password samba-tool user add ubuntu -H ldap://$SERVER -U$USERNAME%$PASSWORD --random-password ... (repeat for eg all system users under 1000 in /etc/passwd or special to any other AD-connected services, eg perhaps "admin" for a web-app) ======= Credits ======= Originally reported by Andrew Bartlett of Catalyst and the Samba Team. Patches provided by: * Stefan Metzmacher of SerNet and the Samba Team * Samuel Cabrero of SuSE and the Samba Team * Joseph Sutton of Catalyst and the Samba Team * Alexander Bokovoy of Red Hat and the Samba Team * Ralph Boehme of SerNet and the Samba Team Andrew wishes to give much thanks to NetSPI for the blog "MachineAccountQuota is USEFUL Sometimes: Exploiting One of Active Directory's Oddest Settings" by Kevin Robertson[1], on which the full horror of MachineAccountQuota became clear. [1] https://www.netspi.com/blog/technical/network-penetration-testing/machineaccountquota-is-useful-sometimes/ ========================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ==========================================================