===========================================================
== Subject:     Kerberos acceptors need easy access to stable
==              AD identifiers (eg objectSid)
==
== CVE ID#:     CVE-2020-25721
==
== Versions:    All versions of Samba since Samba 4.0.0
==
== Summary:     Samba as an AD DC now provides a way for Linux
==              applications to obtain a reliable SID (and
==              samAccountName) in issued tickets.
===========================================================

===========
Description
===========

In order to avoid issues like CVE-2020-25717, AD Kerberos accepting
services need access to unique, and ideally long-term stable,
identifiers of a user to perform authorization.

The AD PAC provides this, but the most useful information is kept in a
buffer which is NDR encoded, which means that so far in Free Software
only Samba, and applications which use Samba under the hood like
FreeIPA, decode this.

Recognising that the issues seen in Samba are not unique, Samba now
provides an extension to UPN_DNS_INFO, a component of the AD PAC, in a
way that can be parsed using basic pointer handling.

From this, future non-Samba based Kerberised applications can easily
obtain the user's SID, in the same packing as objectSid in LDAP,
confident that the ticket represents a specific user, no matter
subsequent renames.

This will allow such non-Samba applications to avoid confusing one
Kerberos user for another, even if they have the same string name (due
to the gap between time of ticket printing by the KDC and time of
ticket acceptance).

The CVE is for the protocol deployment weakness as seen in AD, that
meant most Linux and Unix applications were for practical reasons only
able to rely on the Kerberos "client name" from the ticket.

Directories where only full administrators can create users are not
the concern; the concern is where that user/computer creation right is
delegated in some way, explicitly or via ms-DS-MachineAccountQuota.
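The "basic pointer handling" the description refers to, as an added example that is not Samba or Heimdal code: it assumes the MS-PAC layout of UPN_DNS_INFO (UpnLength/UpnOffset, DnsDomainNameLength/DnsDomainNameOffset, a 32-bit Flags word, and, when flag bit 0x2 is set, SamNameLength/SamNameOffset and SidLength/SidOffset, all offsets relative to the start of the buffer) and parses a constructed sample buffer, rejecting truncated input rather than reading past it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* MS-PAC UPN_DNS_INFO flag U: the SamName/Sid pair is present (assumed from MS-PAC, not stated in the advisory). */
#define UPN_DNS_INFO_HAS_SAM_NAME_AND_SID 0x00000002u
struct upn_dns_info {
    uint32_t flags;
    const uint8_t *sam_name; uint16_t sam_name_len; /* UTF-16LE, not NUL terminated */
    const uint8_t *sid;      uint16_t sid_len;      /* binary SID, same packing as LDAP objectSid */
};
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
/* Locate the SID extension. Returns 0 on success, -1 if the buffer is truncated,
 * an offset/length pair points outside it, or the extension is absent. */
int parse_upn_dns_info(const uint8_t *buf, size_t len, struct upn_dns_info *out)
{
    if (len < 12) return -1;                 /* Upn*, DnsDomainName* pairs and Flags must fit */
    out->flags = rd32(buf + 8);
    if (!(out->flags & UPN_DNS_INFO_HAS_SAM_NAME_AND_SID) || len < 20) return -1;
    uint16_t sam_len = rd16(buf + 12), sam_off = rd16(buf + 14);
    uint16_t sid_len = rd16(buf + 16), sid_off = rd16(buf + 18);
    /* Do the arithmetic in size_t so a hostile 16-bit pair cannot wrap past the check. */
    if ((size_t)sam_off + sam_len > len || (size_t)sid_off + sid_len > len) return -1;
    if (sid_len < 8 || buf[sid_off] != 1 || sid_len != 8 + 4 * (size_t)buf[sid_off + 1]) return -1;
    out->sam_name = buf + sam_off; out->sam_name_len = sam_len;
    out->sid = buf + sid_off;      out->sid_len = sid_len;
    return 0;
}
/* Render a binary SID as "S-1-<authority>-<sub>..."; returns the string length or -1. */
int sid_to_string(const uint8_t *sid, size_t len, char *out, size_t outlen)
{
    if (len < 8 || len != 8 + 4 * (size_t)sid[1]) return -1;
    uint64_t auth = 0;
    for (int i = 2; i < 8; i++) auth = (auth << 8) | sid[i];   /* 48-bit big-endian identifier authority */
    int n = snprintf(out, outlen, "S-%u-%llu", sid[0], (unsigned long long)auth);
    for (int i = 0; i < sid[1]; i++) {
        if (n < 0 || (size_t)n >= outlen) return -1;
        n += snprintf(out + n, outlen - (size_t)n, "-%u", rd32(sid + 8 + 4 * i));
    }
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}
/* Constructed sample: header + extension, samAccountName "user1", SID S-1-5-21-1-2-3-1105; UPN/DNS left empty. */
static const uint8_t sample_upn_dns_info[] = {
    0x00,0x00, 0x14,0x00, 0x00,0x00, 0x14,0x00,  /* UpnLength=0 @20, DnsDomainNameLength=0 @20 */
    0x02,0x00,0x00,0x00,                         /* Flags: SamName/Sid present */
    0x0a,0x00, 0x14,0x00, 0x1c,0x00, 0x1e,0x00,  /* SamNameLength=10 @20, SidLength=28 @30 */
    'u',0,'s',0,'e',0,'r',0,'1',0,
    0x01,0x05, 0x00,0x00,0x00,0x00,0x00,0x05,    /* revision 1, 5 sub-authorities, NT authority */
    0x15,0,0,0, 0x01,0,0,0, 0x02,0,0,0, 0x03,0,0,0, 0x51,0x04,0,0
};
```

An acceptor that keys authorization decisions on the string returned by sid_to_string (or the raw bytes) instead of the ticket's client name is unaffected by a rename or a re-created account with the same name.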
==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.15.2, 4.14.10 and 4.13.14 have been issued as
security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon as
possible.

A patch has been written for Heimdal Kerberos to use this feature, and
will be published for possible inclusion shortly after Samba's security
release.

==================
CVSSv3 calculation
==================

The impact of doing authorization with the string Kerberos cname
varies by accepting application.

==========
Workaround
==========

N/A. The historical behaviour has been accepted for a number of years;
it can continue in the short term.

=======
Credits
=======

Originally reported by Andrew Bartlett.

Patches provided by Andrew Bartlett and Joseph Sutton of Catalyst and
the Samba team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================