The Samba-Bugzilla – Attachment 16925 Details for Bug 14557: CVE-2020-25721 [SECURITY] KDC canonicalisation and mapping rules: challenges and hardening
Attachment: advisory text (v01)
CVE-2020-25721-advisory-v1.txt (text/plain), 3.07 KB, created by Andrew Bartlett on 2021-11-03 08:48:59 UTC
===========================================================
== Subject: Kerberos acceptors need easy access to stable
== AD identifiers (eg objectSid)
==
== CVE ID#: CVE-2020-25721
==
== Versions: All versions of Samba since Samba 4.0.0
==
== Summary: Samba as an AD DC now provides a way for Linux
== applications to obtain a reliable SID (and
== samAccountName) in issued tickets.
===========================================================

===========
Description
===========

In order to avoid issues like CVE-2020-25717, AD Kerberos accepting
services need access to unique and ideally long-term stable
identifiers of a user to perform authorization.

The AD PAC provides this, but the most useful information is kept in a
buffer which is NDR encoded, which means that so far in Free Software
only Samba, and applications which use Samba under the hood like
FreeIPA, decode this.

Recognising that the issues seen in Samba are not unique, Samba now
provides an extension to UPN_DNS_INFO, a component of the AD PAC, in a
way that can be parsed using basic pointer handling.

From this, future non-Samba based Kerberised applications can easily
obtain the user's SID, in the same packing as objectSID in LDAP,
confident that the ticket represents a specific user, no matter any
subsequent renames.

This will allow such non-Samba applications to avoid confusing one
Kerberos user for another, even if they have the same string name (due
to the gap between time of ticket printing by the KDC and time of
ticket acceptance).

The CVE is for the protocol deployment weakness as seen in AD, that
meant most Linux and Unix applications were for practical reasons only
able to rely on the Kerberos "client name" from the ticket.

Directories where only full administrators can create users are not
the concern; the concern is where that user/computer creation right is
delegated in some way, explicitly or via ms-DS-MachineAccountQuota.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

  https://www.samba.org/samba/security/

Additionally, Samba 4.15.2, 4.14.10 and 4.13.14 have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

A patch has been written for Heimdal Kerberos to use this feature, and
will be published for possible inclusion shortly after Samba's
security release.

==================
CVSSv3 calculation
==================

The impact of doing authorization with the string Kerberos cname
varies by accepting application.

==========
Workaround
==========

N/A.

The historical behaviour has been accepted for a number of years; it
can continue in the short term.

=======
Credits
=======

Originally reported by Andrew Bartlett.

Patches provided by Andrew Bartlett and Joseph Sutton of Catalyst and
the Samba team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
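An added example, not part of the advisory or of Samba's own code: a bounds-checked parser for the UPN_DNS_INFO PAC buffer that reads the SamName/Sid extension the advisory describes, so an acceptor can authorize on the SID rather than the string cname. The field layout (length/offset pairs in the header, flag bit 0x2 marking the extension, UTF-16LE strings, binary SID) follows MS-PAC as I understand it and is an assumption here; the sample buffer and SID are constructed.

```python
import struct

# Flag bit signalling that SamName/Sid fields follow the base header (assumed per MS-PAC).
UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID = 0x2

def _str_at(buf, off, ln):
    # Offsets are relative to the start of the UPN_DNS_INFO buffer; refuse to read past it.
    if off + ln > len(buf): raise ValueError("UPN_DNS_INFO field out of bounds")
    return buf[off:off + ln].decode("utf-16-le")

def _sid_to_string(raw):
    # Binary SID: revision, sub-authority count, 6-byte big-endian authority,
    # then little-endian uint32 sub-authorities (same packing as objectSid in LDAP).
    if len(raw) < 8: raise ValueError("SID too short")
    rev, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count: raise ValueError("SID length mismatch")
    auth = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d" % (rev, auth) + "".join("-%d" % s for s in subs)

def parse_upn_dns_info(buf):
    """Return upn, dns_domain, flags and, when the extension is present, sam_name and sid."""
    if len(buf) < 12: raise ValueError("UPN_DNS_INFO header too short")
    upn_len, upn_off, dns_len, dns_off, flags = struct.unpack_from("<HHHHI", buf, 0)
    info = {"upn": _str_at(buf, upn_off, upn_len),
            "dns_domain": _str_at(buf, dns_off, dns_len), "flags": flags}
    if flags & UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID:
        if len(buf) < 20: raise ValueError("extended UPN_DNS_INFO header too short")
        sam_len, sam_off, sid_len, sid_off = struct.unpack_from("<HHHH", buf, 12)
        info["sam_name"] = _str_at(buf, sam_off, sam_len)
        if sid_off + sid_len > len(buf): raise ValueError("SID out of bounds")
        info["sid"] = _sid_to_string(buf[sid_off:sid_off + sid_len])
    return info

def build_upn_dns_info(upn, dns_domain, sam_name, sid_raw):
    """Constructed test buffer carrying the extension (not real KDC output)."""
    u, d, s = (x.encode("utf-16-le") for x in (upn, dns_domain, sam_name))
    offs = [20]  # payload starts right after the 20-byte extended header
    for blob in (u, d, s):
        offs.append(offs[-1] + len(blob))
    header = struct.pack("<HHHHIHHHH", len(u), offs[0], len(d), offs[1],
                         UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID,
                         len(s), offs[2], len(sid_raw), offs[3])
    return header + u + d + s + sid_raw

# Constructed SID S-1-5-21-1-2-3-1106 in binary form, and a constructed sample buffer.
SAMPLE_SID = bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack("<5I", 21, 1, 2, 3, 1106)
SAMPLE = build_upn_dns_info("alice@example.com", "EXAMPLE.COM", "alice", SAMPLE_SID)
```

When the flag is absent (a ticket from a KDC without the extension) the parser returns only the base fields, and a truncated buffer raises rather than reading out of bounds.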
Flags: metze: review+