The Samba-Bugzilla – Attachment 16950 Details for Bug 14725: [SECURITY] Andrew's Kerberos Concerns (November 9 2021)
CVE-2020-25721 advisory (mirror of v2)
CVE-2020-25721-advisory-v2.txt (text/plain), 4.20 KB, created by Andrew Bartlett on 2021-11-04 09:46:23 UTC
===========================================================
== Subject: Kerberos acceptors need easy access to stable
== AD identifiers (eg objectSid)
==
== CVE ID#: CVE-2020-25721
==
== Versions: All versions of Samba since Samba 4.0.0
==
== Summary: Samba as an AD DC now provides a way for Linux
== applications to obtain a reliable SID (and
== samAccountName) in issued tickets.
===========================================================

===========
Description
===========

In order to avoid issues like CVE-2020-25717, AD Kerberos accepting
services need access to unique, and ideally long-term stable,
identifiers of a user to perform authorization.

The AD PAC provides this, but the most useful information is kept in a
buffer which is NDR encoded, which means that so far in Free Software
only Samba and applications which use Samba components under the hood,
like FreeIPA and SSSD, decode the PAC.

Recognising that the issues seen in Samba are not unique, Samba now
provides an extension to UPN_DNS_INFO, a component of the AD PAC, in a
way that can be parsed using basic pointer handling.

From this, future non-Samba based Kerberised applications can easily
obtain the user's SID, in the same packing as objectSID in LDAP,
confident that the ticket represents a specific user, no matter
subsequent renames.

This will allow such non-Samba applications to avoid confusing one
Kerberos user for another, even if they have the same string name (due
to the gap between time of ticket printing by the KDC and time of
ticket acceptance).

The protocol deployment weakness, as demonstrated with CVE-2020-25717
in Samba when deployed in Active Directory, leaves most Linux and UNIX
applications able only to rely on the "client name" from the Kerberos
ticket. When the "client name" as seen by the KDC is under attacker
control across multiple Kerberos requests, such applications need
additional information to correlate the client name across those
requests.

Directories where only full administrators can create users are not
the concern; the concern is where that user/computer creation right is
delegated in some way, explicitly or via ms-DS-MachineAccountQuota.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.15.2, 4.14.10 and 4.13.14 have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

A patch has been written for Heimdal Kerberos to use this feature, and
will be published for possible inclusion shortly after Samba's
security release.

==================
CVSSv3 calculation
==================

The impact of doing authorization with the Kerberos cname string
varies by accepting application.

==========
Workaround
==========

It would be prudent to pre-create disabled users in Active Directory
matching all privileged names not held in Active Directory, eg

    samba-tool user add root -H ldap://$SERVER -U$USERNAME%$PASSWORD --random-password
    samba-tool user add ubuntu -H ldap://$SERVER -U$USERNAME%$PASSWORD --random-password
    ...
    (repeat for eg all system users under 1000 in /etc/passwd or special
    to any other AD-connected services, eg perhaps "admin" for a web-app)

If running a Microsoft Windows Active Directory, setting
ms-DS-MachineAccountQuota to 0 in the Active Directory domain would
be advised, if possible.

===========================
Credits and further reading
===========================

Originally reported by Andrew Bartlett.

Patches provided by Andrew Bartlett and Joseph Sutton of Catalyst and
the Samba team.

Andrew wishes to give much thanks to NetSPI for the blog
"MachineAccountQuota is USEFUL Sometimes: Exploiting One of Active
Directory's Oddest Settings" by Kevin Robertson[1], from which the full
horror of MachineAccountQuota became clear.

[1] https://www.netspi.com/blog/technical/network-penetration-testing/machineaccountquota-is-useful-sometimes/


==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
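As an added illustration (not code from the advisory, Samba or Heimdal), the following parser pulls the objectSid and samAccountName that the advisory says Samba now places in UPN_DNS_INFO, so an acceptor can authorize on the SID instead of the ticket's cname. The field layout (length/offset pairs, the 0x2 "S" flag, offsets relative to the start of the buffer, UTF-16LE strings) is taken from MS-PAC section 2.10 rather than from this page, and the sample buffer is constructed, not captured from a real ticket.

```python
import struct

# Flag bit from MS-PAC 2.10 (Samba names it PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID);
# the value comes from the spec, not from the advisory text.
FLAG_HAS_SAM_NAME_AND_SID = 0x2


def sid_to_string(sid: bytes) -> str:
    """Decode a binary SID (the objectSid packing) to its S-1-... string form."""
    if len(sid) < 8 or len(sid) != 8 + 4 * sid[1]:
        raise ValueError("malformed SID")
    authority = int.from_bytes(sid[2:8], "big")          # 48-bit big-endian authority
    subs = struct.unpack_from("<%dI" % sid[1], sid, 8)   # little-endian sub-authorities
    return "S-%d-%d%s" % (sid[0], authority, "".join("-%d" % s for s in subs))


def _field(buf: bytes, offset: int, length: int) -> bytes:
    # Every offset is relative to the start of the UPN_DNS_INFO buffer; bounds-check it.
    if offset + length > len(buf):
        raise ValueError("UPN_DNS_INFO field runs past end of buffer")
    return buf[offset:offset + length]


def parse_upn_dns_info(buf: bytes) -> dict:
    """Parse UPN_DNS_INFO; adds 'sid' and 'sam_name' only when the S flag is set."""
    if len(buf) < 12:
        raise ValueError("buffer too short for UPN_DNS_INFO header")
    upn_len, upn_off, dns_len, dns_off, flags = struct.unpack_from("<HHHHI", buf, 0)
    info = {"upn": _field(buf, upn_off, upn_len).decode("utf-16-le"),
            "dns_domain": _field(buf, dns_off, dns_len).decode("utf-16-le")}
    if flags & FLAG_HAS_SAM_NAME_AND_SID:
        if len(buf) < 20:
            raise ValueError("S flag set but SamName/Sid descriptors are missing")
        sam_len, sam_off, sid_len, sid_off = struct.unpack_from("<HHHH", buf, 12)
        info["sam_name"] = _field(buf, sam_off, sam_len).decode("utf-16-le")
        info["sid"] = sid_to_string(_field(buf, sid_off, sid_len))
    return info


def build_sample() -> bytes:
    """Constructed buffer for testing (hypothetical user, not a real ticket)."""
    upn, dns, sam = (s.encode("utf-16-le") for s in ("alice@example.com", "EXAMPLE.COM", "alice"))
    sid = bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack("<5I", 21, 1111, 2222, 3333, 1105)
    fields, body, hdr_len = [], b"", 20              # 12-byte header + 8 bytes of S-flag fields
    for f in (upn, dns, sam, sid):
        fields += [len(f), hdr_len + len(body)]       # (length, offset) pair per field
        body += f
    header = struct.pack("<HHHH", *fields[:4]) + struct.pack("<I", FLAG_HAS_SAM_NAME_AND_SID)
    return header + struct.pack("<HHHH", *fields[4:]) + body
```

An acceptor should compare the returned "sid" against its stored mapping and fall back to name-based matching only when the S flag is absent, since a buffer without it is indistinguishable from one issued by a KDC that predates the extension.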
Flags: metze: review+