The Samba-Bugzilla – Attachment 16969 Details for Bug 14556: CVE-2020-25717 [SECURITY] A user on the domain can become root on domain members
CVE-2020-25717-advisory-v5.txt
CVE-2020-25717-advisory-v5.txt (text/plain), 6.76 KB, created by Stefan Metzmacher on 2021-11-08 21:45:56 UTC
Marked as: patch, obsolete
===========================================================
== Subject: A user in an AD Domain could become root on
== domain members
==
== CVE ID#: CVE-2020-25717
==
== Versions: All Samba versions since Samba 3.0
==
== Summary: Samba may map domain users to local users
== in an undesired way.
===========================================================

===========
Description
===========

Windows Active Directory (AD) domains have by default a feature to
allow users to create computer accounts, controlled by
ms-DS-MachineAccountQuota.

In addition some (presumably trusted) users have the right to create
new users or computers in both Samba and Windows Active Directory
Domains.

These features can be quite dangerous in the wrong hands, as the user
who creates such accounts has broad privileges to not just create them
and set their passwords, but to rename them at a later time, with the
only constraint being that they may not match an existing samAccountName in
AD.

When Samba as an AD Domain member accepts a Kerberos ticket, it must
map the information found therein to a local UNIX user-id (uid). This
is currently done via the account name in the Active Directory
generated Kerberos Privileged Attribute Certificate (PAC), or the
account name in the ticket (if there is no PAC).

For example, Samba will attempt to find a user "DOMAIN\user" before
falling back to trying to find the user "user".

If the DOMAIN\user lookup can be made to fail, then a privilege
escalation is possible.

The easiest example to illustrate this is if an attacker creates an
account named root (by renaming a MachineAccountQuota based machine
account), and asks for a login without a Kerberos PAC. Between
obtaining the ticket and presenting it to a server, the attacker
renames the user account to a different name. Samba attempts to look
up "DOMAIN\root", which fails (as this no longer exists) and then
falls back to looking up user "root", which will map to the privileged
UNIX uid of 0.

This patch changes Samba to require a PAC (in all scenarios related to
active directory domains) and to use the SID and account name
values of the PAC, which means the combination represents the same point
in time. The processing is now similar to that of NTLM based logins.
The SID is unique and non-repeating and so can't be confused with another user.

Additionally, a new parameter "min domain uid" (default 1000) has been
added, and no matter how we obtain the UNIX uid to use in the process
token (we may eventually read /etc/passwd or similar), by default no
UNIX uid below this value will be accepted.

The patch also removes the fallback from 'DOMAIN\user' to just 'user',
as it is dangerous and not needed when nss_winbind is used (even when
'winbind use default domain = yes' is used).

However, there are setups which are joined to an active directory domain
just for authentication, but where the authorization is handled without
nss_winbind by mapping the domain account to a local user provided
by nss_file, nss_ldap or something similar.
NOTE: These setups won't work anymore without explicitly mapping the users!

Administrators need to use the 'username map' or 'username map script'
option in order to map domain users explicitly to local users, e.g.

 user = DOMAIN\user

Please consult 'man 5 smb.conf' for further details on
'username map' or 'username map script'. Also note that '\' refers
to the default value of the 'winbind separator' option.


============
Beyond Samba
============

Samba is almost unique in the Linux/Unix landscape in that it can read
the PAC and make authorisation choices based on the SIDs in the PAC.

Administrators and those responsible for the deployment of other
applications that use Kerberos, and which can only rely on the "cname"
(Client name) in the Kerberos ticket, should take care not to map these
into the same namespace as system users.

NFS-Ganesha has a mode to map AD domain users via Samba's winbindd.
Use of this mode is encouraged, and (for all NFS servers in AD
domains) the default idmapd.conf "Method = nsswitch" is discouraged.

Likewise special care should be taken in the general configuration of
"auth_to_local" in a krb5.conf as might be used by other services.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

 https://www.samba.org/samba/security/

Additionally, Samba 4.15.2, 4.14.10 and 4.13.14 have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N (8.1)

==========
Workaround
==========

Setting "gensec:require_pac=true" in the smb.conf makes the
DOMAIN\user lookup succeed, due to a cache prime in winbind, provided
nss_winbind is in use and no error paths are hit.

It would be prudent to pre-create disabled users in Active Directory
matching all privileged names not held in Active Directory, eg

 samba-tool user add root -H ldap://$SERVER -U$USERNAME%$PASSWORD --random-password
 samba-tool user add ubuntu -H ldap://$SERVER -U$USERNAME%$PASSWORD --random-password
 ...
 (repeat for eg all system users under 1000 in /etc/passwd or special
 to any other AD-connected services, eg perhaps "admin" for a web-app)

Setting ms-DS-MachineAccountQuota to 0 in the Active Directory domain
is also advised, if possible.

The following settings might be additional mitigations
(but they have not been explicitly verified yet):

1. The use of the 'invalid users' option; note this
   needs to be specified in the [global] section,
   as well as in every share with an existing 'invalid users' option, e.g.:

   invalid users = root, ubuntu

2. The use of "obey pam restrictions = yes" together with
   something like 'account required pam_succeed_if.so quiet uid >= 1000' in
   the pam configuration for "samba"; please consult 'man 8 pam_succeed_if'.

=======
Credits
=======

Originally reported by Andrew Bartlett of Catalyst and the Samba Team.

Patches provided by:
 * Stefan Metzmacher of SerNet and the Samba Team
 * Samuel Cabrero of SuSE and the Samba Team
 * Joseph Sutton of Catalyst and the Samba Team
 * Alexander Bokovoy of Red Hat and the Samba Team
 * Ralph Boehme of SerNet and the Samba Team

Andrew wishes to give much thanks to NetSPI for the blog
"MachineAccountQuota is USEFUL Sometimes: Exploiting One of Active
Directory's Oddest Settings" by Kevin Robertson[1], from which the full
horror of MachineAccountQuota became clear.

[1] https://www.netspi.com/blog/technical/network-penetration-testing/machineaccountquota-is-useful-sometimes/

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
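The user-to-uid mapping the advisory describes, as an added model written for this page (not Samba's own code): the pre-fix name-based lookup with its bare-name fallback, next to the post-fix mapping that requires a PAC, resolves by SID, honours an explicit 'username map' entry, and refuses any uid below 'min domain uid'. The passwd, winbind, idmap and username-map tables are constructed sample data, and the SID below 1000 models a misconfigured idmap.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed local /etc/passwd view of the domain member: name -> uid.
LOCAL_PASSWD = {"root": 0, "daemon": 1, "ubuntu": 1000, "alice": 1001}

# Constructed view of what nss_winbind resolves *now*: "DOMAIN\\name" -> uid.
# "DOMAIN\\root" is deliberately absent: the machine account that carried
# that name when the ticket was issued has since been renamed again.
WINBIND_BY_NAME = {"DOMAIN\\alice": 10001}

# Constructed idmap state: objectSid -> uid. The second entry models a
# misconfigured idmap backend that hands out a uid below 1000.
IDMAP_BY_SID = {"S-1-5-21-1-2-3-1105": 10001, "S-1-5-21-1-2-3-1109": 2}


@dataclass
class Pac:
    sid: str            # objectSid at ticket-issue time; AD never reuses it
    account_name: str   # "DOMAIN\\samAccountName" at ticket-issue time


def vulnerable_map(ticket_cname: str, domain: str) -> Optional[int]:
    """Pre-fix logic: try DOMAIN\\user via winbind, then fall back to the
    bare name in the local passwd table (the step the CVE abuses)."""
    uid = WINBIND_BY_NAME.get(f"{domain}\\{ticket_cname}")
    if uid is not None:
        return uid
    return LOCAL_PASSWD.get(ticket_cname)   # "root" -> 0 here


def hardened_map(pac: Optional[Pac], username_map: Dict[str, str],
                 min_domain_uid: int = 1000) -> Optional[int]:
    """Post-fix logic as the advisory describes it: a PAC is mandatory, an
    explicit 'username map' entry or the SID decides the uid (never a bare
    name guess), and uids below 'min domain uid' are refused no matter how
    they were obtained."""
    if pac is None:
        return None                          # no PAC: reject the login
    local_name = username_map.get(pac.account_name)
    if local_name is not None:
        uid = LOCAL_PASSWD.get(local_name)   # admin-chosen mapping
    else:
        uid = IDMAP_BY_SID.get(pac.sid)      # SID-based idmap resolution
    if uid is None or uid < min_domain_uid:
        return None                          # unknown SID or privileged uid
    return uid
```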