=========================================================== == Subject: Samba AD DC did not always rely on the SID == and PAC in Kerberos tickets. == == CVE ID#: CVE-2020-25719 == == Versions: Samba 4.0.0 and later == == Summary: The Samba AD DC, could become confused about == the user a ticket represents if it did not == strictly require a Kerberos PAC and always use == the SIDs found within. The result could include total == domain compromise. =========================================================== =========== Description =========== Samba as an Active Directory Domain Controller is based on Kerberos, which provides name-based authentication. These names are often then used for authorization. However Microsoft Windows and Active Direcory is SID-based. SIDs in Windows, similar to UIDs in Linux/Unix (if managed well) are globally unique and survive name changes. At the meeting of these two authorization schemes it is possible to confuse a server into acting as one user when holding a ticket for another. A Kerberos ticket, once issued, may be valid for some time, often 10 hours but potentially longer. In Active Directory, it may or may not carry a PAC, holding the user's SIDs. A simple example of the problem is on Samba's LDAP server, which would, unless "gensec:require_pac = true" was set, permit a fall back to using the name in the Kerberos ticket alone. (All Samba AD services fall to the same issue in one way or another, LDAP is just a good example). Delegated administrators with the right to create other user or machine accounts can abuse the race between the time of ticket issue and the time of presentation (back to the AD DC) to impersonate a different account, including a highly privileged account. This could allow total domain compromise. ================= Behaviour changes ================= Samba as an AD DC will now always issue a Kerberos PAC in the AD-REQ and require that tickets presented back to the DC have a PAC, both in the KDC and elsewhere. Tickets issued by an unpatched DC that do not have a Kerberos PAC (eg with the --no-request-pac option to MIT kerberos kinit) will be denied after the upgrade, even if they are otherwise still valid. This also means that the Kerberos TCP transport is likely to be required to connect to the Samba AD DC, as a PAC is unlikely to fit in a UDP packet. PAC-free tickets are still supported for target services (eg NFS), via an flag within the PAC preventing it being put into the final ticket. ================== Patch Availability ================== Patches addressing both these issues have been posted to: https://www.samba.org/samba/security/ Additionally, Samba 4.15.2, 4.14.10 and 4.13.14 have been issued as security releases to correct the defect. Samba administrators are advised to upgrade to these releases or apply the patch as soon as possible. ================== CVSSv3 calculation ================== This CVSSv3 calculation is assuming the other Samba issues are addressed, and user/computer creation is an at least partially privileged action. CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (7.2) ========== Workaround ========== ======= Credits ======= Originally reported by Andrew Bartlett. Patches provided by: - Andrew Bartlett of Catalyst and the Samba Team. - Joseph Sutton of Catalyst and the Samba Team - Andreas Schneider of Red Hat and the Samba Team - Stefan Metzmacher of SerNet and the Samba Team Advisory written by Andrew Bartlett of Catalyst Catalyst would like to particularly thank Red Hat and SerNet for their contribution to fixing this issue. ========================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ==========================================================