Bug 14561 (CVE-2020-25719) - CVE-2020-25719 [SECURITY] AD DC Username based races when no PAC is given
Status: RESOLVED FIXED
Alias: CVE-2020-25719
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.13.1
Hardware: All
OS: All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on: 14686 14739 14873
Blocks: 14725
Reported: 2020-11-02 03:57 UTC by Andrew Bartlett
Modified: 2021-11-22 09:36 UTC

See Also:


Attachments
initial advisory (v01) (2.34 KB, text/plain) - 2021-11-02 10:25 UTC, Andrew Bartlett - no flags
initial advisory (v02) (2.94 KB, text/plain) - 2021-11-02 19:55 UTC, Andrew Bartlett - asn: review+, metze: review+
advisory text (v03) (3.09 KB, text/plain) - 2021-11-09 08:22 UTC, Andrew Bartlett - no flags
advisory text (v04) (3.78 KB, text/plain) - 2021-11-09 08:31 UTC, Andrew Bartlett - metze: review+

Comment 1 Stefan Metzmacher 2020-11-02 13:12:07 UTC
I think I tested a kerberos ticket without a pac against a windows smb server
and it seems to use an anonymous token, but it was just a very brief test and
I don't remember all details anymore.
Comment 2 Andrew Bartlett 2020-11-02 22:46:28 UTC
Thanks metze, I confirm the same on Windows 2019:

samba@9c864a0aad0c:~/src$ bin/samba4kinit --request-pac=0 administrator@WIN19.XXX
administrator@WIN19.XXX's Password: 
samba@9c864a0aad0c:~/src$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: administrator@WIN19.XXX

Valid starting       Expires              Service principal
02/11/2020 22:41:47  02/12/2020 08:41:47  krbtgt/WIN19.XXX@WIN19.XXX

samba@9c864a0aad0c:~/src$ bin/ldbsearch -H ldap://abartlet-test-dc-19.WIN19.XXX tokengroups -s base -b ""

# record 1
dn: 
tokenGroups: S-1-5-7

# returned 1 records
# 1 entries
# 0 referrals
Comment 3 Andrew Bartlett 2020-11-03 00:35:25 UTC
Sorry, that was just an anonymous session.

samba@9c864a0aad0c:~/src$ bin/samba4kinit --request-pac=0 administrator@WIN19.XXX 
administrator@WIN19.XXX's Password: 
samba@9c864a0aad0c:~/src$ bin/ldbsearch -H ldap://abartlet-test-dc-19.WIN19.XXX tokengroups -s base -b "" -k yes --krb5-ccache=/tmp/krb5cc_1000 
# record 1
dn: 
tokenGroups: S-1-5-7
tokenGroups: S-1-5-2
tokenGroups: S-1-5-15

# returned 1 records
# 1 entries
# 0 referrals
samba@9c864a0aad0c:~/src$ bin/samba4kinit administrator@WIN19.XXX 
administrator@WIN19.XXX's Password: 
samba@9c864a0aad0c:~/src$ bin/ldbsearch -H ldap://abartlet-test-dc-19.WIN19.XXX tokengroups -s base -b "" -k yes --krb5-ccache=/tmp/krb5cc_1000 
# record 1
dn: 
tokenGroups: S-1-5-21-4288279459-746639539-3756042918-500
tokenGroups: S-1-5-21-4288279459-746639539-3756042918-513
tokenGroups: S-1-1-0
tokenGroups: S-1-5-32-544
tokenGroups: S-1-5-32-545
tokenGroups: S-1-5-32-554
tokenGroups: S-1-5-2
tokenGroups: S-1-5-11
tokenGroups: S-1-5-15
tokenGroups: S-1-5-21-4288279459-746639539-3756042918-512
tokenGroups: S-1-5-21-4288279459-746639539-3756042918-520
tokenGroups: S-1-5-21-4288279459-746639539-3756042918-519
tokenGroups: S-1-5-21-4288279459-746639539-3756042918-518
tokenGroups: S-1-18-1
tokenGroups: S-1-5-21-4288279459-746639539-3756042918-572

# returned 1 records
# 1 entries
# 0 referrals
Comment 4 Andrew Bartlett 2020-11-03 22:12:16 UTC
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H (6.8)

In the worst case a user with privileges to create new accounts (and therefore set the userPrincipalName freely) could, knowing a new administrative account is to be created, obtain a ticket in the name of the new administrative account (via the attacker's account's UPN).

Otherwise (and perhaps more realistic) if the new account is just another user account:

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N (3.5)
Comment 5 Andrew Bartlett 2020-11-11 03:44:49 UTC
I've reproduced this against Samba.  However it requires that there has been a change to the username -> record lookup in the meantime, otherwise access is still as the attacker, not administrator.

abartlet@addc:~/samba$ bin/samba-tool user add mallory -s st/ad_dc/etc/smb.conf 
New Password: 
Retype Password: 

abartlet@addc:~/samba$ cat make-admin.ldif
dn: CN=mallory,CN=Users,DC=addom,DC=samba,DC=example,DC=com
changetype: modify
replace: userPrincipalName
userPrincipalName: administrator@addom.samba.example.com

abartlet@addc:~/samba$ bin/ldbmodify -H st/ad_dc/private/sam.ldb make-admin.ldif
Modified 1 records successfully
abartlet@addc:~/samba$ bin/samba4kinit --request-pac=0 administrator 
administrator@ADDOM.SAMBA.EXAMPLE.COM's Password: 

abartlet@addc:~/samba$ bin/ldbsearch -H ldap://$SERVER -k yes -s base -b "" tokengroups
# record 1
dn: 
tokenGroups: S-1-5-21-2435781381-3040432482-3519067470-1112
tokenGroups: S-1-5-21-2435781381-3040432482-3519067470-513

(remove UPN on cn=mallory)
abartlet@addc:~/samba$ bin/ldbedit -H st/ad_dc/private/sam.ldb cn=mallory
# 0 adds  1 modifies  0 deletes

 bin/ldbsearch -H ldap://$SERVER -k yes -s base -b "" tokengroups
# record 1
dn: 
tokenGroups: S-1-5-21-2435781381-3040432482-3519067470-500
tokenGroups: S-1-5-21-2435781381-3040432482-3519067470-513
Comment 6 Andrew Bartlett 2020-11-12 23:56:36 UTC
Proposed test:

Confirm that a Kerberos logon to the LDAP server without a PAC gives anonymous.

Also confirm the username based race:
 - as above
and
 - a simpler one with two unprivileged users: rename A -> C, B -> A.  

Confirm the 'right' SID is still returned in the tokenGroups, with a PAC.
Comment 7 David Mulder 2021-01-06 14:34:17 UTC
(In reply to Andrew Bartlett from comment #5)

I can't reproduce this using your instructions in comment #5:

> bin/ldbsearch -H ldap://$SERVER -k yes -s base -b "" tokengroups
Failed to bind - LDAP error 1 LDAP_OPERATIONS_ERROR -  <SASL:[GSS-SPNEGO]: Failed to get session info: NT_STATUS_ACCESS_DENIED> <>
Failed to connect to 'ldap://addc' with backend 'ldap': LDAP error 1 LDAP_OPERATIONS_ERROR -  <SASL:[GSS-SPNEGO]: Failed to get session info: NT_STATUS_ACCESS_DENIED> <>
Failed to connect to ldap://addc - LDAP error 1 LDAP_OPERATIONS_ERROR -  <SASL:[GSS-SPNEGO]: Failed to get session info: NT_STATUS_ACCESS_DENIED> <>
Comment 8 Andrew Bartlett 2021-11-02 10:25:16 UTC
Created attachment 16918
initial advisory (v01)
Comment 9 Andrew Bartlett 2021-11-02 10:32:02 UTC
Opening this sub-bug to vendors
Comment 11 Luke Howard 2021-11-02 12:05:05 UTC
Comment on attachment 16918
initial advisory (v01)

Kerberos is not (principally) a name-based authorisation protocol; it is an authentication protocol. Historically, names have been used for authorisation (with Linux/Unix), but as you point out Windows uses SIDs. It may be worth mentioning that SIDs are identifiers that persist across name changes.

Then, I would mention that because of its Linux/Unix history, Samba would permit falling back to using the name in the ticket alone.

Then:

Delegated administrators with the right to create other user or machine accounts can abuse the race between the time of ticket issue and the time of presentation to impersonate a different user.
Comment 12 Marcus Meissner 2021-11-02 12:16:31 UTC
Is the CVSS score 7.2 right? My calculator gets to 7.8 with these values.
Comment 13 Marcus Meissner 2021-11-02 12:17:09 UTC
I mean the other way round, 7.8 vs 7.2.
Comment 14 Jeffrey Altman 2021-11-02 13:09:44 UTC
Proposed alternative text:

Samba as an Active Directory Domain Controller is based on Kerberos [RFC4120], a name-based network authentication protocol. Kerberos does not provide an authorization service, and possession of a Kerberos ticket for an application service does not grant any rights to use the service. Traditional Kerberized application services make authorization decisions either by querying a local database (e.g. ~/.k5login) or a network service (e.g. LDAP or AFS3 Protection Service) to obtain authorization. Microsoft Active Directory permits application services to avoid the authorization queries by embedding a copy of the authorization data in the Kerberos service ticket: the Privilege Attribute Certificate (PAC). The PAC includes the unique Security Identifier (SID) of the authenticated client identity and the SIDs of each of the groups the client is a member of.

Microsoft Windows and Active Directory services ignore the authenticated client principal name and instead rely exclusively on the client SID. Whereas Microsoft Active Directory permits the names of accounts to be changed and reused upon deletion, the SID assigned to an account is immutable.

Kerberos service tickets are valid for a specified lifetime, typically on the order of 8 to 10 hours, determined by local policy. However, ticket lifetimes can be days, weeks, months or even years. Kerberos service tickets are not invalidated when the client principal's name is altered or deleted from the Kerberos Key Distribution Center (KDC) database. If the KDC permits principal names to be reused while previously issued tickets are valid, there is a race whereby Kerberos service tickets issued to two or more distinct client entities are valid simultaneously with the same authenticated client principal name.

A class of users (delegated administrators) is granted the right to create user or computer accounts. These delegated administrators can abuse the race (between time of ticket issue and time of presentation) to become a different user, if they name the accounts carefully.

Microsoft does not consider this race to be meaningful because all Microsoft Windows and Active Directory Services require the existence of a PAC and the unique immutable SID embedded within. However, the race can be used to confuse non-Microsoft application services into acting as one user when holding a ticket issued to another. A simple example is Samba's LDAP server, which would, unless "gensec:require_pac = true" was set, permit a fall back to using the name in the ticket alone.
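A small Python model of the race described in comments 5, 6 and 14, added here as an illustration; it is not Samba code and not part of this bug's patches. ToySam, Ticket, session_sid and the replay functions are constructed, and the assumption that a UPN match beats a sAMAccountName match in the name lookup is taken from the outcome shown in comment 5. It shows that with no PAC and a name fallback the same ticket resolves to a different SID once the directory changes, while requiring a PAC makes the result depend only on the SID the KDC put in the ticket.

```python
from dataclasses import dataclass

ANONYMOUS_SID = "S-1-5-7"  # well-known Anonymous Logon SID, as seen in comments 2 and 3
DOMAIN = "S-1-5-21-2435781381-3040432482-3519067470"  # domain SID from comment 5


@dataclass
class Ticket:
    """What the service receives: client name fixed at issue time; PAC carries the SID."""
    client_name: str
    pac_sid: "str | None"  # None models a ticket obtained with --request-pac=0


class ToySam:
    """Minimal SAM model (constructed data): SIDs never change, names and UPNs do."""

    def __init__(self):
        self.records = {}  # sid -> {"name": sAMAccountName, "upn": userPrincipalName}

    def add(self, sid, name, upn=None):
        self.records[sid] = {"name": name, "upn": upn}

    def update(self, sid, **attrs):  # e.g. update(sid, upn=None) removes the UPN
        self.records[sid].update(attrs)

    def resolve_name(self, name):
        """Username -> SID lookup by sAMAccountName or by the user part of the UPN.
        Assumption: a UPN match wins, as comment 5 shows for 'administrator'."""
        for sid, rec in self.records.items():
            if rec["upn"] is not None and rec["upn"].split("@")[0] == name:
                return sid
        for sid, rec in self.records.items():
            if rec["name"] == name:
                return sid
        return None

    def issue_ticket(self, name, request_pac=True):
        """KDC side: the client authenticates as whatever 'name' resolves to right now."""
        sid = self.resolve_name(name)
        if sid is None:
            raise LookupError(name)
        return Ticket(client_name=name, pac_sid=sid if request_pac else None)


def session_sid(ticket, sam, require_pac):
    """Service side (think of the LDAP server building session info).
    With require_pac the PAC is the only accepted source of identity."""
    if ticket.pac_sid is not None:
        return ticket.pac_sid
    if require_pac:
        return ANONYMOUS_SID  # no PAC -> anonymous, as comment 6's proposed test expects
    # Vulnerable fallback: re-resolve the name at presentation time.
    sid = sam.resolve_name(ticket.client_name)
    return sid if sid is not None else ANONYMOUS_SID


def replay_comment_5(request_pac, require_pac):
    """Return (sid_before, sid_after) for the UPN race shown in comment 5."""
    sam = ToySam()
    sam.add(DOMAIN + "-500", "administrator")
    sam.add(DOMAIN + "-1112", "mallory")
    sam.update(DOMAIN + "-1112", upn="administrator@addom.samba.example.com")
    ticket = sam.issue_ticket("administrator", request_pac)  # authenticates as mallory
    before = session_sid(ticket, sam, require_pac)
    sam.update(DOMAIN + "-1112", upn=None)  # the UPN is removed later on
    return before, session_sid(ticket, sam, require_pac)


def replay_rename_race(request_pac, require_pac):
    """Comment 6's simpler race between two unprivileged users: rename A -> C, then B -> A."""
    sam = ToySam()
    sam.add(DOMAIN + "-1101", "A")
    sam.add(DOMAIN + "-1102", "B")
    ticket = sam.issue_ticket("A", request_pac)  # issued to the original A
    sam.update(DOMAIN + "-1101", name="C")
    sam.update(DOMAIN + "-1102", name="A")
    return session_sid(ticket, sam, require_pac)
```

Only the combination "no PAC in the ticket" and "name fallback on the service" lets the resolved SID drift between issue and presentation; with a PAC the SID is whatever the KDC authenticated, and with require_pac a PAC-less ticket yields only the anonymous token.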
Comment 16 Andrew Bartlett 2021-11-02 19:55:40 UTC
Created attachment 16922
initial advisory (v02)

Updated advisory, taking on some feedback and adding special thanks.
Comment 17 Andrew Bartlett 2021-11-02 19:57:20 UTC
(In reply to Jeffrey Altman from comment #14)
Thanks for the context, in this case this is essentially a stuff-up (in various ways) purely within the AD DC.  

Your thoughts do apply, but to some of the other CVE descriptions I've not finished writing.
Comment 18 Arvid Requate 2021-11-03 09:56:08 UTC
Advisory file name should be CVE-2020-25719-advisory-v2.txt instead of CVE-2020-25718-advisory-v1.txt
Comment 19 Stefan Metzmacher 2021-11-03 16:49:31 UTC
Comment on attachment 16922
initial advisory (v02)

Thanks Arvid, I changed it to CVE-2020-25719-advisory-v2.txt
Comment 20 Andrew Bartlett 2021-11-09 08:22:05 UTC
Created attachment 16979
advisory text (v03)

I was too coy in the initial description here. This is quite serious, and would have been our most serious issue if it were not for Bug 14564 (CVE-2020-25722).

Increasing the warning level to explain that this means a possible domain compromise (to users able to create users).
Comment 21 Andrew Bartlett 2021-11-09 08:31:05 UTC
Created attachment 16980
advisory text (v04)

Sorry for the double-update, forgot to document the behaviour change.
Comment 22 Samba QA Contact 2021-11-09 18:13:47 UTC
This bug was referenced in samba v4-14-stable (Release samba-4.14.10):

Comment 23 Samba QA Contact 2021-11-09 18:21:39 UTC
This bug was referenced in samba v4-13-stable (Release samba-4.13.14):

Comment 24 Samba QA Contact 2021-11-09 18:23:09 UTC
This bug was referenced in samba v4-15-stable (Release samba-4.15.2):

Comment 25 Samba QA Contact 2021-11-09 18:44:59 UTC
This bug was referenced in samba v4-14-test:

Comment 26 Samba QA Contact 2021-11-09 18:51:07 UTC
This bug was referenced in samba v4-13-test:

Comment 27 Andrew Bartlett 2021-11-09 19:10:58 UTC
The releases are made, removing [EMBARGOED] tag.  The vendor-only restriction will be removed soon once the dust settles.
Comment 28 Samba QA Contact 2021-11-09 19:48:22 UTC
This bug was referenced in samba v4-15-test:

Comment 29 Samba QA Contact 2021-11-09 20:47:44 UTC
This bug was referenced in samba master:

Comment 30 Andrew Bartlett 2021-11-09 20:55:19 UTC
The patches addressing this issue have been pushed to master and security releases made.
Comment 31 Andrew Bartlett 2021-11-22 03:53:35 UTC
For deployments of the fileserver, where upgrading to a supported or supportable release is not possible, look carefully at backporting the patches tagged with CVE-2020-25719 in the patches on bug 14725, or at the very least:

CVE-2020-25719 CVE-2020-25717: auth/gensec: always require a PAC in domain mode (DC or member)

For the many domains that are simple and only have an administrator or domain admins, fixing Bug 14564 or at least applying the minimal patches mentioned there substantially avoids this issue.

Where there are delegated administrator rights, do upgrade; then all the patches tagged as CVE-2020-25719 become important to get to a secure (and validated) state.
Comment 32 Andrew Bartlett 2021-11-22 06:49:04 UTC
(In reply to Andrew Bartlett from comment #31)
Sorry, I meant for deployments of the AD DC.
Comment 33 Andrew Bartlett 2021-11-22 09:36:28 UTC
Removing vendor-only embargo and all-vendor CC.  Vendors who wish to follow this issue from here should CC individually.