I think I tested a Kerberos ticket without a PAC against a Windows SMB server and it seems to use an anonymous token, but it was just a very brief test and I don't remember all the details anymore.
Thanks metze, I confirm the same on Windows 2019:

samba@9c864a0aad0c:~/src$ bin/samba4kinit --request-pac=0 administrator@WIN19.XXX
administrator@WIN19.XXX's Password:
samba@9c864a0aad0c:~/src$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: administrator@WIN19.XXX

Valid starting       Expires              Service principal
02/11/2020 22:41:47  02/12/2020 08:41:47  krbtgt/WIN19.XXX@WIN19.XXX

samba@9c864a0aad0c:~/src$ bin/ldbsearch -H ldap://abartlet-test-dc-19.WIN19.XXX tokengroups -s base -b ""
# record 1
dn:
tokenGroups: S-1-5-7

# returned 1 records
# 1 entries
# 0 referrals
Sorry, that was just an anonymous session.

samba@9c864a0aad0c:~/src$ bin/samba4kinit --request-pac=0 administrator@WIN19.XXX
administrator@WIN19.XXX's Password:
samba@9c864a0aad0c:~/src$ bin/ldbsearch -H ldap://abartlet-test-dc-19.WIN19.XXX tokengroups -s base -b "" -k yes --krb5-ccache=/tmp/krb5cc_1000
# record 1
dn:
tokenGroups: S-1-5-7
tokenGroups: S-1-5-2
tokenGroups: S-1-5-15

# returned 1 records
# 1 entries
# 0 referrals

samba@9c864a0aad0c:~/src$ bin/samba4kinit administrator@WIN19.XXX
administrator@WIN19.XXX's Password:
samba@9c864a0aad0c:~/src$ bin/ldbsearch -H ldap://abartlet-test-dc-19.WIN19.XXX tokengroups -s base -b "" -k yes --krb5-ccache=/tmp/krb5cc_1000
# record 1
dn:
tokenGroups: S-1-5-21-4288279459-746639539-3756042918-500
tokenGroups: S-1-5-21-4288279459-746639539-3756042918-513
tokenGroups: S-1-1-0
tokenGroups: S-1-5-32-544
tokenGroups: S-1-5-32-545
tokenGroups: S-1-5-32-554
tokenGroups: S-1-5-2
tokenGroups: S-1-5-11
tokenGroups: S-1-5-15
tokenGroups: S-1-5-21-4288279459-746639539-3756042918-512
tokenGroups: S-1-5-21-4288279459-746639539-3756042918-520
tokenGroups: S-1-5-21-4288279459-746639539-3756042918-519
tokenGroups: S-1-5-21-4288279459-746639539-3756042918-518
tokenGroups: S-1-18-1
tokenGroups: S-1-5-21-4288279459-746639539-3756042918-572

# returned 1 records
# 1 entries
# 0 referrals
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H (6.8)

In the worst case a user with privileges to create new accounts (and therefore set the userPrincipalName freely) could, knowing a new administrative account is to be created, obtain a ticket in the name of the new administrative account (via the attacker's account's UPN).

Otherwise (and perhaps more realistically), if the new account is just another user account:

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N (3.5)
I've reproduced this against Samba. However, it requires that there has been a change to the username -> record lookup in the meantime, otherwise access is still as the attacker, not administrator.

abartlet@addc:~/samba$ bin/samba-tool user add mallory -s st/ad_dc/etc/smb.conf
New Password:
Retype Password:
abartlet@addc:~/samba$ cat make-admin.ldif
dn: CN=mallory,CN=Users,DC=addom,DC=samba,DC=example,DC=com
changetype: modify
replace: userPrincipalName
userPrincipalName: administrator@addom.samba.example.com
abartlet@addc:~/samba$ bin/ldbmodify -H st/ad_dc/private/sam.ldb make-admin.ldif
Modified 1 records successfully
abartlet@addc:~/samba$ bin/samba4kinit --request-pac=0 administrator
administrator@ADDOM.SAMBA.EXAMPLE.COM's Password:
abartlet@addc:~/samba$ bin/ldbsearch -H ldap://$SERVER -k yes -s base -b "" tokengroups
# record 1
dn:
tokenGroups: S-1-5-21-2435781381-3040432482-3519067470-1112
tokenGroups: S-1-5-21-2435781381-3040432482-3519067470-513

(remove UPN on cn=mallory)

abartlet@addc:~/samba$ bin/ldbedit -H st/ad_dc/private/sam.ldb cn=mallory
# 0 adds  1 modifies  0 deletes
bin/ldbsearch -H ldap://$SERVER -k yes -s base -b "" tokengroups
# record 1
dn:
tokenGroups: S-1-5-21-2435781381-3040432482-3519067470-500
tokenGroups: S-1-5-21-2435781381-3040432482-3519067470-513
Proposed test:

Confirm that a Kerberos logon to the LDAP server without a PAC gives anonymous.

Also confirm the username-based race:
 - as above, and
 - a simpler one with two unprivileged users: rename A -> C, B -> A.

Confirm the 'right' SID is still returned in the tokenGroups, with a PAC.
(In reply to Andrew Bartlett from comment #5)

I can't reproduce this using your instructions in comment #5:

> bin/ldbsearch -H ldap://$SERVER -k yes -s base -b "" tokengroups
Failed to bind - LDAP error 1 LDAP_OPERATIONS_ERROR - <SASL:[GSS-SPNEGO]: Failed to get session info: NT_STATUS_ACCESS_DENIED> <>
Failed to connect to 'ldap://addc' with backend 'ldap': LDAP error 1 LDAP_OPERATIONS_ERROR - <SASL:[GSS-SPNEGO]: Failed to get session info: NT_STATUS_ACCESS_DENIED> <>
Failed to connect to ldap://addc - LDAP error 1 LDAP_OPERATIONS_ERROR - <SASL:[GSS-SPNEGO]: Failed to get session info: NT_STATUS_ACCESS_DENIED> <>
Created attachment 16918 [details] initial advisory (v01)
Opening this sub-bug to vendors
Comment on attachment 16918 [details]
initial advisory (v01)

Kerberos is not (principally) a name-based authorisation protocol; it is an authentication protocol. Historically, names have been used for authorisation (with Linux/Unix), but as you point out Windows uses SIDs. It may be worth mentioning that SIDs are identifiers that persist across name changes.

Then, I would mention that because of its Linux/Unix history, Samba would permit falling back to using the name in the ticket alone.

Then: Delegated administrators with the right to create other user or machine accounts can abuse the race between the time of ticket issue and the time of presentation to impersonate a different user.
Is the CVSS score 7.2 right? My calculator gets to 7.8 with these values.
I mean the other way round: 7.8 vs 7.2.
Proposed alternative text:

Samba as an Active Directory Domain Controller is based on Kerberos [RFC4120], a name-based network authentication protocol. Kerberos does not provide an authorization service, and possession of a Kerberos ticket for an application service does not grant any rights to use the service. Traditional Kerberized application services make authorization decisions either by querying a local database (e.g. ~/.k5login) or a network service (e.g. LDAP or AFS3 Protection Service) to obtain authorization.

Microsoft Active Directory permits application services to avoid the authorization queries by embedding a copy of the authorization data in the Kerberos service ticket: the Privilege Attribute Certificate (PAC). The PAC includes the unique Security Identifier (SID) of the authenticated client identity and the SIDs of each of the groups the client is a member of. Microsoft Windows and Active Directory services ignore the authenticated client principal name and instead rely exclusively on the client SID. Whereas Microsoft Active Directory permits the names of accounts to be changed and reused upon deletion, the SID assigned to an account is immutable.

Kerberos service tickets are valid for a specified lifetime, typically on the order of 8 to 10 hours, determined by local policy. However, ticket lifetimes can be days, weeks, months or even years. Kerberos service tickets are not invalidated when the client principal's name is altered or deleted from the Kerberos Key Distribution Center (KDC) database. If the KDC permits principal names to be reused while previously issued tickets are valid, there is a race whereby Kerberos service tickets issued to two or more distinct client entities are valid simultaneously with the same authenticated client principal name.

A class of users (delegated administrators) are granted the right to create user or computer accounts. These delegated administrators can abuse the race (between time of ticket issue and time of presentation) to become a different user, if they name the accounts carefully. Microsoft does not consider this race to be meaningful because all Microsoft Windows and Active Directory Services require the existence of a PAC and the unique immutable SID embedded within. However, the race can be used to confuse non-Microsoft application services into acting as one user when holding a ticket issued to another. A simple example is Samba's LDAP server, which would, unless "gensec:require_pac = true" was set, permit a fall back to using the name in the ticket alone.
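The name-versus-SID distinction in the proposed text above, and the two-user rename race from the proposed test (rename A -> C, B -> A, then check which SID the ticket resolves to), can be shown in a small model. The following is an added example written for this page; it is not Samba code and speaks no Kerberos. The accounts, names and SIDs are constructed, `S-1-5-7` is the well-known anonymous-logon SID seen in the Windows output earlier in this thread, and the three service behaviours (PAC-based, name fallback, require-PAC) are the example's own simplification of the text.

```python
"""Toy model of the ticket/rename race (added example; not Samba code).

A ticket carries the client principal name it was issued with and, when a PAC
is present, the client's SID. A service that takes the session identity from
the PAC's SID is unaffected by later renames; a service that falls back to the
name resolves whichever account currently owns that name.
"""
from dataclasses import dataclass
from typing import Dict, Optional

ANONYMOUS_SID = "S-1-5-7"  # well-known SID for an anonymous logon


@dataclass
class Account:
    sid: str    # immutable identifier
    name: str   # mutable principal name


@dataclass
class Ticket:
    cname: str               # client principal name at issue time
    pac_sid: Optional[str]   # SID from the PAC, None when issued without a PAC


class Directory:
    """Stand-in for the KDC/LDAP database: the SID is the key, names are reusable."""

    def __init__(self):
        self._by_sid: Dict[str, Account] = {}

    def add(self, sid, name):
        if self.lookup_by_name(name) is not None:
            raise ValueError("name already in use: " + name)
        self._by_sid[sid] = Account(sid, name)

    def rename(self, sid, new_name):
        if self.lookup_by_name(new_name) is not None:
            raise ValueError("name already in use: " + new_name)
        self._by_sid[sid].name = new_name

    def lookup_by_sid(self, sid):
        return self._by_sid.get(sid)

    def lookup_by_name(self, name):
        return next((a for a in self._by_sid.values() if a.name == name), None)


def issue_ticket(directory, name, request_pac=True):
    """KDC side: the ticket binds the name; the PAC (if requested) binds the SID."""
    acct = directory.lookup_by_name(name)
    if acct is None:
        raise KeyError("no such principal: " + name)
    return Ticket(cname=name, pac_sid=acct.sid if request_pac else None)


def resolve_session_sid(directory, ticket, require_pac):
    """Service side: decide which identity a presented ticket maps to."""
    if ticket.pac_sid is not None:
        # SID-based: the identity was fixed at issue time, renames do not matter.
        return ticket.pac_sid
    if require_pac:
        # No PAC and no name fallback: the session is anonymous.
        return ANONYMOUS_SID
    # Name-based fallback: whichever account owns the name *now* is chosen.
    acct = directory.lookup_by_name(ticket.cname)
    return acct.sid if acct else ANONYMOUS_SID


def rename_race(request_pac, require_pac):
    """Two unprivileged users A and B. After A's ticket is issued, rename A -> C
    and B -> A. Returns the SID the service attributes to A's still-valid ticket."""
    d = Directory()
    sid_a, sid_b = "S-1-5-21-1-2-3-1101", "S-1-5-21-1-2-3-1102"  # constructed SIDs
    d.add(sid_a, "usera")
    d.add(sid_b, "userb")
    ticket = issue_ticket(d, "usera", request_pac=request_pac)
    d.rename(sid_a, "userc")
    d.rename(sid_b, "usera")
    return resolve_session_sid(d, ticket, require_pac)


if __name__ == "__main__":
    print("PAC present:              ", rename_race(True, True))
    print("no PAC, name fallback:    ", rename_race(False, False))
    print("no PAC, PAC required:     ", rename_race(False, True))
```

With a PAC the service returns A's SID regardless of the renames, which is the 'right' SID the proposed test asks for. Without a PAC, the name fallback returns B's SID even though B never held the ticket, and requiring a PAC turns the same ticket into an anonymous session, matching the `S-1-5-7` result against Windows earlier in the thread.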
Created attachment 16922 [details]
initial advisory (v02)

Updated advisory, taking on some feedback and adding special thanks.
(In reply to Jeffrey Altman from comment #14) Thanks for the context, in this case this is essentially a stuff-up (in various ways) purely within the AD DC. Your thoughts do apply, but to some of the other CVE descriptions I've not finished writing.
Advisory file name should be CVE-2020-25719-advisory-v2.txt instead of CVE-2020-25718-advisory-v1.txt
Comment on attachment 16922 [details]
initial advisory (v02)

Thanks Arvid, I changed it to CVE-2020-25719-advisory-v2.txt
Created attachment 16979 [details]
advisory text (v03)

I was too coy in the initial description here. This is quite serious, and would have been our most serious issue if it were not for Bug 14564 (CVE-2020-25722). Increasing the warning level to explain that this means a possible domain compromise (to users able to create users).
Created attachment 16980 [details]
advisory text (v04)

Sorry for the double-update, forgot to document the behaviour change.
This bug was referenced in samba v4-14-stable (Release samba-4.14.10): 064c41a769662942b045469e0f93405b613ee021 139d1a36f910afd4c102a95ffc5d34eb535de964 89c88b9627b11561adb2c7626cdcc172c0c35a5d d1777f8e02c27512c7f7816f3d77d72693d83bda 1dda66e97d3fa0ceed85c932f5d0c020fab14d94 888c6fbce8ff50dee6cc5524c17c87b39a867e74 61fcb75251cdf5c08fd6196c04cf9dec962425b3 e31b6f6094403d1186835af4e8385e988c19a4e5 f111e42082ac0a9f4e9d77e908cbb894ba5748b4 cc26ffe58666db3651be9f3670e9c972b4322a0b c22162544b70c5e546d973506cdb3ca197bdb375 a680362a12934ce3d0f9f0adff0c7f06a9586198 ef65925a41e10911821e56fa492ccd0262ea0533 169a4d4d1407e392ad1462536206eeec5b0f887e e4a06fdb47c070a84e2a863168ea86f55ccc24e0 78b7f477d594ed30fc53620f03b28a4fac1ecb45 8eeeececd28002893ab91722ea209f064d6a7ac9 c6ca9b34ade2de37488fa9234a1973e841e54c63 e875ebd31d1c1a9e4ef8bdcbfb2f1515e5afe19c a9a3783182c4464bf154ecf7f22c81b1c41512d1 c8f445ad6bc4cd8d9351b4a1bd8e7aeffa92297d 08c388112f845c8bc8edbe877a844a6578cbccfb 1c8fbb41c24a1b55aa1e24efd77660e4a1ef19c9 9d5d2d0ae4bfea39c1ddfa9eea8e79971c149889 2465874ef8b5c40376b8ce6da4938c9858d5004d bccbedcee290c127fa54d4d1e25f0d4a9aa0f436 4ecd2f5b8e46128d4289a84f52c2363fb77e60d6 41ff051f8b9321ac104f8c693d14d9f401c0304d c888bbe632d8bbadfd8c162e79aa0663ceb4e27f 171162bb5e4bfeb093fb7e1cf928fdcd4f23978d 481d47e24288d0908f6e0e53cbd34ba776e491fb d29c0d94dc36d3c84e028e147fe930ef24818101 7d27aed01ac5bb17eb465e73d05da231ec5cf6fa 048c400e02c5fef623ed95dfdd92bc1591ef6710 1fcd10069f774758c8234818ebe81b7ee5966d1d 3ba4cf29e7f7e29a183dde986313f3fea2a6e949 36a1c87654cf011a597901d43a16dfbc0fecf330 d15ace2d81783a92474e2dbe6c02f20589aa70f0 30fb296a38a72fd91161c4f48be3a0472479f2ff 45ff2b32361fb87a4f4bbc61f2620e2006666f34 1a24abc3554b419b3317a65a48e11dbfc7274073 77a36f23facc22ffcd5ca1e0b04b59b16b5eae2c
This bug was referenced in samba v4-13-stable (Release samba-4.13.14): 1bfde439b6cda61b374e70c6c2b587799c2681b6 e2a1affc03a97e0ae003c163b8f95f8f0e70ad03 24f759427f5c0eabfd420790adfc76aadd6dad3c c2d7c9a87f47444bdcfb33aa67d5cd29c1d82f66 5fc5247aca3bc700734742e5082038a08d317871 98f570d0841055092b8b059fa6ef16ad4e1ac53b 9463564519785e8e5234da0ab4441de0e91efd07 2966b61522e05753ad1c6f10d1b573576afc4b15 f507539d822072e2f2f337d0fd06acde38e87371 2aa37d595e4204a7c30daf2e7ee64d96df1b13df b4ac46d376ee4ce604a97d15d6f1166ea800c272 13d066a83b1530a55a4423782a57cc3cfe3fe9e5 4dfa0a77ce0d484b7cb3584124ad349bda391f5e e60e6301ad8ab6f7163c70c3b5eec862cee3d870 a01303f07c412fce2cdaff7b91ae3df036b438c4 80a8c900ebcd02eb8d42a1e310cf10da3bee2fca 97e5b765f281dc14f436b8c70a4dcd40a2babea9 837e153c74fe035f3c313d3ebd361cbb0e6b65bc 51890d842868380c4bb0a678a76cc6e9ac8e050f e496c04a6c2e4bb9e1bf2ec50dfd4bbe2f0d797f 04ceb10cbb4d12f2f71a9de2962e81d73270a300 241d3956af943169679e841e8149f22a5a79055f 2895186282eb076c276582ebd8f4159e8c2a7915 8bd96fc1aeb4aa9094bb3c4a6d72082a620935d7 9e29510f3e13cf6d3f864a0c62939d2990a399be 9990c478bf42e81b8ec6bf2759b209123f3819c5 103a6ebbbedc56468f504fbc60eb615a545163ad 4754bf4daf3ca5e9809a8a9d538d8ae38c9ef344 9902f1b0bf30b663a457230d3b3dcd92fd279879 940ddac4572b3caa419579c3bf60f6af0e019d18 0e09aaa3e6410ba6963099a3504c70603180a66d f0b9f23fa25ee49f8c9c9cab7390f1c948c0ac9f f99cff8c0515d5f29aba9d605415744b1d1c3b08 d86977088cd16e2ce7f0029ef78d0282c1535115 fe94c4bc71bd623fe96f81a917779a61ed6fcbb0 ff747922c115d9fd702cf1bad53e4c1ff4cd1779 8ae2a8740cef2e2918fc5ab57e34461e4d48df77 6b7d62e87ebc0f438e02a66b9011a26fffe827bd 706004d0267a8a1c2c121a54dd1952f6ba9213a1 60ac2ff31f07afb85bea371e0d92fe13319bc277 c05ea4568fc91bded602279eb9ab4f54935ed46b 2b28b9c3be28368e7b2322af208f17b12587c6a5
This bug was referenced in samba v4-15-stable (Release samba-4.15.2): ac294d9c65db0a72c566657f52479b738f668589 67b2e0d51a22e57c4758b3b8b6c739956d05187f b93b9b41b9eba84a090a76d376d5cf37810dbb89 04d515933b2566c138756357ed6112d50faa878b 4ad04eb040a96e8a17d71ad47cab180b77d7063a 9368a1c1a4f936345864e66f62889ecb59881716 af86793af77ab0dfe1c0a9740820c52b435d993d e44195b765a4029909fc7132928f1ec971d8727d 56ace59efee73988bfd6b25161fa70cfc1956c82 f905fd741ee15fb34ce02475b2791750bd21e025 8d6c969f566b7b1379d67f02f4772d4ba070f919 5a5bd1eef351df89fa78ea01e63e884a9ed8c82b 9053b1056eedab207d3b8f717dcceaf3b44db0d7 7eed3eb1be6ba896b1f19efdad86c4c9dcdb21f1 62223d11b918a7460500503aaaebe6a764a11d07 06bbaeae99731fddc03584a88417a9e3c5cfb2c4 fa66d8da991f292e8139f51acb54bbf87bdf619c e2ba22581f97171ef170b0b58196f9bb7e8fc801 08b392a6d4914ecf44029ac89b1dab353b7bca6a 42d82ae938fcffd36558afab97c25528b763ec03 de5c2f6b5ca31d88941ffdee6622c4331bedd784 b727d380028f7e54b8530dd7cd187a5d3ca0d4f9 4640efa4ee1d6fa505acec9e70d3de12312d484f a0485f3a5b29ac049a34323b5db2187fa070d737 fa875cb32011f779423037ba52ba9fb5abb04374 d6a12f8327d2634ff9744bd3dc8ffe67d0ccb873 f321ccc492bea1622d97b882c8451dce1c6302b7 d0a9e4beb0d4be3d492cb51c55ad5d643c09513e a1e75a78a566d6d6f4a611b5b6d76a48c8b14fb8 d00fe7a85c3406371cf6bbf7107f68ab5ee8d562 e2674a4fbd2a1eb4b7b6930a6017b28518c5c5d8 717960aaa312431b37374c18e1df7f9586947de3 db5183ed31529badf3c3378fb2df79d5f0ce3409 aa91e1f82499bb28d1b55c925ef7360ca6595677 424109b4eeac22959932c1d0a56b96f6979d1cb3 733c2a4a4897a2a4ed0e041518998c8d357472ac 31123d80a1975c6674da937bcc6c7d5fedf8d861 dc873b2e02b2d58213e93946b60b9a8ea96ee7fb 1c6e4577675d6b4fbafc1f868e1d54bedc0fdb7f 637991c7ebf98aca180cad407b96c45189d94cbc ba272db51634a214466faf0e69724fb6ac25e2a9
This bug was referenced in samba v4-14-test: 064c41a769662942b045469e0f93405b613ee021 139d1a36f910afd4c102a95ffc5d34eb535de964 89c88b9627b11561adb2c7626cdcc172c0c35a5d d1777f8e02c27512c7f7816f3d77d72693d83bda 1dda66e97d3fa0ceed85c932f5d0c020fab14d94 888c6fbce8ff50dee6cc5524c17c87b39a867e74 61fcb75251cdf5c08fd6196c04cf9dec962425b3 e31b6f6094403d1186835af4e8385e988c19a4e5 f111e42082ac0a9f4e9d77e908cbb894ba5748b4 cc26ffe58666db3651be9f3670e9c972b4322a0b c22162544b70c5e546d973506cdb3ca197bdb375 a680362a12934ce3d0f9f0adff0c7f06a9586198 ef65925a41e10911821e56fa492ccd0262ea0533 169a4d4d1407e392ad1462536206eeec5b0f887e e4a06fdb47c070a84e2a863168ea86f55ccc24e0 78b7f477d594ed30fc53620f03b28a4fac1ecb45 8eeeececd28002893ab91722ea209f064d6a7ac9 c6ca9b34ade2de37488fa9234a1973e841e54c63 e875ebd31d1c1a9e4ef8bdcbfb2f1515e5afe19c a9a3783182c4464bf154ecf7f22c81b1c41512d1 c8f445ad6bc4cd8d9351b4a1bd8e7aeffa92297d 08c388112f845c8bc8edbe877a844a6578cbccfb 1c8fbb41c24a1b55aa1e24efd77660e4a1ef19c9 9d5d2d0ae4bfea39c1ddfa9eea8e79971c149889 2465874ef8b5c40376b8ce6da4938c9858d5004d bccbedcee290c127fa54d4d1e25f0d4a9aa0f436 4ecd2f5b8e46128d4289a84f52c2363fb77e60d6 41ff051f8b9321ac104f8c693d14d9f401c0304d c888bbe632d8bbadfd8c162e79aa0663ceb4e27f 171162bb5e4bfeb093fb7e1cf928fdcd4f23978d 481d47e24288d0908f6e0e53cbd34ba776e491fb d29c0d94dc36d3c84e028e147fe930ef24818101 7d27aed01ac5bb17eb465e73d05da231ec5cf6fa 048c400e02c5fef623ed95dfdd92bc1591ef6710 1fcd10069f774758c8234818ebe81b7ee5966d1d 3ba4cf29e7f7e29a183dde986313f3fea2a6e949 36a1c87654cf011a597901d43a16dfbc0fecf330 d15ace2d81783a92474e2dbe6c02f20589aa70f0 30fb296a38a72fd91161c4f48be3a0472479f2ff 45ff2b32361fb87a4f4bbc61f2620e2006666f34 1a24abc3554b419b3317a65a48e11dbfc7274073 77a36f23facc22ffcd5ca1e0b04b59b16b5eae2c
This bug was referenced in samba v4-13-test: 1bfde439b6cda61b374e70c6c2b587799c2681b6 e2a1affc03a97e0ae003c163b8f95f8f0e70ad03 24f759427f5c0eabfd420790adfc76aadd6dad3c c2d7c9a87f47444bdcfb33aa67d5cd29c1d82f66 5fc5247aca3bc700734742e5082038a08d317871 98f570d0841055092b8b059fa6ef16ad4e1ac53b 9463564519785e8e5234da0ab4441de0e91efd07 2966b61522e05753ad1c6f10d1b573576afc4b15 f507539d822072e2f2f337d0fd06acde38e87371 2aa37d595e4204a7c30daf2e7ee64d96df1b13df b4ac46d376ee4ce604a97d15d6f1166ea800c272 13d066a83b1530a55a4423782a57cc3cfe3fe9e5 4dfa0a77ce0d484b7cb3584124ad349bda391f5e e60e6301ad8ab6f7163c70c3b5eec862cee3d870 a01303f07c412fce2cdaff7b91ae3df036b438c4 80a8c900ebcd02eb8d42a1e310cf10da3bee2fca 97e5b765f281dc14f436b8c70a4dcd40a2babea9 837e153c74fe035f3c313d3ebd361cbb0e6b65bc 51890d842868380c4bb0a678a76cc6e9ac8e050f e496c04a6c2e4bb9e1bf2ec50dfd4bbe2f0d797f 04ceb10cbb4d12f2f71a9de2962e81d73270a300 241d3956af943169679e841e8149f22a5a79055f 2895186282eb076c276582ebd8f4159e8c2a7915 8bd96fc1aeb4aa9094bb3c4a6d72082a620935d7 9e29510f3e13cf6d3f864a0c62939d2990a399be 9990c478bf42e81b8ec6bf2759b209123f3819c5 103a6ebbbedc56468f504fbc60eb615a545163ad 4754bf4daf3ca5e9809a8a9d538d8ae38c9ef344 9902f1b0bf30b663a457230d3b3dcd92fd279879 940ddac4572b3caa419579c3bf60f6af0e019d18 0e09aaa3e6410ba6963099a3504c70603180a66d f0b9f23fa25ee49f8c9c9cab7390f1c948c0ac9f f99cff8c0515d5f29aba9d605415744b1d1c3b08 d86977088cd16e2ce7f0029ef78d0282c1535115 fe94c4bc71bd623fe96f81a917779a61ed6fcbb0 ff747922c115d9fd702cf1bad53e4c1ff4cd1779 8ae2a8740cef2e2918fc5ab57e34461e4d48df77 6b7d62e87ebc0f438e02a66b9011a26fffe827bd 706004d0267a8a1c2c121a54dd1952f6ba9213a1 60ac2ff31f07afb85bea371e0d92fe13319bc277 c05ea4568fc91bded602279eb9ab4f54935ed46b 2b28b9c3be28368e7b2322af208f17b12587c6a5
The releases are made, removing [EMBARGOED] tag. The vendor-only restriction will be removed soon once the dust settles.
This bug was referenced in samba v4-15-test: ac294d9c65db0a72c566657f52479b738f668589 67b2e0d51a22e57c4758b3b8b6c739956d05187f b93b9b41b9eba84a090a76d376d5cf37810dbb89 04d515933b2566c138756357ed6112d50faa878b 4ad04eb040a96e8a17d71ad47cab180b77d7063a 9368a1c1a4f936345864e66f62889ecb59881716 af86793af77ab0dfe1c0a9740820c52b435d993d e44195b765a4029909fc7132928f1ec971d8727d 56ace59efee73988bfd6b25161fa70cfc1956c82 f905fd741ee15fb34ce02475b2791750bd21e025 8d6c969f566b7b1379d67f02f4772d4ba070f919 5a5bd1eef351df89fa78ea01e63e884a9ed8c82b 9053b1056eedab207d3b8f717dcceaf3b44db0d7 7eed3eb1be6ba896b1f19efdad86c4c9dcdb21f1 62223d11b918a7460500503aaaebe6a764a11d07 06bbaeae99731fddc03584a88417a9e3c5cfb2c4 fa66d8da991f292e8139f51acb54bbf87bdf619c e2ba22581f97171ef170b0b58196f9bb7e8fc801 08b392a6d4914ecf44029ac89b1dab353b7bca6a 42d82ae938fcffd36558afab97c25528b763ec03 de5c2f6b5ca31d88941ffdee6622c4331bedd784 b727d380028f7e54b8530dd7cd187a5d3ca0d4f9 4640efa4ee1d6fa505acec9e70d3de12312d484f a0485f3a5b29ac049a34323b5db2187fa070d737 fa875cb32011f779423037ba52ba9fb5abb04374 d6a12f8327d2634ff9744bd3dc8ffe67d0ccb873 f321ccc492bea1622d97b882c8451dce1c6302b7 d0a9e4beb0d4be3d492cb51c55ad5d643c09513e a1e75a78a566d6d6f4a611b5b6d76a48c8b14fb8 d00fe7a85c3406371cf6bbf7107f68ab5ee8d562 e2674a4fbd2a1eb4b7b6930a6017b28518c5c5d8 717960aaa312431b37374c18e1df7f9586947de3 db5183ed31529badf3c3378fb2df79d5f0ce3409 aa91e1f82499bb28d1b55c925ef7360ca6595677 424109b4eeac22959932c1d0a56b96f6979d1cb3 733c2a4a4897a2a4ed0e041518998c8d357472ac 31123d80a1975c6674da937bcc6c7d5fedf8d861 dc873b2e02b2d58213e93946b60b9a8ea96ee7fb 1c6e4577675d6b4fbafc1f868e1d54bedc0fdb7f 637991c7ebf98aca180cad407b96c45189d94cbc ba272db51634a214466faf0e69724fb6ac25e2a9
This bug was referenced in samba master: ff6631ecdcb7f0f6455d83e905647dc5aacee51d 06168fd4e3d1b1ea7fdcb6a42f1c721ba7340475 873ac6d814c814fdf2088745dbd562cd91caddd3 4125650a27c3be0f43f873843821751010090010 bd87905cf1bc014729ac72e8f1462ba10533efa9 24be204834889fca3f963ac4fee503a6ecbef439 9fe1b719e1b35ae4053cbb13f29f76f4b2f950ef f9b16272d2879812011c5642019fd33ae72a6b91 b4ea50f8b272a3b1d1d9d9ceda3641c22a082604 6ec80380dc9372a896f74e95738b01c046411429 f4ed37ad6aa0359f4799188d2b1d30571c6b42a6 336dfc32075ed8776378c35506db94c43cce2a88 dd251f26df6a26b1f6024758ec85ee2df54e6d50 21298ddfc5d8e4d755cfb7c6ae2068386447f538 9602594585d0a8d5c4fb7bfb419760765b262138 faf47b0b6b6037e2059cb4871c3e99020a3f605a e647186c144748b6e1672cea2ae37c7f93760984 2158ba1eb0800ba9429a9891d7af47d82985b73d 58455c4876113173e682e9b321b8a175779b8a43 42405aa46be210af0ffdd6ecc9e43e41fc8c4c83 8752b83bb98792579b7705d0ce1bd0fb9321043e 72f82d949a3ee0889f358a586484248f8386b744 b8c85fe81c4e95dab1b9a679d0d3e3d27e4f8ed9 2e1e57fca84ba7c8f68a1a2d64f49f9f2c4b80c0 7ff05eb8d44ed7bd7d71227ba42f0fddf09cd0ed fa4c9bcefdeed0a7106aab84df20b02435febc1f d0fb22ee85ee4baeba5eec5f7332e752e27765e0 4ef445a1f37e77df8016d240fcf22927165b8c03 d14a6a8846493438dca2f974a3a5d5e00a414d72 61fa866449e1f804b6118ccefdc9cbbc648ed625 2903a50523a80e6de37ff0e052734e9170d147c9 435719185c3c80539eb3041becf1ec18bcd99bac bdf07fc4211a123b2fe914050d2cb221e0c4a55b 41a36191f671d4e7e172da6b50ca07c3530ff561 87a769fc0a9cdc75f2f79f5cc8072efa95ff4437 01df6559ee6ba86110878da094a3badb50fb75d5 0db5c69d2961fbc538b7bd47373f9d00215fd5a2 2f9245f2a549bd89829d7807ec525c54ff61f8e5 1d3548aeffa2ec136f7cdece112a127241d8be13 f5baabd987bbe71bbf37277e11f51f03372c28f1 433092d61705bdfb3124be94f6d881214b9432ba
The patches addressing this issue have been pushed to master and security releases made.
For deployments of the fileserver, where upgrading to a supported or supportable release is not possible, look carefully at backporting the patches tagged with CVE-2020-25719 in the patches on bug 14725 or, at the very least:

CVE-2020-25719 CVE-2020-25717: auth/gensec: always require a PAC in domain mode (DC or member)

For the many domains that are simple and only have an administrator or domain admins, fixing Bug 14564 or at least applying the minimal patches mentioned there substantially avoids this issue.

Where there are delegated administrator rights, do upgrade; then all the patches tagged as CVE-2020-25719 become important to get to a secure (and validated) state.
(In reply to Andrew Bartlett from comment #31) Sorry, I meant for deployments of the AD DC.
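For an AD DC that cannot yet be upgraded, the mitigation named earlier in the thread is the `gensec:require_pac = true` setting, which the fix ("always require a PAC in domain mode") later made unconditional. The checker below is an added example written for this page, not a Samba tool: it parses an smb.conf and flags domain-role configurations that lack the setting. Which `server role` values count as domain mode, and the boolean spellings accepted, are this example's assumptions; the sample configurations are constructed.

```python
"""Audit an smb.conf for the PAC requirement (added example; not Samba code).

On releases predating the CVE-2020-25719 fix, Samba in a domain role fell back
to the principal name in the ticket unless gensec:require_pac = true was set.
This checker reports such configurations so they can be fixed or upgraded.
"""
import configparser

# Roles treated as "domain mode" here (assumption of this example).
DOMAIN_ROLES = {"active directory domain controller", "member server"}
TRUE_VALUES = {"yes", "true", "1"}


def parse_smb_conf(text):
    """Parse smb.conf text. Samba parameter names are case-insensitive and ignore
    embedded spaces; ':' must not be a key/value delimiter because option names
    such as gensec:require_pac contain it. The [global] section is assumed lowercase."""
    cp = configparser.ConfigParser(delimiters=("=",), strict=False, interpolation=None)
    cp.optionxform = lambda name: name.strip().lower().replace(" ", "")
    cp.read_string(text)
    return cp


def audit_require_pac(text):
    """Return (server_role, require_pac, finding); finding is None when nothing is wrong."""
    cp = parse_smb_conf(text)
    glob = cp["global"] if cp.has_section("global") else {}
    role = glob.get("serverrole", "auto").strip().lower()
    require_pac = glob.get("gensec:require_pac", "no").strip().lower() in TRUE_VALUES
    finding = None
    if role in DOMAIN_ROLES and not require_pac:
        finding = ("server role '%s' without gensec:require_pac = true: on releases "
                   "predating the CVE-2020-25719 fix the ticket's principal name is "
                   "trusted when no PAC is present; set the option or upgrade" % role)
    return role, require_pac, finding


# Constructed sample configurations.
WEAK_CONF = """\
[global]
    workgroup = ADDOM
    realm = ADDOM.SAMBA.EXAMPLE.COM
    server role = active directory domain controller
"""
FIXED_CONF = WEAK_CONF + "    gensec:require_pac = true\n"
STANDALONE_CONF = "[global]\n    server role = standalone server\n"

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF), ("standalone", STANDALONE_CONF)):
        role, req, finding = audit_require_pac(conf)
        print("%-10s role=%r require_pac=%s finding=%s" % (label, role, req, finding))
```

Run it against `/etc/samba/smb.conf` (or the `-s` path used with `samba-tool`) on each DC; a finding on a patched release is harmless, since the patched code requires the PAC regardless of the setting, but on an unpatched one it identifies exactly the fallback the advisory describes.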
Removing vendor-only embargo and all-vendor CC. Vendors who wish to follow this issue from here should CC individually.