Samba samldb.c checks do not check if a sAMAccountName would be a duplicate of a userPrincipalName. That is, sAMAccountName=fred should collide with userPrincipalName=fred@example.com for realm EXAMPLE.COM. Such checks are inherently racy but should still be done on the DC where the originating update is made, as in a well-replicating network they do provide a significant measure of protection against malicious and accidental activity. The lack of a cross-check currently matches Windows behaviour, but may not be desirable. NOTE WELL: This bug is not for detection of racy creation of such objects per https://social.technet.microsoft.com/wiki/contents/articles/15435.active-directory-duplicate-object-name-resolution.aspx
For domains containing Windows DCs that implement the MachineAccountQuota, this lack of cross-check allows a Denial Of Service, as a machine account can 'take over' a UPN that happens to be short enough to have the prefix before the @ fit into the samAccountName. I'm reporting this concern to MS; this bug is to track that we will want to follow up with implementing the same mitigations.
This bug will be used for the CVE for all AD DC validation issues where users with write permission are not sufficiently constrained by either ACLs or other constraints from causing denial of service or privilege escalation via the objects they can write.
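Added example (not part of the bug report and not Samba's code): an offline audit that flags the cross-attribute collision described in the report, where one object's sAMAccountName equals the prefix of a different object's userPrincipalName in the local realm. The entry layout, the sample data and the function names are assumptions made for illustration, as is the case-insensitive comparison.

```python
from collections import defaultdict

# Constructed sample entries (not from the bug report), shaped like an LDAP export.
SAMPLE_ENTRIES = [
    {"dn": "CN=fred,CN=Users,DC=example,DC=com",
     "sAMAccountName": "fred", "userPrincipalName": "fred@example.com"},
    {"dn": "CN=Alice,CN=Users,DC=example,DC=com",
     "sAMAccountName": "asmith", "userPrincipalName": "alice@example.com"},
    {"dn": "CN=svc,CN=Users,DC=example,DC=com",
     "sAMAccountName": "Alice", "userPrincipalName": None},
    {"dn": "CN=bob,CN=Users,DC=example,DC=com",
     "sAMAccountName": "bob", "userPrincipalName": "fred@other.example"},
]


def upn_prefix_in_realm(upn, realm):
    """Return the lower-cased part before the last '@' if the UPN suffix is
    the realm (compared case-insensitively, an assumption), else None."""
    if not upn or "@" not in upn:
        return None
    prefix, _, suffix = upn.rpartition("@")
    if not prefix or suffix.lower() != realm.lower():
        return None
    return prefix.lower()


def find_cross_collisions(entries, realm):
    """List (sam_dn, upn_dn, name) where one object's sAMAccountName equals
    the realm-local UPN prefix of a *different* object."""
    by_sam = defaultdict(list)
    for e in entries:
        sam = e.get("sAMAccountName")
        if sam:
            by_sam[sam.lower()].append(e["dn"])
    hits = []
    for e in entries:
        prefix = upn_prefix_in_realm(e.get("userPrincipalName"), realm)
        if prefix is None:
            continue
        for sam_dn in by_sam.get(prefix, []):
            if sam_dn != e["dn"]:  # an object matching its own UPN is normal
                hits.append((sam_dn, e["dn"], prefix))
    return sorted(hits)


if __name__ == "__main__":
    for sam_dn, upn_dn, name in find_cross_collisions(SAMPLE_ENTRIES, "EXAMPLE.COM"):
        print(f"{name!r}: sAMAccountName on {sam_dn} collides with UPN on {upn_dn}")
```
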
Created attachment 16914: initial advisory (v01)
Created attachment 16916: advisory text (v02) (with some special thanks)
Opening this bug to vendors.
Created attachment 16977: advisory text (v03)
I've updated the advisory with much more detail on what the new user-visible restrictions are.
This bug was referenced in samba v4-14-stable (Release samba-4.14.10).
This bug was referenced in samba v4-15-stable (Release samba-4.15.2).
This bug was referenced in samba v4-13-stable (Release samba-4.13.14).
This bug was referenced in samba v4-13-test.
The releases are made, removing [EMBARGOED] tag. The vendor-only restriction will be removed soon once the dust settles.
This bug was referenced in samba v4-14-test.
This bug was referenced in samba v4-15-test.
This bug was referenced in samba master.
The patches addressing this issue have been pushed to master and security releases made.
Backporting some of the patches for this issue, found on bug 14725:
CVE-2020-25722 Ensure the structural objectclass cannot be changed
CVE-2020-25722 dsdb: Restrict the setting of privileged attributes during LDAP add/modify
would be the highest priority.
Removing embargo, vendors who would like to continue to get updates should CC individually. Removing 'private' flag from comment #2. It should be well noted that Samba and Windows have chosen different directions here, but all appropriate notifications have been made.