Bug 14564 (CVE-2020-25722) - CVE-2020-25722 [SECURITY] AD DC UPN vs samAccountName not checked (top-level bug for AD DC validation issues)
Status: RESOLVED FIXED
Alias: CVE-2020-25722
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.13.1
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Douglas Bagnall
QA Contact: Samba QA Contact
Depends on: 14833 14562 14703 14706 14753 14775 14776 14778 14832 14876 14889
Blocks: 14725

Reported: 2020-11-03 21:20 UTC by Andrew Bartlett
Modified: 2021-11-22 09:32 UTC


Attachments
initial advisory (v01) (3.00 KB, text/plain), 2021-11-02 09:06 UTC, Andrew Bartlett, no flags
advisory text (v02) (with some special thanks) (3.13 KB, text/plain), 2021-11-02 09:54 UTC, Andrew Bartlett, metze: review+
advisory text (v03) (4.91 KB, text/plain), 2021-11-09 08:00 UTC, Andrew Bartlett, metze: review+

Description Andrew Bartlett 2020-11-03 21:20:31 UTC
Samba's samldb.c checks do not check whether a sAMAccountName would be a duplicate of a userPrincipalName.

That is, sAMAccountName=fred should collide with userPrincipalName=fred@example.com for realm EXAMPLE.COM

Such checks are inherently racy but should still be done on the DC where the originating update is made, as in a well-replicating network they do provide a significant measure of protection against malicious and accidental activity.

The lack of a cross-check currently matches Windows behaviour, but may not be desirable.

NOTE WELL: This bug is not for detection of racy creation of such objects, per

https://social.technet.microsoft.com/wiki/contents/articles/15435.active-directory-duplicate-object-name-resolution.aspx
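The cross-check the description asks for, written out as an added example (this is illustrative code, not Samba's samldb.c implementation): a proposed add is compared against the objects already in the directory, and the two cross cases (new sAMAccountName against an existing UPN prefix in the domain realm, new UPN prefix against an existing sAMAccountName) are reported alongside the plain same-attribute duplicates. The in-memory directory, the realm, the sample objects and all function names are assumptions made for the demo.

```python
# Added example (not Samba's samldb.c code): a point-in-time cross-check
# between sAMAccountName and userPrincipalName on a proposed add.  The
# in-memory directory, realm and helper names are assumptions for the demo.
from dataclasses import dataclass

REALM = "EXAMPLE.COM"  # constructed sample realm

# Constructed sample directory: two existing objects.
SAMPLE_DIRECTORY = [
    {"dn": "CN=Fred,CN=Users,DC=example,DC=com",
     "sAMAccountName": "fred.smith",
     "userPrincipalName": "fred@example.com"},
    {"dn": "CN=HOST1,CN=Computers,DC=example,DC=com",
     "sAMAccountName": "host1$"},
]


@dataclass
class Collision:
    new_attr: str       # attribute on the proposed object
    existing_attr: str  # attribute on the existing object it clashes with
    existing_dn: str


def _norm(value):
    # AD compares both attributes case-insensitively.
    return value.casefold()


def upn_local_part(upn, realm):
    """Prefix of a UPN whose suffix is the domain realm, else None.
    A UPN in a foreign realm cannot stand in for an account name of this
    domain, so it is not cross-checked."""
    local, at, suffix = upn.rpartition("@")
    if not at or _norm(suffix) != _norm(realm):
        return None
    return local


def find_collisions(new_obj, existing, realm):
    """Report every existing object the proposed one would clash with.
    Besides the plain same-attribute duplicates, the two cross cases from
    the bug report are checked: new sAMAccountName vs existing UPN prefix
    and new UPN prefix vs existing sAMAccountName.  The trailing '$' of a
    machine-account name is compared verbatim (assumption)."""
    new_sam = new_obj.get("sAMAccountName")
    new_upn = new_obj.get("userPrincipalName")
    new_local = upn_local_part(new_upn, realm) if new_upn else None
    found = []
    for obj in existing:
        sam = obj.get("sAMAccountName")
        upn = obj.get("userPrincipalName")
        local = upn_local_part(upn, realm) if upn else None
        dn = obj["dn"]
        if new_sam and sam and _norm(new_sam) == _norm(sam):
            found.append(Collision("sAMAccountName", "sAMAccountName", dn))
        if new_upn and upn and _norm(new_upn) == _norm(upn):
            found.append(Collision("userPrincipalName", "userPrincipalName", dn))
        if new_sam and local is not None and _norm(new_sam) == _norm(local):
            found.append(Collision("sAMAccountName", "userPrincipalName", dn))
        if new_local is not None and sam and _norm(new_local) == _norm(sam):
            found.append(Collision("userPrincipalName", "sAMAccountName", dn))
    return found


def check_add(new_obj, existing=SAMPLE_DIRECTORY, realm=REALM):
    """Gate a proposed add: (True, []) if it may proceed, else (False, clashes)."""
    clashes = find_collisions(new_obj, existing, realm)
    return (not clashes, clashes)


if __name__ == "__main__":
    proposals = [
        {"sAMAccountName": "fred"},                        # clashes with fred@example.com
        {"sAMAccountName": "bob",
         "userPrincipalName": "Fred.Smith@EXAMPLE.COM"},   # clashes with sAMAccountName fred.smith
        {"userPrincipalName": "fred@other.example"},       # foreign realm: allowed
    ]
    for p in proposals:
        ok, clashes = check_add(p)
        print("ALLOW" if ok else "REJECT", p,
              [(c.new_attr, c.existing_attr) for c in clashes])
```

As the description says, such a check is only a point-in-time guard on the DC that receives the originating write; two DCs accepting conflicting objects at the same time still need the separate duplicate-object resolution that the linked article describes.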
Comment 1 Andrew Bartlett 2021-02-25 08:26:13 UTC
For domains containing Windows DCs that implement the MachineAccountQuota, this lack of cross-check allows a Denial Of Service, as a machine account can 'take over' a UPN that happens to be short enough to have the prefix before the @ fit into the samAccountName.

I'm reporting this concern to MS; this bug is to track that we will want to follow up by implementing the same mitigations.
Comment 2 Andrew Bartlett 2021-10-18 16:50:04 UTC
This bug will be used for the CVE for all AD DC validation issues where users with write permission are not sufficiently constrained by either ACLs or other constraints from causing denial of service or privilege escalation via the objects they can write.
Comment 3 Andrew Bartlett 2021-11-02 09:06:09 UTC
Created attachment 16914
initial advisory (v01)
Comment 4 Andrew Bartlett 2021-11-02 09:54:13 UTC
Created attachment 16916
advisory text (v02) (with some special thanks)
Comment 5 Andrew Bartlett 2021-11-03 01:43:51 UTC
Opening this bug to vendors.
Comment 6 Andrew Bartlett 2021-11-09 08:00:57 UTC
Created attachment 16977
advisory text (v03)

I've updated the advisory with much more detail on what the new user-visible restrictions are.
Comment 7 Samba QA Contact 2021-11-09 18:23:20 UTC
This bug was referenced in samba v4-14-stable (Release samba-4.14.10):

25790f26c6f25306d880fdad089268395a1e5f72
db401161cf94e30d44d6981ea9c17aaabd028562
62d1f79acfc9a9024f6f2635c5eb510fd75629fe
98bdd95203d144e31284f580444a131740c0655a
848843db9706ecc054d58615e311b934c6a85c85
87d003ad564f9af193a150ebd19b0e5ae95408a7
cb04abae1fe8db9ab59cbee48fc197112cdadb26
f832d937516839d6acf5c4b62d29a92ad0f39444
82ea0d52b0d64c7a9e53628aa6c8718a73306809
f1b6fe0097d7c7de971dbc74230a626a5fdd94ac
503106c6b348e8d2831fffbde3d582c9b1c5285d
58fc20e10118cbfe3ca010b2967509ee7a4b4a4a
3e22df9e6c10635caab32200e58ea6a7c3c0b01e
083813b635597bb5c5b4d2aea83a734b9a0ab4c8
a87278b69c2a6cb3ade983ee3009e5ecd5f48cf9
57dafb48b1eded228de7352a9e834d62ba253d98
ce588b348db815608fd080261b93b25346666fa2
59e17459b2dc0d7619ebb5327ececd4aa9cf6bfa
2d5fef5e222db7c4215462145268fb7592bf6ad7
c1dd80a0aa853adb74278377f6810b0d5e22aa49
bb154cc15a68540ebb323d88812b464aecc3cee0
Comment 8 Samba QA Contact 2021-11-09 18:24:22 UTC
This bug was referenced in samba v4-15-stable (Release samba-4.15.2):

9e25ea360119b120001d755f60489b82a2b21847
6bf71b18ce56558ea29059c200bce42e8707f1c1
480c5bc4b9eb8256cf23b9a96b2ebd54a1a7446d
7705aa9a7e2a1becdcdb23b5dc3935227e271fa4
119be11238340d576bb3f15c0c8da4c11034902b
b3c42c6e4a4453f4461103f8ef13c9218ce12dd9
1986ab0f5fbac9fa77288e1f60b3fae541666a42
6af91c59d86048a9627c90c95c3607b498b2ebf6
d3298ec2f6627db5f9401d472f1071d50999e14e
13576d8f281e746a9798c1871487873d13c95f40
2cf8ccfbce408ccb9fc4047f97b3eb2c7144349e
9c150303545928a7be31132cc038fd34d1586e34
4474022b37c64abc20ee299fc27dadc144e09de7
28bee539115fce7a61dddb65990ffbee7efdd6f1
9255c680800d021ba4cf6e89611f53e1e9585219
faa133886d67788bb400446865f4e05ec02d38af
32a46d01bb8def508517c32aacc43fdd8bbe5451
ddde2b45c2ea8a6980527104f20cb3f2d622aaa4
6ceab83249bf448f2555ea187f2b5c195ba84c93
ef2edd3f1783196e49ae3266ca392cb76d7b3bc2
1d1097f08c78409a085516e44c395430ceefff6d
Comment 9 Samba QA Contact 2021-11-09 18:24:50 UTC
This bug was referenced in samba v4-13-stable (Release samba-4.13.14):

a65866a6c73ebd3bc98faac57ce652c81f07d8e5
f64fe0b1e749814c76789c58e23e0fb0ef504617
c1973cedbaa5313448a436f86dc4d662efbe497e
3e349608853de8a81af9f8d8f4c8d8221f46de4e
55c6c01a65e6c2343ebf350e4d54d27a64f13faf
47279630f17de392c66f6833f815e9bc39d714d7
5650323f79cbf0dcdd74bc318be589a80000afd1
50f5069a73ac689d3b5fb56fdc652aefb57d396a
26bfddd4390b370f752f8b079947d1b7d109f013
40a3b71e05c110574a422619669657c86f6864d1
38e858b12c128ac31c4f3185425742bae710892c
4b5a370e896c5517946fd1636cc890bb7bca549b
935997b92ebea5941a04c553934e203b33f1d7d7
90957fba9ff7e4653e24912ae584078e43559e5d
4439ac7bb6e8fcb1610fa94923c3daaed3e4c958
9be11622765c060971c4fcc2fba981f760f897d8
b121b1920f996fc9c15ec40a63e7cf4dd7159161
3a4095aec5eb592d4968465930f7fd7e1435e19f
9ac2254c50d34db5a554a2e122f3742c84331a66
26a1bd5cc75ed237c99e147681bde5daae0e61fa
3ed16e74292058d059ae951317ca8d3b7f1f5d0e
Comment 10 Samba QA Contact 2021-11-09 18:47:22 UTC
This bug was referenced in samba v4-13-test:

a65866a6c73ebd3bc98faac57ce652c81f07d8e5
f64fe0b1e749814c76789c58e23e0fb0ef504617
c1973cedbaa5313448a436f86dc4d662efbe497e
3e349608853de8a81af9f8d8f4c8d8221f46de4e
55c6c01a65e6c2343ebf350e4d54d27a64f13faf
47279630f17de392c66f6833f815e9bc39d714d7
5650323f79cbf0dcdd74bc318be589a80000afd1
50f5069a73ac689d3b5fb56fdc652aefb57d396a
26bfddd4390b370f752f8b079947d1b7d109f013
40a3b71e05c110574a422619669657c86f6864d1
38e858b12c128ac31c4f3185425742bae710892c
4b5a370e896c5517946fd1636cc890bb7bca549b
935997b92ebea5941a04c553934e203b33f1d7d7
90957fba9ff7e4653e24912ae584078e43559e5d
4439ac7bb6e8fcb1610fa94923c3daaed3e4c958
9be11622765c060971c4fcc2fba981f760f897d8
b121b1920f996fc9c15ec40a63e7cf4dd7159161
3a4095aec5eb592d4968465930f7fd7e1435e19f
9ac2254c50d34db5a554a2e122f3742c84331a66
26a1bd5cc75ed237c99e147681bde5daae0e61fa
3ed16e74292058d059ae951317ca8d3b7f1f5d0e
Comment 11 Andrew Bartlett 2021-11-09 19:11:16 UTC
The releases are made, removing [EMBARGOED] tag. The vendor-only restriction will be removed soon once the dust settles.
Comment 12 Samba QA Contact 2021-11-09 19:18:05 UTC
This bug was referenced in samba v4-14-test:

25790f26c6f25306d880fdad089268395a1e5f72
db401161cf94e30d44d6981ea9c17aaabd028562
62d1f79acfc9a9024f6f2635c5eb510fd75629fe
98bdd95203d144e31284f580444a131740c0655a
848843db9706ecc054d58615e311b934c6a85c85
87d003ad564f9af193a150ebd19b0e5ae95408a7
cb04abae1fe8db9ab59cbee48fc197112cdadb26
f832d937516839d6acf5c4b62d29a92ad0f39444
82ea0d52b0d64c7a9e53628aa6c8718a73306809
f1b6fe0097d7c7de971dbc74230a626a5fdd94ac
503106c6b348e8d2831fffbde3d582c9b1c5285d
58fc20e10118cbfe3ca010b2967509ee7a4b4a4a
3e22df9e6c10635caab32200e58ea6a7c3c0b01e
083813b635597bb5c5b4d2aea83a734b9a0ab4c8
a87278b69c2a6cb3ade983ee3009e5ecd5f48cf9
57dafb48b1eded228de7352a9e834d62ba253d98
ce588b348db815608fd080261b93b25346666fa2
59e17459b2dc0d7619ebb5327ececd4aa9cf6bfa
2d5fef5e222db7c4215462145268fb7592bf6ad7
c1dd80a0aa853adb74278377f6810b0d5e22aa49
bb154cc15a68540ebb323d88812b464aecc3cee0
Comment 13 Samba QA Contact 2021-11-09 19:19:46 UTC
This bug was referenced in samba v4-15-test:

9e25ea360119b120001d755f60489b82a2b21847
6bf71b18ce56558ea29059c200bce42e8707f1c1
480c5bc4b9eb8256cf23b9a96b2ebd54a1a7446d
7705aa9a7e2a1becdcdb23b5dc3935227e271fa4
119be11238340d576bb3f15c0c8da4c11034902b
b3c42c6e4a4453f4461103f8ef13c9218ce12dd9
1986ab0f5fbac9fa77288e1f60b3fae541666a42
6af91c59d86048a9627c90c95c3607b498b2ebf6
d3298ec2f6627db5f9401d472f1071d50999e14e
13576d8f281e746a9798c1871487873d13c95f40
2cf8ccfbce408ccb9fc4047f97b3eb2c7144349e
9c150303545928a7be31132cc038fd34d1586e34
4474022b37c64abc20ee299fc27dadc144e09de7
28bee539115fce7a61dddb65990ffbee7efdd6f1
9255c680800d021ba4cf6e89611f53e1e9585219
faa133886d67788bb400446865f4e05ec02d38af
32a46d01bb8def508517c32aacc43fdd8bbe5451
ddde2b45c2ea8a6980527104f20cb3f2d622aaa4
6ceab83249bf448f2555ea187f2b5c195ba84c93
ef2edd3f1783196e49ae3266ca392cb76d7b3bc2
1d1097f08c78409a085516e44c395430ceefff6d
Comment 14 Samba QA Contact 2021-11-09 20:40:02 UTC
This bug was referenced in samba master:

de24916a82069d4892c052018596e50fdf7e0ca4
b919246c5523a511ad812c35c1a6b0eb4cc56259
c7e3617cc368bc8c36b4b353e827712b08370e16
5a79fca9682fe1962317d100b581de0b7b123153
7243bd7d388db2dfaa2072f92162d5cee770c6ea
72a2c21f3f51d1b56b41c9401419b69b2c916ddf
8cde23709050533c0da898ca0a1072bca0845890
0a555cf097a5a8d38c7b61edaee838dd0973a989
55752c12cf14b64d981c9a6010ead0fd8d847857
df34c11cbc704270eaccb86fabb16132b37a884f
11540375af181bf41b24ae38daac51e05253d631
ce2930d2d2ddcb40b6d44852aa3409ad6d64bedf
efbf0b77d0050faee15b680e5e908357993d869b
b6f4d931d088c70c62490fb051ec9ab9f081cd77
45a4a198b81740fe4d81e6459ca90e004ef99efc
510378f94a62313777da09efebf4bf737b23cd55
9235617c637a5ba878dd7d30764326ea58f91e46
13377f0b59e28c7e7b7b6fe922f0b1f1e95042f6
262f59a71f5488dcb8b9a3c5fafdcf21b30affca
ae47a7307766014e637e4a539c96316cf0f09108
5f4634310196c6b2c8b097ad41f949a0cccf0ec6
Comment 15 Andrew Bartlett 2021-11-09 20:54:35 UTC
The patches addressing this issue have been pushed to master and security releases made.
Comment 16 Andrew Bartlett 2021-11-22 03:43:12 UTC
Backporting some of the patches for this issue, found on bug 14725

CVE-2020-25722 Ensure the structural objectclass cannot be changed

CVE-2020-25722 dsdb: Restrict the setting of privileged attributes during LDAP add/modify

Would be the highest priority.
Comment 17 Andrew Bartlett 2021-11-22 09:32:12 UTC
Removing embargo, vendors who would like to continue to get updates should CC individually.

Removing 'private' flag from comment #2.  It should be well noted that Samba and Windows have chosen different directions here, but all appropriate notifications have been made.