Bug 14810 (CVE-2020-25720) - CVE-2020-25720 [SECURITY] Create Child permission should not allow full write to all attributes
Summary: CVE-2020-25720 [SECURITY] Create Child permission should not allow full write...
Status: RESOLVED FIXED
Alias: CVE-2020-25720
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.15.0rc2
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks: 14781
  Show dependency treegraph
 
Reported: 2021-08-24 07:03 UTC by Andrew Bartlett
Modified: 2023-10-02 23:11 UTC (History)
0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Andrew Bartlett 2021-08-24 07:03:54 UTC 
Microsoft will, as part of this security release, change the ACL model in Windows such that new objects must honour some kind of ACL (details to be determined).

That is, instead of as per MS-ATDS 5.1.3.2 Access Rights
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/990fb975-ab31-4bc1-8b75-5da132cd4584

The new behaviour is likely to be that the ACL will be inherited onto a new object, with any automatic attributes created, then all other changes considered as requiring WP after the fact, just as they would once the object has been created. 

This will include the obvious case of the new object having an ACL in ntSecurityDescriptor in the ADD.
Comment 1 Andrew Bartlett 2021-10-18 16:57:26 UTC 
A top level bug 14564 / CVE-2020-25722 will be used for these related issues.
Comment 2 Andrew Bartlett 2021-10-26 22:37:11 UTC 
Fixing this has been deferred to master, but we may backport this if we find a condition where this, rather than a per-attribute check, is most appropriate.
Comment 3 Andrew Bartlett 2022-06-14 00:12:23 UTC 
Removing embargo.  Patches to address this are public at https://gitlab.com/samba-team/samba/-/merge_requests/2514
Comment 4 Samba QA Contact 2022-09-16 03:32:03 UTC 
This bug was referenced in samba master:

cbbf3fd7412ba073b26b0d0a32fe25b343fed5ca
890d2c5cf5d47758b5429f87a064f04512ff7136
0af5706b559e89c77123ed174b41fd3d01705aa5
cc709077822a39227174b91ed2345c2bd603f61f
2563f85237bd4260b7b527f3695f27da4cc61a74
c2761a47fd12cc2a79a02707ed9d778e496b1fd4
0e1d8929f872708e79edf802e5d2ff847c9b3ee5
08187833fee57a8dba6c67546dfca516cd1f9d7a
6dc6ca56bd517a5cba85bb4ec120fcfb5feadfb8
72b8e98252b0231868f04d40456459057126980c
5073d5997cb1d7f654423655e0d1eeb117bdab38
acc9999a08f12d5bff6edb631a9515fe7e5087c3
95fe9659574337234616625fc32d5f00035ae7c9
cc64ea24daa649dc8de4a212c7abfbe111095655
Comment 5 Samba QA Contact 2023-03-29 14:29:42 UTC 
This bug was referenced in samba v4-17-stable (Release samba-4.17.7):

b7af8aa2552e0690aac58fb98e3134b71f678ece
307b2e65d51903f6805460a2633ebe809d4052ab
Comment 6 Samba QA Contact 2023-03-29 14:36:19 UTC 
This bug was referenced in samba v4-17-test:

b7af8aa2552e0690aac58fb98e3134b71f678ece
307b2e65d51903f6805460a2633ebe809d4052ab
Comment 7 Samba QA Contact 2023-03-30 16:11:31 UTC 
This bug was referenced in samba v4-17-test:

3ecdec683b60cf100b1c031841b709c91191c8f2
Comment 8 Samba QA Contact 2023-05-11 07:09:33 UTC 
This bug was referenced in samba v4-17-stable (Release samba-4.17.8):

3ecdec683b60cf100b1c031841b709c91191c8f2