Bug 14810 (CVE-2020-25720) - CVE-2020-25720 [SECURITY] Create Child permission should not allow full write to all attributes
Status: NEW
Alias: CVE-2020-25720
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.15.0rc2
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks: 14781
Reported: 2021-08-24 07:03 UTC by Andrew Bartlett
Modified: 2022-06-14 00:17 UTC

Description Andrew Bartlett 2021-08-24 07:03:54 UTC
Microsoft will, as part of this security release, change the ACL model in Windows such that new objects must honour some kind of ACL (details to be determined).

That is, instead of as per MS-ADTS 5.1.3.2 Access Rights
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/990fb975-ab31-4bc1-8b75-5da132cd4584

The new behaviour is likely to be that the ACL will be inherited onto a new object, with any automatic attributes created, then all other changes considered as requiring WP after the fact, just as they would once the object has been created. 

This will include the obvious case of the new object having an ACL in ntSecurityDescriptor in the ADD.
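
A simplified model of the change described above, added here as an illustration and not taken from Samba or from the bug report: under the existing rule Create Child on the parent admits every attribute in the add, while the proposed rule checks each supplied attribute against the ACL inherited by the new object. The ACE layout, the exempt attribute set and the sample SID are assumptions made for the example, and the ntSecurityDescriptor case is not modelled.

```python
# Simplified model: rights are plain strings, not real AD access masks.
CC, WP = "CC", "WP"  # Create Child, Write Property

# Assumption: attributes exempt from the per-attribute check on add
# (supplied structurally or generated by the server). Illustrative subset.
ASSUMED_EXEMPT = {"objectClass", "objectGUID", "whenCreated", "instanceType"}

def granted(acl, sid, right, attr=None):
    """True if an allow ACE gives sid the right, for all attributes or for attr."""
    return any(a["sid"] == sid and a["right"] == right
               and a.get("attr") in (None, attr) for a in acl)

def inherit(parent_acl):
    """ACEs marked inheritable on the parent are copied to the new child."""
    return [a for a in parent_acl if a.get("inherit")]

def denied_old(parent_acl, sid, attrs):
    """Existing rule: Create Child on the parent admits every supplied attribute."""
    return [] if granted(parent_acl, sid, CC) else sorted(attrs)

def denied_new(parent_acl, sid, attrs):
    """Proposed rule: after CC, each supplied attribute needs WP on the
    inherited ACL, exactly as a modify of the finished object would."""
    if not granted(parent_acl, sid, CC):
        return sorted(attrs)
    child_acl = inherit(parent_acl)
    return sorted(a for a in attrs
                  if a not in ASSUMED_EXEMPT and not granted(child_acl, sid, WP, a))

# Constructed sample: a delegated account that may create children and,
# through an inheritable ACE, write only 'description' on them.
SID = "S-1-5-21-1-2-3-1104"  # constructed SID
PARENT_ACL = [
    {"sid": SID, "right": CC},
    {"sid": SID, "right": WP, "attr": "description", "inherit": True},
]
ADD_ATTRS = ["objectClass", "description", "telephoneNumber"]

if __name__ == "__main__":
    print("old rule denies:", denied_old(PARENT_ACL, SID, ADD_ATTRS))
    print("new rule denies:", denied_new(PARENT_ACL, SID, ADD_ATTRS))
```
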
Comment 1 Andrew Bartlett 2021-10-18 16:57:26 UTC
A top level bug 14564 / CVE-2020-25722 will be used for these related issues.
Comment 2 Andrew Bartlett 2021-10-26 22:37:11 UTC
Fixing this has been deferred to master, but we may backport this if we find a condition where this, rather than a per-attribute check, is most appropriate.
Comment 3 Andrew Bartlett 2022-06-14 00:12:23 UTC
Removing embargo.  Patches to address this are public at https://gitlab.com/samba-team/samba/-/merge_requests/2514