This bug is created to have a single place where the final patch set for Andrew's Kerberos Concerns will land
Created attachment 16894 [details] patch for master (WIP) v1 This WIP patch for master will be further cleaned up, but this is to help vendors understand the full scope of the patch set, and prepare.
Created attachment 16895 [details] patch from master backported to 4.15 (only) (WIP) v1
Created attachment 16896 [details] patch from master backported to 4.14 (only) (WIP) v1
Created attachment 16897 [details] patch from master backported to 4.13 (only) (WIP) v1
G'Day Vendors,

The Samba Team is preparing a security release for Nov 9 2021. A number of bugs will be fixed (with patches on those bugs, which you will be notified individually on), but one is very important, being bug 14725: "Andrew's Kerberos concerns". (That bug won't be opened up even to vendors, so the patches are here).

The issue is a name confusion attack on the Kerberos protocol, where the name-based authorization nature of Kerberos is used against itself and those who rely on it. The problem is that in Active Directory in general the SID is the stable identifier, not the name. Provided only highly privileged users can modify AD that would be equivalent, and safe. However in Windows AD (not supported in Samba AD) it is typical that all authenticated users can create accounts, and in both Windows AD and Samba AD it is typical to delegate these rights beyond full Domain Administrators, as an exercise in 'least privilege' operation.

The consequences are very serious. On a file server we can find domain users mapped to "root", and on the AD DC this likewise leads to a full domain compromise. Given this, even in this private forum I'm keeping the details here deliberately vague.

CVSS3.1 scores are up to 8.1 for the domain member case (assuming membership of Windows AD domain) and 7.2 for the AD DC.

We have addressed these issues, and in doing so found and fixed other similar issues. I note that these patch sets are very large, because they include a comprehensive testsuite, and so you should not attempt a backport to other versions without professional support. Furthermore, the patches build on the Samba 4.13.13, Samba 4.14.9 and 4.15.1 releases, which include many of the already public patches on which they depend.

The WIP patches here are almost final, pending some final review, an additional fix and some additional tests. We upload these today to give you a heads up so you can plan properly.
We expect to give final patches around 7 days before the release, eg before Nov 3, 2021, alongside our customary public warning. We realise this isn't much time, and do apologise in advance. Andrew Bartlett Samba Team
> CVSS3.1 scores are up to 8.1 for the domain member case (assuming membership of Windows AD domain) and 7.2 for the AD DC.

Would this mean a Samba file server (with its AD DC feature disabled at build) which becomes a member of a Windows AD domain would also be impacted?
(In reply to Nagendra.V.S from comment #8) Yes. There are codepaths in the Samba fileserver where we can be confused into relying on the name, not the user's SID, and so users created on the domain via MachineAccountQuota can become root.
I can provide a mapping of CVEs:

File server:
14556: CVE-2020-25717 [SECURITY][EMBARGOED] A user on the domain can become root on domain members

AD DC (sub-parts ranging from DoS to a full domain compromise):
14557: CVE-2020-25721
14558: CVE-2020-25718
14561: CVE-2020-25719
14564: CVE-2020-25722
I warned backporting the full patch set to earlier releases is hard, and so far I've got a WIP branch, focussed on the DC only, back to 4.12, but haven't tried earlier versions. The hard part is the testsuite; for the fileserver issue CVE-2020-25717 the C changes are simpler, but still may not be simple. If folks do (ideally with help) select out these patches, which are marked with CVE-2020-25717, and manage a successful backport earlier than 4.13, do post them here for others.

The Samba Team will upload fixed Samba 4.13 and 4.14 patches shortly; these have been prepared in another place as the v1 patches fail tests.

What I would say is that setting "gensec:require_pac = true" in the smb.conf will, in some AD domain member situations that use winbindd, provide a measure of protection. (This is not a full security evaluation, but if you simply can't patch, this will be listed as a mitigation). This is assuming the deployment is not an installation in a MIT-style Kerberos realm (these are quite rare).
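The mitigation named in the comment above is a single smb.conf setting, but on a fleet of domain members it is easy to miss or to mis-spell. The following is an added audit script, not Samba code and not from the bug thread: it parses an smb.conf [global] section with a small hand-written parser (it assumes Samba's usual key normalisation, i.e. case-insensitive names and optional whitespace around the ':' of a parametric option, and Samba's yes/true/1 booleans) and reports whether "gensec:require_pac" is enabled. Both smb.conf samples are constructed for the example. It only checks for the interim mitigation; it says nothing about whether the CVE-2020-25717 patches are applied, and per the comment above the setting is of limited value in an MIT-style Kerberos realm.

```python
"""Audit an smb.conf for the interim mitigation "gensec:require_pac = true".

Added example, not part of Samba. The parser below is deliberately minimal
(sections, key = value lines, ';' and '#' comments); it is an assumption that
this is enough for the [global] sections one meets in practice.
"""
import re

# Samba accepts these spellings for a true boolean (assumption: matches lp_bool()).
_TRUE_VALUES = ("yes", "true", "1", "on")


def parse_smb_conf(text):
    """Return {section: {key: value}} for an smb.conf-style text.

    Keys are lower-cased, internal whitespace is collapsed, and whitespace
    around ':' is removed so that 'gensec: require_pac' and
    'gensec:require_pac' compare equal (assumed Samba behaviour).
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray line before any section, or not a key/value
        key, _, value = line.partition("=")
        key = re.sub(r"\s*:\s*", ":", key.strip().lower())
        key = re.sub(r"\s+", " ", key)
        sections[current][key] = value.strip()
    return sections


def to_bool(value):
    return value.strip().lower() in _TRUE_VALUES


def require_pac_enabled(text):
    """True if [global] sets gensec:require_pac to a true value."""
    global_section = parse_smb_conf(text).get("global", {})
    return to_bool(global_section.get("gensec:require_pac", "no"))


def audit(text):
    """Return a one-line verdict a fleet audit could collect per host."""
    if require_pac_enabled(text):
        return "OK: gensec:require_pac is enabled (mitigation present)"
    return "WARN: gensec:require_pac not enabled (mitigation absent)"


# Constructed sample: a typical AD member without the mitigation.
WEAK_CONF = """
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ADS
    # winbindd is in use, so the mitigation would apply here
    idmap config * : backend = tdb
"""

# Constructed sample: the same member with the mitigation applied.
MITIGATED_CONF = """
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ADS
    idmap config * : backend = tdb
    gensec: require_pac = yes
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("mitigated", MITIGATED_CONF)):
        print(f"{name}: {audit(conf)}")
```

Run it against a real file with something like `audit(open('/etc/samba/smb.conf').read())`; treating the WARN line as a finding is reasonable only for winbindd-based AD members, which is the case the comment above describes.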
fwiw the referenced bugs are not open to vendors yet
(In reply to Marcus Meissner from comment #12) Yes, the bugs in the commits won't be open for some time. Sorry about that, we need to spend time to redact them. Just the bugs directly under this will be open, except 14725 (for the same reason). You may of course ask questions here, and I'll answer as best as I can.
I'm sorry to report, but due to what will be opened as bug 14889 the CVSSv3.1 for the AD DC has been raised to AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (8.8). We are very sorry.
Created attachment 16909 [details] Andrew's Kerberos Concerns patch for master (WIP) v9 (awaiting final reviews)
Created attachment 16910 [details] Full patch for master (WIP) v9 (awaiting final reviews)
Created attachment 16911 [details] Full patch for master v10, reviewed. At this stage I'll just post the full patches to avoid confusion.
Created attachment 16912 [details] Full patch for master v10, reviewed and backported to 4.15
Thank you for your patience, vendors. We have a final patch set which has passed CI for master, 4.15, 4.14 and 4.13. I need to spend today marking those up with the correct tags and then I'll upload here. To ease packaging, a new ldb release will be made where needed for 4.14 and 4.13, as I know for many these need to be packaged separately. They will have the changes needed by this release.
(In reply to Andrew Bartlett from comment #19) All CVE advisory texts have been written, except for CVE-2020-25721 which is more about an impact on other services, and needs action by those services anyway. I'll finish that shortly but otherwise you should be able to find a useful description of the issues in those now. See the Depends and see also for links.
Created attachment 16927 [details] security-2021-11-master-v12-bug14725.patches.txt This contains patches for all CVEs behind bug #14725: CVE-2020-25717 CVE-2020-25721 CVE-2020-25718 CVE-2020-25719 CVE-2020-25722
Comment on attachment 16927 [details] security-2021-11-master-v12-bug14725.patches.txt I'll move this to bug14725...
Comment on attachment 16896 [details] patch from master backported to 4.14 (only) (WIP) v1 I'll upload the current version to bug #14725
Comment on attachment 16897 [details] patch from master backported to 4.13 (only) (WIP) v1 I'll upload an updated version to bug #14725
Comment on attachment 16912 [details] Full patch for master v10, reviewed and backported to 4.15 I'll upload an updated version to bug #14725
For the November 9th release you need the patchsets from the following 4 bug reports:
https://bugzilla.samba.org/show_bug.cgi?id=14725
https://bugzilla.samba.org/show_bug.cgi?id=14875
https://bugzilla.samba.org/show_bug.cgi?id=14468
https://bugzilla.samba.org/show_bug.cgi?id=12444
The release will happen around 18:00 UTC November 9th.
The backported patches to v4.12 were tested and passed CI after being applied in this order:
https://bugzilla.samba.org/show_bug.cgi?id=14725
https://bugzilla.samba.org/show_bug.cgi?id=14875
https://bugzilla.samba.org/show_bug.cgi?id=12444
https://bugzilla.samba.org/show_bug.cgi?id=14468
The releases are made, removing [EMBARGOED] tag. The vendor-only restriction will be removed soon once the dust settles.
Removing vendor CC (so that any public comments don't need to be broadcast so widely) and opening these bugs to the public. These are the "other issues" part of the big release we just made, the remainder are private for a little longer. If you wish to continue to be informed about any changes here please CC individually.