14950 – (CVE-2022-0336) CVE-2022-0336 [SECURITY] Re-adding an SPN skips subsequent SPN conflict checks

Bug 14950 (CVE-2022-0336) - CVE-2022-0336 [SECURITY] Re-adding an SPN skips subsequent SPN conflict checks

Summary: CVE-2022-0336 [SECURITY] Re-adding an SPN skips subsequent SPN conflict checks

Status:	RESOLVED FIXED

Alias:	CVE-2022-0336

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	AD: LDB/DSDB/SAMDB (show other bugs)
Version:	4.15.0
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Samba QA Contact
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2022-01-17 23:29 UTC by Jo Sutton
Modified:	2022-12-16 12:07 UTC (History)
CC List:	3 users (show)

See Also:	14706

Attachments
Patch for master (3.58 KB, patch) 2022-01-18 01:21 UTC, Jo Sutton	dbagnall: review+	Details
Patch for 4.15 (3.58 KB, patch) 2022-01-18 01:22 UTC, Jo Sutton	dbagnall: review+	Details
Patch for 4.14 (3.58 KB, patch) 2022-01-18 01:22 UTC, Jo Sutton	dbagnall: review+	Details
Patch for 4.13 (3.58 KB, patch) 2022-01-18 01:22 UTC, Jo Sutton	dbagnall: review+ jsutton: ci-passed+	Details
Advisory v1 (2.02 KB, text/plain) 2022-01-20 04:01 UTC, Jo Sutton	no flags	Details
Advisory v2 (2.03 KB, text/plain) 2022-01-20 04:11 UTC, Jo Sutton	no flags	Details
advisory v3 (2.04 KB, text/plain) 2022-01-21 01:19 UTC, Douglas Bagnall	no flags	Details
advisory v4 -- with CVE (2.06 KB, text/plain) 2022-01-21 23:39 UTC, Douglas Bagnall	jsutton: review+	Details
4-13 patch v2 (3.70 KB, patch) 2022-01-22 00:03 UTC, Douglas Bagnall	jsutton: review+ jsutton: ci-passed+	Details
4-15 patch v2 (3.70 KB, patch) 2022-01-22 00:03 UTC, Douglas Bagnall	jsutton: review+ jsutton: ci-passed+	Details
4.14 patch v2 (3.70 KB, patch) 2022-01-22 00:04 UTC, Douglas Bagnall	jsutton: review+ jsutton: ci-passed+	Details
master patch v2 (3.70 KB, patch) 2022-01-22 00:07 UTC, Douglas Bagnall	jsutton: review+ dbagnall: ci-passed+	Details
patch for 4.12 with the CVE-2020-25722 patches (3.70 KB, patch) 2022-01-22 00:15 UTC, Douglas Bagnall	jsutton: review+	Details
Show Obsolete (7) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Jo Sutton 2022-01-17 23:29:50 UTC

The 'samba-tool spn add' command, as well as adding the specified SPN, re-adds any SPNs that already existed on the object. However, re-adding an SPN leads to an early return in samldb_spn_uniqueness_check(), which means checks on subsequent servicePrincipalName elements do not run.

Patch to follow.

Comment 1 Jo Sutton 2022-01-18 01:21:23 UTC

Created attachment 17100 [details]
Patch for master

Comment 2 Jo Sutton 2022-01-18 01:22:01 UTC

Created attachment 17101 [details]
Patch for 4.15

Comment 3 Jo Sutton 2022-01-18 01:22:29 UTC

Created attachment 17102 [details]
Patch for 4.14

Comment 4 Jo Sutton 2022-01-18 01:22:56 UTC

Created attachment 17103 [details]
Patch for 4.13

Comment 5 Douglas Bagnall 2022-01-20 03:58:52 UTC

As with CVE-2020-25722, the CVSSv3.1 looks like

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (8.8)

Other mitigations might make it more complex and less serious, but I don't think that changes anything at CVSS's granularity.

Comment 6 Jo Sutton 2022-01-20 04:01:19 UTC

Created attachment 17105 [details]
Advisory v1

Added initial advisory text.

Comment 7 Douglas Bagnall 2022-01-20 04:03:41 UTC

Comment on attachment 17105 [details]
Advisory v1

Kees, do you want to be acknowledged for finding the bug, and if so, how?

Currently we have:

> Originally reported by Kees van Vloten

Comment 8 Jo Sutton 2022-01-20 04:11:36 UTC

Created attachment 17106 [details]
Advisory v2

Clarify that this specifically affects the AD DC.

Comment 9 keesvanvloten 2022-01-20 09:39:56 UTC

(In reply to Douglas Bagnall from comment #7)

First time this happens to me :-)
Why not, your suggestion is fine:

"> Originally reported by Kees van Vloten"

Comment 10 Douglas Bagnall 2022-01-21 01:19:57 UTC

Created attachment 17108 [details]
advisory v3

Revised the advisory:

- credit Joseph for analysis and advisory writing.
- add a couple of full stops.

We are still waiting for the CVE number.

Comment 11 Douglas Bagnall 2022-01-21 23:39:07 UTC

Created attachment 17109 [details]
advisory v4 -- with CVE

Comment 12 Douglas Bagnall 2022-01-22 00:03:10 UTC

Created attachment 17110 [details]
4-13 patch v2

Comment 13 Douglas Bagnall 2022-01-22 00:03:49 UTC

Created attachment 17111 [details]
4-15 patch v2

Comment 14 Douglas Bagnall 2022-01-22 00:04:32 UTC

Created attachment 17112 [details]
4.14 patch v2

Comment 15 Douglas Bagnall 2022-01-22 00:07:30 UTC

Created attachment 17113 [details]
master patch v2

v2 patches:
- CVE number
- reviewed-by tag

no code changes.

Comment 16 Douglas Bagnall 2022-01-22 00:15:21 UTC

Created attachment 17114 [details]
patch for 4.12 with the CVE-2020-25722 patches

Add a backport for people who backported the CVE-2020-25722 patches to 4.12.

Comment 17 Douglas Bagnall 2022-01-22 00:23:05 UTC

(In reply to Douglas Bagnall from comment #16)

> Add a backport for people who backported the CVE-2020-25722 patches to 4.12.

The same patch applies to 4.10 with backports.

Comment 18 Douglas Bagnall 2022-01-22 23:46:09 UTC

Samba vendors, release date for this is going to be January 31st.

Comment 19 Samba QA Contact 2022-01-31 12:41:50 UTC

This bug was referenced in samba v4-15-stable (Release samba-4.15.5):

d392b10c55bbcedda01fdd87fe6035fa3a6986b3
7a516257ea310fa045bdf14e677eaa97f2a83c33

Comment 20 Samba QA Contact 2022-01-31 12:42:51 UTC

This bug was referenced in samba v4-14-stable (Release samba-4.14.12):

c4d576baaf09c418db6e706a33b8424b0781e5fc
8d0114ea973cfb610c0edf62f11c72ba1b525b03

Comment 21 Jule Anger 2022-01-31 12:53:37 UTC

Removing vendor CC (so that any public comments don't need to be broadcast so widely) and opening these bugs to the public.  
If you wish to continue to be informed about any changes here please CC individually.

Comment 22 Samba QA Contact 2022-01-31 12:55:13 UTC

This bug was referenced in samba v4-13-stable (Release samba-4.13.17):

7368e0051a320fce48c1f303914b62985a40beb0
2802b7d8f3f77a639d0d69bced528f328655750b

Comment 23 Samba QA Contact 2022-01-31 13:41:36 UTC

This bug was referenced in samba v4-14-test:

c4d576baaf09c418db6e706a33b8424b0781e5fc
8d0114ea973cfb610c0edf62f11c72ba1b525b03

Comment 24 Samba QA Contact 2022-01-31 13:45:09 UTC

This bug was referenced in samba v4-15-test:

d392b10c55bbcedda01fdd87fe6035fa3a6986b3
7a516257ea310fa045bdf14e677eaa97f2a83c33

Comment 25 Samba QA Contact 2022-01-31 13:55:39 UTC

This bug was referenced in samba v4-13-test:

7368e0051a320fce48c1f303914b62985a40beb0
2802b7d8f3f77a639d0d69bced528f328655750b

Comment 26 Samba QA Contact 2022-01-31 15:55:11 UTC

This bug was referenced in samba v4-16-test:

eaede91afd6d171539aa5298644aa5fb107a6341
e4f18bfaec844f261fa03616c9e55924366dfcf9

Comment 27 Samba QA Contact 2022-01-31 16:55:14 UTC

This bug was referenced in samba master:

c58ede44f382bd0125f761f0479c8d48156be400
1a5dc817c0c9379bbaab14c676681b42b0039a3c

Comment 28 Samba QA Contact 2022-01-31 17:07:12 UTC

This bug was referenced in samba v4-16-stable (Release samba-4.16.0rc2):

eaede91afd6d171539aa5298644aa5fb107a6341
e4f18bfaec844f261fa03616c9e55924366dfcf9

Comment 29 Jule Anger 2022-02-02 09:04:47 UTC

Pushed to all branches.
Closing out bug report.

Thanks!