Bug 14950 (CVE-2022-0336) - CVE-2022-0336 [SECURITY] Re-adding an SPN skips subsequent SPN conflict checks
Summary: CVE-2022-0336 [SECURITY] Re-adding an SPN skips subsequent SPN conflict checks
Status: RESOLVED FIXED
Alias: CVE-2022-0336
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.15.0
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks: 14079
  Show dependency treegraph
 
Reported: 2022-01-17 23:29 UTC by Joseph Sutton
Modified: 2022-02-02 09:04 UTC (History)
3 users (show)

See Also:


Attachments
Patch for master (3.58 KB, patch)
2022-01-18 01:21 UTC, Joseph Sutton
dbagnall: review+
Details
Patch for 4.15 (3.58 KB, patch)
2022-01-18 01:22 UTC, Joseph Sutton
dbagnall: review+
Details
Patch for 4.14 (3.58 KB, patch)
2022-01-18 01:22 UTC, Joseph Sutton
dbagnall: review+
Details
Patch for 4.13 (3.58 KB, patch)
2022-01-18 01:22 UTC, Joseph Sutton
dbagnall: review+
jsutton: ci-passed+
Details
Advisory v1 (2.02 KB, text/plain)
2022-01-20 04:01 UTC, Joseph Sutton
no flags Details
Advisory v2 (2.03 KB, text/plain)
2022-01-20 04:11 UTC, Joseph Sutton
no flags Details
advisory v3 (2.04 KB, text/plain)
2022-01-21 01:19 UTC, Douglas Bagnall
no flags Details
advisory v4 -- with CVE (2.06 KB, text/plain)
2022-01-21 23:39 UTC, Douglas Bagnall
jsutton: review+
Details
4-13 patch v2 (3.70 KB, patch)
2022-01-22 00:03 UTC, Douglas Bagnall
jsutton: review+
jsutton: ci-passed+
Details
4-15 patch v2 (3.70 KB, patch)
2022-01-22 00:03 UTC, Douglas Bagnall
jsutton: review+
jsutton: ci-passed+
Details
4.14 patch v2 (3.70 KB, patch)
2022-01-22 00:04 UTC, Douglas Bagnall
jsutton: review+
jsutton: ci-passed+
Details
master patch v2 (3.70 KB, patch)
2022-01-22 00:07 UTC, Douglas Bagnall
jsutton: review+
dbagnall: ci-passed+
Details
patch for 4.12 with the CVE-2020-25722 patches (3.70 KB, patch)
2022-01-22 00:15 UTC, Douglas Bagnall
jsutton: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Joseph Sutton 2022-01-17 23:29:50 UTC
The 'samba-tool spn add' command, as well as adding the specified SPN, re-adds any SPNs that already existed on the object. However, re-adding an SPN leads to an early return in samldb_spn_uniqueness_check(), which means checks on subsequent servicePrincipalName elements do not run.

Patch to follow.
Comment 1 Joseph Sutton 2022-01-18 01:21:23 UTC
Created attachment 17100 [details]
Patch for master
Comment 2 Joseph Sutton 2022-01-18 01:22:01 UTC
Created attachment 17101 [details]
Patch for 4.15
Comment 3 Joseph Sutton 2022-01-18 01:22:29 UTC
Created attachment 17102 [details]
Patch for 4.14
Comment 4 Joseph Sutton 2022-01-18 01:22:56 UTC
Created attachment 17103 [details]
Patch for 4.13
Comment 5 Douglas Bagnall 2022-01-20 03:58:52 UTC
As with CVE-2020-25722, the CVSSv3.1 looks like

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (8.8)

Other mitigations might make it more complex and less serious, but I don't think that changes anything at CVSS's granularity.
Comment 6 Joseph Sutton 2022-01-20 04:01:19 UTC
Created attachment 17105 [details]
Advisory v1

Added initial advisory text.
Comment 7 Douglas Bagnall 2022-01-20 04:03:41 UTC
Comment on attachment 17105 [details]
Advisory v1

Kees, do you want to be acknowledged for finding the bug, and if so, how?

Currently we have:

> Originally reported by Kees van Vloten
Comment 8 Joseph Sutton 2022-01-20 04:11:36 UTC
Created attachment 17106 [details]
Advisory v2

Clarify that this specifically affects the AD DC.
Comment 9 keesvanvloten 2022-01-20 09:39:56 UTC
(In reply to Douglas Bagnall from comment #7)

First time this happens to me :-)
Why not, your suggestion is fine:

"> Originally reported by Kees van Vloten"
Comment 10 Douglas Bagnall 2022-01-21 01:19:57 UTC
Created attachment 17108 [details]
advisory v3

Revised the advisory:

- credit Joseph for analysis and advisory writing.
- add a couple of full stops.

We are still waiting for the CVE number.
Comment 11 Douglas Bagnall 2022-01-21 23:39:07 UTC
Created attachment 17109 [details]
advisory v4 -- with CVE
Comment 12 Douglas Bagnall 2022-01-22 00:03:10 UTC
Created attachment 17110 [details]
4-13 patch v2
Comment 13 Douglas Bagnall 2022-01-22 00:03:49 UTC
Created attachment 17111 [details]
4-15 patch v2
Comment 14 Douglas Bagnall 2022-01-22 00:04:32 UTC
Created attachment 17112 [details]
4.14 patch v2
Comment 15 Douglas Bagnall 2022-01-22 00:07:30 UTC
Created attachment 17113 [details]
master patch v2

v2 patches:
- CVE number
- reviewed-by tag

no code changes.
Comment 16 Douglas Bagnall 2022-01-22 00:15:21 UTC
Created attachment 17114 [details]
patch for 4.12 with the CVE-2020-25722 patches

Add a backport for people who backported the CVE-2020-25722 patches to 4.12.
Comment 17 Douglas Bagnall 2022-01-22 00:23:05 UTC
(In reply to Douglas Bagnall from comment #16)

> Add a backport for people who backported the CVE-2020-25722 patches to 4.12.

The same patch applies to 4.10 with backports.
Comment 18 Douglas Bagnall 2022-01-22 23:46:09 UTC
Samba vendors, release date for this is going to be January 31st.
Comment 19 Samba QA Contact 2022-01-31 12:41:50 UTC
This bug was referenced in samba v4-15-stable (Release samba-4.15.5):

d392b10c55bbcedda01fdd87fe6035fa3a6986b3
7a516257ea310fa045bdf14e677eaa97f2a83c33
Comment 20 Samba QA Contact 2022-01-31 12:42:51 UTC
This bug was referenced in samba v4-14-stable (Release samba-4.14.12):

c4d576baaf09c418db6e706a33b8424b0781e5fc
8d0114ea973cfb610c0edf62f11c72ba1b525b03
Comment 21 Jule Anger 2022-01-31 12:53:37 UTC
Removing vendor CC (so that any public comments don't need to be broadcast so widely) and opening these bugs to the public.  
If you wish to continue to be informed about any changes here please CC individually.
Comment 22 Samba QA Contact 2022-01-31 12:55:13 UTC
This bug was referenced in samba v4-13-stable (Release samba-4.13.17):

7368e0051a320fce48c1f303914b62985a40beb0
2802b7d8f3f77a639d0d69bced528f328655750b
Comment 23 Samba QA Contact 2022-01-31 13:41:36 UTC
This bug was referenced in samba v4-14-test:

c4d576baaf09c418db6e706a33b8424b0781e5fc
8d0114ea973cfb610c0edf62f11c72ba1b525b03
Comment 24 Samba QA Contact 2022-01-31 13:45:09 UTC
This bug was referenced in samba v4-15-test:

d392b10c55bbcedda01fdd87fe6035fa3a6986b3
7a516257ea310fa045bdf14e677eaa97f2a83c33
Comment 25 Samba QA Contact 2022-01-31 13:55:39 UTC
This bug was referenced in samba v4-13-test:

7368e0051a320fce48c1f303914b62985a40beb0
2802b7d8f3f77a639d0d69bced528f328655750b
Comment 26 Samba QA Contact 2022-01-31 15:55:11 UTC
This bug was referenced in samba v4-16-test:

eaede91afd6d171539aa5298644aa5fb107a6341
e4f18bfaec844f261fa03616c9e55924366dfcf9
Comment 27 Samba QA Contact 2022-01-31 16:55:14 UTC
This bug was referenced in samba master:

c58ede44f382bd0125f761f0479c8d48156be400
1a5dc817c0c9379bbaab14c676681b42b0039a3c
Comment 28 Samba QA Contact 2022-01-31 17:07:12 UTC
This bug was referenced in samba v4-16-stable (Release samba-4.16.0rc2):

eaede91afd6d171539aa5298644aa5fb107a6341
e4f18bfaec844f261fa03616c9e55924366dfcf9
Comment 29 Jule Anger 2022-02-02 09:04:47 UTC
Pushed to all branches.
Closing out bug report.

Thanks!