Bug 2019732 (CVE-2020-25719)

Summary: CVE-2020-25719 samba: Samba AD DC did not always rely on the SID and PAC in Kerberos tickets
Product: [Other] Security Response
Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: abokovoy, anoopcs, asn, dkarpele, frenaud, ftrivino, gdeschner, hvyas, iboukris, ipa-maint, jcholast, jhrozek, jrivera, jstephen, lmohanty, madam, mhjacks, pfilipen, puebele, pvoborni, rcritten, rhs-smb, sbose, security-response-team, ssorce, tscherf, twoerner
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: samba 4.15.2, samba 4.14.10, samba 4.13.14
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way Samba, as an Active Directory Domain Controller, implemented Kerberos name-based authentication. The Samba AD DC could become confused about the user a ticket represents if it did not strictly require a Kerberos PAC and always use the SIDs found within. The result could include total domain compromise.
Story Points: ---
Last Closed: 2021-12-16 18:56:28 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2021443, 2021444, 2021445, 2021487, 2021488, 2021489, 2021719, 2021720
Bug Blocks: 1976705, 2022413

Description Huzaifa S. Sidhpurwala 2021-11-03 09:22:53 UTC
As per upstream advisory:

Samba as an Active Directory Domain Controller is based on Kerberos, which provides name-based authentication.  These names are often then used for authorization.

However Microsoft Windows and Active Directory is SID-based. SIDs in Windows, similar to UIDs in Linux/Unix (if managed well), are globally unique and survive name changes. At the meeting of these two authorization schemes it is possible to confuse a server into acting as one user when holding a ticket for another.

A Kerberos ticket, once issued, may be valid for some time, often 10 hours but potentially longer. In Active Directory, it may or may not carry a PAC, holding the user's SIDs.

Delegated administrators with the right to create other user or machine accounts can abuse the race between the time of ticket issue and the time of presentation (back to the AD DC) to impersonate a different user.
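
The following is an added illustration of the name-versus-SID mismatch the advisory describes; it is not Samba code and not part of the advisory or this bug. It models a toy account store in which SIDs are stable and names can be rebound, and compares two ways a server can decide whose ticket it is holding: resolving the principal name at presentation time (the weak pattern) versus requiring a PAC and resolving the SID it carries (the pattern the fix enforces). The accounts, names and SIDs are constructed for the example; how the name came to be rebound during the ticket's lifetime is deliberately left abstract.

```python
"""Added example (not Samba code): name-based versus SID-based resolution
of the identity in a presented Kerberos ticket.

Accounts, SIDs and names below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Account:
    sid: str
    name: str


@dataclass(frozen=True)
class Ticket:
    """What a server can read from a ticket: the client's principal name,
    plus the SID from the PAC when the ticket carries one."""
    principal_name: str
    pac_sid: Optional[str] = None


class Directory:
    """Toy account store: SIDs are the stable key, names are a mutable index."""

    def __init__(self) -> None:
        self._by_sid: Dict[str, Account] = {}

    def add(self, account: Account) -> None:
        if self.lookup_name(account.name) is not None:
            raise ValueError(f"name already in use: {account.name}")
        self._by_sid[account.sid] = account

    def rename(self, sid: str, new_name: str) -> None:
        """Change an account's name; its SID survives, as in Active Directory."""
        if self.lookup_name(new_name) is not None:
            raise ValueError(f"name already in use: {new_name}")
        self._by_sid[sid] = Account(sid, new_name)

    def lookup_sid(self, sid: str) -> Optional[Account]:
        return self._by_sid.get(sid)

    def lookup_name(self, name: str) -> Optional[Account]:
        # Account names in AD are compared case-insensitively.
        for acct in self._by_sid.values():
            if acct.name.lower() == name.lower():
                return acct
        return None


def resolve_by_name(directory: Directory, ticket: Ticket) -> Optional[Account]:
    """Weak pattern: trust the ticket's name and look it up at presentation
    time. Whatever the name is bound to *now* is treated as the client."""
    return directory.lookup_name(ticket.principal_name)


def resolve_by_pac(directory: Directory, ticket: Ticket) -> Optional[Account]:
    """Hardened pattern: require a PAC and identify the client by the SID in
    it. A ticket without a PAC is refused instead of falling back to the name."""
    if ticket.pac_sid is None:
        return None
    return directory.lookup_sid(ticket.pac_sid)


def race_scenario() -> Dict[str, Optional[str]]:
    """Constructed scenario: between ticket issue and ticket presentation the
    name the ticket was issued for is moved to a different account."""
    d = Directory()
    alice = Account("S-1-5-21-1-2-3-1104", "alice")
    bob = Account("S-1-5-21-1-2-3-1105", "bob")
    d.add(alice)
    d.add(bob)

    # Ticket issued while "bob" still names SID ...-1105; the PAC records that SID.
    ticket = Ticket(principal_name="bob", pac_sid=bob.sid)

    # Name rebinding during the ticket's lifetime (however it came about).
    d.rename(bob.sid, "bob-renamed")
    d.rename(alice.sid, "bob")

    by_name = resolve_by_name(d, ticket)
    by_pac = resolve_by_pac(d, ticket)
    no_pac = resolve_by_pac(d, Ticket(principal_name="bob"))
    return {
        "by_name": by_name.sid if by_name else None,  # alice's SID: the wrong user
        "by_pac": by_pac.sid if by_pac else None,     # bob's SID: the ticket holder
        "no_pac": no_pac.sid if no_pac else None,     # None: refused, no fallback
    }


if __name__ == "__main__":
    for check, sid in race_scenario().items():
        print(f"{check:8} -> {sid}")
```

The point to take from `race_scenario()` is that name resolution answers "who has this name now", while the ticket was issued for "who had this name then"; only the SID in the PAC ties the ticket back to the account it was issued for, and a ticket that carries no PAC gives the server nothing stable to go on, which is why the hardened resolver refuses it rather than guessing from the name.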

Comment 2 Huzaifa S. Sidhpurwala 2021-11-10 02:55:32 UTC
Created freeipa tracking bugs for this issue:

Affects: fedora-all [bug 2021720]


Created samba tracking bugs for this issue:

Affects: fedora-all [bug 2021719]

Comment 3 errata-xmlrpc 2021-12-15 08:04:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:5142 https://access.redhat.com/errata/RHSA-2021:5142

Comment 4 errata-xmlrpc 2021-12-16 17:54:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:5195 https://access.redhat.com/errata/RHSA-2021:5195

Comment 5 Product Security DevOps Team 2021-12-16 18:56:25 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-25719

Comment 6 errata-xmlrpc 2022-01-04 08:12:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:0007 https://access.redhat.com/errata/RHSA-2022:0007

Comment 7 errata-xmlrpc 2022-01-11 16:05:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:0076 https://access.redhat.com/errata/RHSA-2022:0076