Bug 2019764 (CVE-2020-25722)

Summary: CVE-2020-25722 samba: Samba AD DC did not do sufficient access and conformance checking of data stored
Product: [Other] Security Response Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abokovoy, anoopcs, asn, dkarpele, gdeschner, hvyas, iboukris, jarrpa, jstephen, lmohanty, madam, pfilipen, puebele, rhs-smb, sbose, security-response-team, ssorce
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: samba 4.15.2, samba 4.14.10, samba 4.13.14 Doc Type: If docs needed, set a value
Doc Text:
Multiple flaws were found in the way samba AD DC implemented access and conformance checking of stored data. An attacker could use this flaw to cause total domain compromise.
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-11-10 03:21:41 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 2021721    
Bug Blocks: 1976705, 2022415    

Description Huzaifa S. Sidhpurwala 2021-11-03 10:25:35 UTC
As per upstream advisory:

Samba as an Active Directory Domain Controller has to take care to protect a number of sensitive attributes, and to follow a security model from Active Directory that relies totally on the intersection of NT security descriptors and the underlying X.500 Directory Access Protocol (as then expressed in LDAP) schema constraints for security.

Some attributes in Samba AD are sensitive, they apply to one object but protect others.

Users who can set msDS-AllowedToDelegateTo can become any user in the domain on the server pointed at by this list.  Likewise in a domain mixed with Microsoft Windows, Samba's lack of protection of sidHistory would be a similar issue.

This would be limited to users with the right to create users or modify them (typically those who created them), however, due to other flaws, all users are able to create new user objects.

Comment 1 Huzaifa S. Sidhpurwala 2021-11-10 02:57:27 UTC
Created samba tracking bugs for this issue:

Affects: fedora-all [bug 2021721]

Comment 2 Product Security DevOps Team 2021-11-10 03:21:39 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):