Bug 2305954 (CVE-2020-25720)

Summary: CVE-2020-25720 samba: check attribute access rights for LDAP adds of computers
Product: [Other] Security Response
Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: gdeschner, nobody, rhs-smb
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A vulnerability was found in Samba where a delegated administrator with permission to create objects in Active Directory can write to all attributes of the newly created object, including security-sensitive attributes, even after the object's creation. This issue occurs because the administrator owns the object due to the lack of an Access Control List (ACL) at the time of creation and later being recognized as the 'creator owner.' The retained significant rights of the delegated administrator may not be well understood, potentially leading to unintended privilege escalation or security risks.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Dhananjay Arunesh 2024-08-20 07:40:44 UTC
A delegated administrator who can create objects in Active Directory can write to all attributes in that new object, including after the object is created, because they own the object. This includes some security-sensitive attributes (fewer in Samba than in Windows).

Because these rights are due to there being no ACL at creation time and later being the nebulous 'creator owner', the implication that the delegated administrator retains significant rights may not be well understood. 

Behaviour removing the implicit rights of creating users to write to all attributes is off by default in Samba and Windows (see CVE-2021-42291).

(As mentioned in the bug, we developed some other protections for this that landed in the other CVEs, which is why this one didn't get the full security notice treatment). 

The details of how to turn this protection on are at:
https://support.microsoft.com/en-us/topic/kb5008383-active-directory-permissions-updates-cve-2021-42291-536d5555-ffba-4248-a60e-d6cbc849cde1

Comment 1 Guenther Deschner 2024-08-22 19:54:04 UTC
As outlined in https://access.redhat.com/security/cve/CVE-2020-25720 this is a Samba AD only problem and Samba AD is not built in any Red Hat product and thus this CVE is not relevant for RHEL or RHGS at all.