Bug 2019672 (CVE-2020-25717) - CVE-2020-25717 samba: Active Directory (AD) domain user could become root on domain members
Summary: CVE-2020-25717 samba: Active Directory (AD) domain user could become root on ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-25717
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: Red Hat2019673 Red Hat2019674 Red Hat2019675 Red Hat2020165 Red Hat2021168 Red Hat2021169 Red Hat2021171 2021716 2021720 Engineering2021783 Engineering2021784 2027186 Red Hat2048285
Blocks: Embargoed1976705 Red Hat2022016
TreeView+ depends on / blocked
 
Reported: 2021-11-03 04:21 UTC by Huzaifa S. Sidhpurwala
Modified: 2022-05-17 09:59 UTC (History)
31 users (show)

Fixed In Version: samba 4.15.2, samba 4.14.10, samba 4.13.14
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way Samba maps domain users to local users. An authenticated attacker could use this flaw to cause possible privilege escalation.
Clone Of:
Environment:
Last Closed: 2021-11-29 13:09:43 UTC

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2022:0018 0 None None None 2022-01-05 10:32:50 UTC
Red Hat Product Errata RHBA-2022:0019 0 None None None 2022-01-05 10:15:36 UTC
Red Hat Product Errata RHBA-2022:0147 0 None None None 2022-01-17 14:11:20 UTC
Red Hat Product Errata RHSA-2021:4843 0 None None None 2021-11-29 12:36:22 UTC
Red Hat Product Errata RHSA-2021:4844 0 None None None 2021-11-29 12:36:12 UTC
Red Hat Product Errata RHSA-2021:5082 0 None None None 2021-12-13 08:45:29 UTC
Red Hat Product Errata RHSA-2021:5192 0 None None None 2021-12-16 17:12:06 UTC
Red Hat Product Errata RHSA-2022:0008 0 None None None 2022-01-04 08:21:56 UTC
Red Hat Product Errata RHSA-2022:0074 0 None None None 2022-01-11 16:27:38 UTC
Red Hat Product Errata RHSA-2022:0133 0 None None None 2022-01-12 14:38:16 UTC
Red Hat Product Errata RHSA-2022:0443 0 None None None 2022-02-07 10:46:23 UTC
Samba Project 14556 0 None None None 2021-11-03 14:55:58 UTC

Description Huzaifa S. Sidhpurwala 2021-11-03 04:21:43 UTC 
As per upstream advisory:

Windows Active Directory domains have, but default, a feature to allow users to create computer accounts, controlled by ms-DS-MachineAccountQuota.

Likewise, some (presumably trusted) users have the right to create new users or computers in Active Directory Domains, both Samba and Windows based.

When Samba, as an AD Domain member accepts a Kerberos ticket, it must map the information found therein to a local user.  This is done via
the name in the Kerberos PAC, or the name in the ticket (if there is no PAC).

Samba will attempt to find a user "DOMAIN\user" before falling back to just "user".

If the DOMAIN\user lookup can be made to fail, then a privilege escallation is possible.
Comment 4 Huzaifa S. Sidhpurwala 2021-11-10 02:51:55 UTC 
Created samba tracking bugs for this issue:

Affects: fedora-all [bug 2021716]
Comment 7 Huzaifa S. Sidhpurwala 2021-11-29 04:40:08 UTC 
Created freeipa tracking bugs for this issue:

Affects: fedora-all [bug 2027186]
Comment 9 errata-xmlrpc 2021-11-29 12:36:11 UTC 
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.5 for RHEL 7

Via RHSA-2021:4844 https://access.redhat.com/errata/RHSA-2021:4844
Comment 10 errata-xmlrpc 2021-11-29 12:36:20 UTC 
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.5 for RHEL 8

Via RHSA-2021:4843 https://access.redhat.com/errata/RHSA-2021:4843
Comment 11 Product Security DevOps Team 2021-11-29 13:09:41 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-25717
Comment 13 Tomas Hoger 2021-12-01 18:29:28 UTC 
Upstream advisory:
https://www.samba.org/samba/security/CVE-2020-25717.html
Comment 14 errata-xmlrpc 2021-12-13 08:45:28 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:5082 https://access.redhat.com/errata/RHSA-2021:5082
Comment 15 errata-xmlrpc 2021-12-16 17:12:04 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:5192 https://access.redhat.com/errata/RHSA-2021:5192
Comment 16 errata-xmlrpc 2022-01-04 08:21:54 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:0008 https://access.redhat.com/errata/RHSA-2022:0008
Comment 17 errata-xmlrpc 2022-01-11 16:27:35 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:0074 https://access.redhat.com/errata/RHSA-2022:0074
Comment 18 errata-xmlrpc 2022-01-12 14:38:14 UTC 
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2022:0133 https://access.redhat.com/errata/RHSA-2022:0133
Comment 20 errata-xmlrpc 2022-02-07 10:46:20 UTC 
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2022:0443 https://access.redhat.com/errata/RHSA-2022:0443
Note You need to log in before you can comment on or make changes to this bug.