Bug 2019732 (CVE-2020-25719) - CVE-2020-25719 samba: Samba AD DC did not always rely on the SID and PAC in Kerberos tickets
Summary: CVE-2020-25719 samba: Samba AD DC did not always rely on the SID and PAC in K...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-25719
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: Red Hat 2021443, Red Hat 2021444, Red Hat 2021445, Red Hat 2021487, Red Hat 2021488, Red Hat 2021489, 2021719, 2021720
Blocks: Embargoed 1976705, Red Hat 2022413
Reported: 2021-11-03 09:22 UTC by Huzaifa S. Sidhpurwala
Modified: 2022-05-17 09:50 UTC
CC List: 27 users

Fixed In Version: samba 4.15.2, samba 4.14.10, samba 4.13.14
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way Samba, as an Active Directory Domain Controller, implemented Kerberos name-based authentication. The Samba AD DC could become confused about the user a ticket represents if it did not strictly require a Kerberos PAC and always use the SIDs found within. The result could include total domain compromise.
Clone Of:
Environment:
Last Closed: 2021-12-16 18:56:28 UTC


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:5142 0 None None None 2021-12-15 08:04:42 UTC
Red Hat Product Errata RHSA-2021:5195 0 None None None 2021-12-16 17:54:22 UTC
Red Hat Product Errata RHSA-2022:0007 0 None None None 2022-01-04 08:12:59 UTC
Red Hat Product Errata RHSA-2022:0076 0 None None None 2022-01-11 16:05:43 UTC

Description Huzaifa S. Sidhpurwala 2021-11-03 09:22:53 UTC
As per upstream advisory:

Samba as an Active Directory Domain Controller is based on Kerberos, which provides name-based authentication.  These names are often then used for authorization.

However, Microsoft Windows and Active Directory are SID-based.  SIDs in Windows, similar to UIDs in Linux/Unix (if managed well), are globally unique and survive name changes.  At the meeting of these two authorization schemes it is possible to confuse a server into acting as one user when holding a ticket for another.

A Kerberos ticket, once issued, may be valid for some time, often 10 hours but potentially longer.  In Active Directory, it may or may not carry a PAC, holding the user's SIDs.

Delegated administrators with the right to create other user or machine accounts can abuse the race between the time of ticket issue and the time of presentation (back to the AD DC) to impersonate a different user.
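The advisory's point is the gap between a name resolved at presentation time and the SID fixed at issue time. The toy model below is an added illustration, not Samba code and not part of this bug report: it keeps a constructed directory of accounts keyed by SID, lets an account name change after a ticket has been issued, and then compares a name-based authorization check with one that strictly requires a PAC and uses the SID it carries. The class and function names, the constructed SIDs and the `Pac`/`Ticket` shapes are assumptions made for the example and do not model Samba's real data structures.

```python
"""Toy model of name-based vs SID-based authorization for a Kerberos ticket.

Constructed illustration of the flaw class described for CVE-2020-25719;
it is not Samba code and does not model Samba's actual data structures.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Pac:
    """Privilege Attribute Certificate: SIDs the KDC asserted at issue time."""
    user_sid: str
    group_sids: Tuple[str, ...] = ()


@dataclass(frozen=True)
class Ticket:
    principal: str             # name-based identity the ticket was issued for
    pac: Optional[Pac] = None  # a PAC may or may not be present


@dataclass
class Account:
    name: str
    sid: str


class Directory:
    """Minimal account store keyed by SID; names are mutable, SIDs are not."""

    def __init__(self) -> None:
        self._by_sid: Dict[str, Account] = {}

    def create(self, name: str, sid: str) -> Account:
        if any(a.name == name for a in self._by_sid.values()):
            raise ValueError(f"name already in use: {name}")
        acct = Account(name, sid)
        self._by_sid[sid] = acct
        return acct

    def rename(self, sid: str, new_name: str) -> None:
        # A rename keeps the SID; only the name changes.
        if any(a.name == new_name for a in self._by_sid.values()):
            raise ValueError(f"name already in use: {new_name}")
        self._by_sid[sid].name = new_name

    def lookup_name(self, name: str) -> Optional[Account]:
        return next((a for a in self._by_sid.values() if a.name == name), None)

    def lookup_sid(self, sid: str) -> Optional[Account]:
        return self._by_sid.get(sid)


def authorize_by_name(directory: Directory, ticket: Ticket) -> Optional[str]:
    """Weak pattern: resolve the principal *name* at presentation time.

    Whatever account holds that name now is treated as the ticket's user,
    regardless of which account the KDC issued the ticket for.
    """
    acct = directory.lookup_name(ticket.principal)
    return acct.sid if acct else None


class MissingPacError(Exception):
    """Raised when a ticket without a PAC reaches the hardened check."""


def authorize_by_pac(directory: Directory, ticket: Ticket) -> str:
    """Hardened pattern: require a PAC and use the SID it carries.

    The SID was fixed by the KDC at issue time and survives later name
    changes, so the ticket keeps identifying the same account.
    """
    if ticket.pac is None:
        raise MissingPacError(f"ticket for {ticket.principal!r} carries no PAC")
    if directory.lookup_sid(ticket.pac.user_sid) is None:
        raise LookupError(f"unknown SID {ticket.pac.user_sid}")
    return ticket.pac.user_sid


def demo() -> Tuple[Optional[str], str, Optional[str]]:
    """Issue a ticket, let names change underneath it, then present it."""
    d = Directory()
    alice = d.create("alice", "S-1-5-21-0-0-0-1001")  # constructed SID
    # Ticket issued while "alice" still names the ...-1001 account.
    ticket = Ticket(principal="alice", pac=Pac(alice.sid))

    # Between issue and presentation the directory changes: the original
    # account is renamed and a different account takes the name "alice".
    d.rename(alice.sid, "alice.old")
    d.create("alice", "S-1-5-21-0-0-0-1002")  # constructed SID

    by_name = authorize_by_name(d, ticket)  # now resolves to ...-1002
    by_pac = authorize_by_pac(d, ticket)    # still ...-1001, the issued user
    # A ticket with no PAC: the name path still answers; the PAC path refuses.
    no_pac = authorize_by_name(d, Ticket(principal="alice"))
    return by_name, by_pac, no_pac


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the name-based check answering with a different SID than the one the ticket was issued for, while the PAC-based check keeps returning the original SID and raises `MissingPacError` for a ticket that carries no PAC; that pair of behaviours is what "strictly require a Kerberos PAC and always use the SIDs found within" buys a server.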

Comment 2 Huzaifa S. Sidhpurwala 2021-11-10 02:55:32 UTC
Created freeipa tracking bugs for this issue:

Affects: fedora-all [bug 2021720]


Created samba tracking bugs for this issue:

Affects: fedora-all [bug 2021719]

Comment 3 errata-xmlrpc 2021-12-15 08:04:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:5142 https://access.redhat.com/errata/RHSA-2021:5142

Comment 4 errata-xmlrpc 2021-12-16 17:54:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:5195 https://access.redhat.com/errata/RHSA-2021:5195

Comment 5 Product Security DevOps Team 2021-12-16 18:56:25 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-25719

Comment 6 errata-xmlrpc 2022-01-04 08:12:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:0007 https://access.redhat.com/errata/RHSA-2022:0007

Comment 7 errata-xmlrpc 2022-01-11 16:05:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:0076 https://access.redhat.com/errata/RHSA-2022:0076

