Bug 2021728 (CVE-2020-25721) - CVE-2020-25721 samba: Kerberos acceptors need easy access to stableAD identifiers (eg objectSid)
Summary: CVE-2020-25721 samba: Kerberos acceptors need easy access to stableAD identif...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2020-25721
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2021729
Blocks: 1976705
TreeView+ depends on / blocked
 
Reported: 2021-11-10 03:31 UTC by Huzaifa S. Sidhpurwala
Modified: 2023-03-14 12:16 UTC (History)
16 users (show)

Fixed In Version: samba 4.15.2, samba 4.14.10, samba 4.13.14
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-11-10 04:27:37 UTC
Embargoed:


Attachments (Terms of Use)

Description Huzaifa S. Sidhpurwala 2021-11-10 03:31:32 UTC
As per upstream report:

In order to avoid issues like CVE-2020-25717 AD Kerberos accepting services need access to unique, and ideally long-term stable identifiers of a user to perform authorization.

The AD PAC provides this, but the most useful information is kept in a buffer which is NDR encoded, which means that so far in Free Software
only Samba and applications which use Samba components under the hood like FreeIPA and SSSD decode PAC.

Recognising that the issues seen in Samba are not unique, Samba now provides an extension to UPN_DNS_INFO, a component of the AD PAC, in a
way that can be parsed using basic pointer handling.

From this, future non-Samba based Kerberised applications can easily obtain the user's SID, in the same packing as objectSID in LDAP, confident
that the ticket represents a specific user, not matter subsequent renames.

This will allow such non-Samba applications to avoid confusing one Kerberos user for another, even if they have the same string name (due
to the gap between time of ticket printing by the KDC and time of ticket acceptance).

Comment 1 Huzaifa S. Sidhpurwala 2021-11-10 03:31:59 UTC
Created samba tracking bugs for this issue:

Affects: fedora-all [bug 2021729]


Note You need to log in before you can comment on or make changes to this bug.