Bug 2019732 (CVE-2020-25719) - CVE-2020-25719 samba: Samba AD DC did not always rely on the SID and PAC in Kerberos tickets
Summary: CVE-2020-25719 samba: Samba AD DC did not always rely on the SID and PAC in K...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-25719
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2021443 2021444 2021445 2021487 2021488 2021489 2021719 2021720
Blocks: 1976705 2022413
TreeView+ depends on / blocked
 
Reported: 2021-11-03 09:22 UTC by Huzaifa S. Sidhpurwala
Modified: 2022-05-17 09:50 UTC (History)
27 users (show)

Fixed In Version: samba 4.15.2, samba 4.14.10, samba 4.13.14
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way Samba, as an Active Directory Domain Controller, implemented Kerberos name-based authentication. The Samba AD DC, could become confused about the user a ticket represents if it did not strictly require a Kerberos PAC and always use the SIDs found within. The result could include total domain compromise.
Clone Of:
Environment:
Last Closed: 2021-12-16 18:56:28 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:5142 0 None None None 2021-12-15 08:04:42 UTC
Red Hat Product Errata RHSA-2021:5195 0 None None None 2021-12-16 17:54:22 UTC
Red Hat Product Errata RHSA-2022:0007 0 None None None 2022-01-04 08:12:59 UTC
Red Hat Product Errata RHSA-2022:0076 0 None None None 2022-01-11 16:05:43 UTC

Description Huzaifa S. Sidhpurwala 2021-11-03 09:22:53 UTC
As per upstream advisory:

Samba as an Active Directory Domain Controller is based on Kerberos, which provides name-based authentication.  These names are often then used for authorization.

However Microsoft Windows and Active Direcory is SID-based.  SIDs in Windows, similar to UIDs in Linux/Unix (if managed well) are globally
unique and survive name changes.  At the meeting of these two authorization schemes it is possible to confuse a server into acting as one user when holding a ticket for another.

A Kerberos ticket, once issued, may be valid for some time, often 10 hours but potentially longer.  In Active Directory, it may or may not
carry a PAC, holding the user's SIDs. 

Delegated administrators with the right to create other user or machine accounts can abuse the race between the time of ticket issue and the time of presentation (back to the AD DC) to impersonate a different user.

Comment 2 Huzaifa S. Sidhpurwala 2021-11-10 02:55:32 UTC
Created freeipa tracking bugs for this issue:

Affects: fedora-all [bug 2021720]


Created samba tracking bugs for this issue:

Affects: fedora-all [bug 2021719]

Comment 3 errata-xmlrpc 2021-12-15 08:04:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:5142 https://access.redhat.com/errata/RHSA-2021:5142

Comment 4 errata-xmlrpc 2021-12-16 17:54:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:5195 https://access.redhat.com/errata/RHSA-2021:5195

Comment 5 Product Security DevOps Team 2021-12-16 18:56:25 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-25719

Comment 6 errata-xmlrpc 2022-01-04 08:12:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:0007 https://access.redhat.com/errata/RHSA-2022:0007

Comment 7 errata-xmlrpc 2022-01-11 16:05:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:0076 https://access.redhat.com/errata/RHSA-2022:0076


Note You need to log in before you can comment on or make changes to this bug.