Bug 2019764 (CVE-2020-25722) - CVE-2020-25722 samba: Samba AD DC did not do sufficient access and conformance checking of data stored
Summary: CVE-2020-25722 samba: Samba AD DC did not do sufficient access and conformanc...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2020-25722
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2021721
Blocks: 2022415 1976705
TreeView+ depends on / blocked
 
Reported: 2021-11-03 10:25 UTC by Huzaifa S. Sidhpurwala
Modified: 2021-11-11 15:14 UTC (History)
17 users (show)

Fixed In Version: samba 4.15.2, samba 4.14.10, samba 4.13.14
Doc Type: If docs needed, set a value
Doc Text:
Multiple flaws were found in the way samba AD DC implemented access and conformance checking of stored data. An attacker could use this flaw to cause total domain compromise.
Clone Of:
Environment:
Last Closed: 2021-11-10 03:21:41 UTC


Attachments (Terms of Use)

Description Huzaifa S. Sidhpurwala 2021-11-03 10:25:35 UTC
As per upstream advisory:

Samba as an Active Directory Domain Controller has to take care to protect a number of sensitive attributes, and to follow a security model from Active Directory that relies totally on the intersection of NT security descriptors and the underlying X.500 Directory Access Protocol (as then expressed in LDAP) schema constraints for security.

Some attributes in Samba AD are sensitive, they apply to one object but protect others.

Users who can set msDS-AllowedToDelegateTo can become any user in the domain on the server pointed at by this list.  Likewise in a domain mixed with Microsoft Windows, Samba's lack of protection of sidHistory would be a similar issue.

This would be limited to users with the right to create users or modify them (typically those who created them), however, due to other flaws, all users are able to create new user objects.

Comment 1 Huzaifa S. Sidhpurwala 2021-11-10 02:57:27 UTC
Created samba tracking bugs for this issue:

Affects: fedora-all [bug 2021721]

Comment 2 Product Security DevOps Team 2021-11-10 03:21:39 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-25722


Note You need to log in before you can comment on or make changes to this bug.