1 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
2 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3 <html xmlns="http://www.w3.org/1999/xhtml">
6 <title>Samba - Security Announcement Archive</title>
11 <H2>CVE-2020-25719.html:</H2>
15 ===========================================================
16 == Subject: Samba AD DC did not always rely on the SID
17 == and PAC in Kerberos tickets.
19 == CVE ID#: CVE-2020-25719
21 == Versions: Samba 4.0.0 and later
23 == Summary: The Samba AD DC, could become confused about
24 == the user a ticket represents if it did not
25 == strictly require a Kerberos PAC and always use
26 == the SIDs found within. The result could include total
28 ===========================================================
34 Samba as an Active Directory Domain Controller is based on Kerberos,
35 which provides name-based authentication. These names are often then
36 used for authorization.
38 However Microsoft Windows and Active Direcory is SID-based. SIDs in
39 Windows, similar to UIDs in Linux/Unix (if managed well) are globally
40 unique and survive name changes. At the meeting of these two
41 authorization schemes it is possible to confuse a server into acting
42 as one user when holding a ticket for another.
44 A Kerberos ticket, once issued, may be valid for some time, often 10
45 hours but potentially longer. In Active Directory, it may or may not
46 carry a PAC, holding the user's SIDs.
48 A simple example of the problem is on Samba's LDAP server, which
49 would, unless "gensec:require_pac = true" was set, permit a fall back
50 to using the name in the Kerberos ticket alone. (All Samba AD
51 services fall to the same issue in one way or another, LDAP is just a
54 Delegated administrators with the right to create other user or
55 machine accounts can abuse the race between the time of ticket issue
56 and the time of presentation (back to the AD DC) to impersonate a
57 different account, including a highly privileged account.
59 This could allow total domain compromise.
65 Samba as an AD DC will now always issue a Kerberos PAC in the AD-REQ
66 and require that tickets presented back to the DC have a PAC, both in
67 the KDC and elsewhere.
69 Tickets issued by an unpatched DC that do not have a Kerberos PAC (eg
70 with the --no-request-pac option to MIT kerberos kinit) will be denied
71 after the upgrade, even if they are otherwise still valid.
73 This also means that the Kerberos TCP transport is likely to be
74 required to connect to the Samba AD DC, as a PAC is unlikely to fit in
75 a UDP packet. PAC-free tickets are still supported for target
76 services (eg NFS), via an flag within the PAC preventing it being
77 put into the final ticket.
83 Patches addressing both these issues have been posted to:
85 https://www.samba.org/samba/security/
87 Additionally, Samba 4.15.2, 4.14.10 and 4.13.14 have been issued
88 as security releases to correct the defect. Samba administrators are
89 advised to upgrade to these releases or apply the patch as soon
96 This CVSSv3 calculation is assuming the other Samba issues are
97 addressed, and user/computer creation is an at least partially
100 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (7.2)
111 Originally reported by Andrew Bartlett.
114 - Andrew Bartlett of Catalyst and the Samba Team.
115 - Joseph Sutton of Catalyst and the Samba Team
116 - Andreas Schneider of Red Hat and the Samba Team
117 - Stefan Metzmacher of SerNet and the Samba Team
119 Advisory written by Andrew Bartlett of Catalyst
121 Catalyst would like to particularly thank Red Hat and SerNet for their
122 contribution to fixing this issue.
124 ==========================================================
125 == Our Code, Our Bugs, Our Responsibility.
127 ==========================================================