Bug 2019732 (CVE-2020-25719) - CVE-2020-25719 samba: Samba AD DC did not always rely on the SID and PAC in Kerberos tickets
Summary: CVE-2020-25719 samba: Samba AD DC did not always rely on the SID and PAC in K...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-25719
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2021443 2021444 2021445 2021487 2021488 2021489 2021719 2021720
Blocks: 2022413
Reported: 2021-11-03 09:22 UTC by Huzaifa S. Sidhpurwala
Modified: 2022-05-17 09:50 UTC (History)

Fixed In Version: samba 4.15.2, samba 4.14.10, samba 4.13.14
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way Samba, as an Active Directory Domain Controller, implemented Kerberos name-based authentication. The Samba AD DC, could become confused about the user a ticket represents if it did not strictly require a Kerberos PAC and always use the SIDs found within. The result could include total domain compromise.
Clone Of:
Environment:
Last Closed: 2021-12-16 18:56:28 UTC
Embargoed:




Links
System                   ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata   RHSA-2021:5142  0        None      None    None     2021-12-15 08:04:42 UTC
Red Hat Product Errata   RHSA-2021:5195  0        None      None    None     2021-12-16 17:54:22 UTC
Red Hat Product Errata   RHSA-2022:0007  0        None      None    None     2022-01-04 08:12:59 UTC
Red Hat Product Errata   RHSA-2022:0076  0        None      None    None     2022-01-11 16:05:43 UTC

Description Huzaifa S. Sidhpurwala 2021-11-03 09:22:53 UTC
As per upstream advisory:

Samba as an Active Directory Domain Controller is based on Kerberos, which provides name-based authentication.  These names are often then used for authorization.

However, Microsoft Windows and Active Directory are SID-based. SIDs in Windows, similar to UIDs in Linux/Unix (if managed well), are globally unique and survive name changes. At the meeting of these two authorization schemes it is possible to confuse a server into acting as one user when holding a ticket for another.

A Kerberos ticket, once issued, may be valid for some time, often 10 hours but potentially longer. In Active Directory, it may or may not carry a PAC, holding the user's SIDs.

Delegated administrators with the right to create other user or machine accounts can abuse the race between the time of ticket issue and the time of presentation (back to the AD DC) to impersonate a different user.
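
The advisory above describes a name-versus-SID mismatch that opens up while a long-lived ticket is still valid. The following toy model, added here as an illustration and not taken from Samba or the advisory, shows why identifying the ticket holder by the name in the ticket breaks once directory names change, and why the fixed behaviour (require a PAC, use the SIDs it carries) does not. The directory contents, account names, SIDs and the `Directory`, `Ticket` and `resolve_*` helpers are all constructed for this example; real PAC validation also involves signature checks that this model omits.

```python
"""Toy model of name-based vs SID-based principal resolution.

Added illustration only; not Samba code. All names, SIDs and the in-memory
directory below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Account:
    """Directory entry. The SID is the stable identity; the name may change."""
    sid: str
    name: str


@dataclass
class Ticket:
    """The parts of a Kerberos ticket relevant here: the client principal name
    and, if a PAC was attached, the SIDs the PAC carries (None = no PAC)."""
    client_name: str
    pac_sids: Optional[List[str]] = None


class Directory:
    """Minimal stand-in for the AD DC's account database (constructed)."""

    def __init__(self) -> None:
        self._by_sid: Dict[str, Account] = {}

    def add(self, account: Account) -> None:
        if self.lookup_by_name(account.name) is not None:
            raise ValueError(f"name already in use: {account.name}")
        self._by_sid[account.sid] = account

    def rename(self, sid: str, new_name: str) -> None:
        if self.lookup_by_name(new_name) is not None:
            raise ValueError(f"name already in use: {new_name}")
        self._by_sid[sid].name = new_name

    def lookup_by_name(self, name: str) -> Optional[Account]:
        return next((a for a in self._by_sid.values() if a.name == name), None)

    def lookup_by_sid(self, sid: str) -> Optional[Account]:
        return self._by_sid.get(sid)


def resolve_name_based(directory: Directory, ticket: Ticket) -> Optional[Account]:
    """Pre-fix behaviour (simplified): identify the user by the name in the
    ticket, whether or not a PAC is present."""
    return directory.lookup_by_name(ticket.client_name)


def resolve_sid_based(directory: Directory, ticket: Ticket) -> Account:
    """Fixed behaviour (simplified): require a PAC and identify the user by
    the SID it carries; the ticket's name is not used for identity."""
    if not ticket.pac_sids:
        raise PermissionError("ticket has no PAC; rejected")
    account = directory.lookup_by_sid(ticket.pac_sids[0])
    if account is None:
        raise PermissionError("PAC SID is not a known account; rejected")
    return account


def run_scenario() -> dict:
    """Issue a ticket, let names change while it is still valid, then present it."""
    directory = Directory()
    user = Account(sid="S-1-5-21-100-200-300-1104", name="jsmith")
    directory.add(user)

    # Ticket issued now; with a 10-hour lifetime it outlives the changes below.
    ticket = Ticket(client_name="jsmith", pac_sids=[user.sid])

    # Later, before the ticket is presented, the directory changes: the
    # original account is renamed and a different account takes the old name.
    directory.rename(user.sid, "jsmith.old")
    directory.add(Account(sid="S-1-5-21-100-200-300-1105", name="jsmith"))

    name_result = resolve_name_based(directory, ticket)
    sid_result = resolve_sid_based(directory, ticket)
    try:
        resolve_sid_based(directory, Ticket(client_name="jsmith"))  # no PAC
        pacless_rejected = False
    except PermissionError:
        pacless_rejected = True

    return {
        "name_based_sid": name_result.sid,   # the other account: wrong identity
        "sid_based_sid": sid_result.sid,     # the original ticket holder
        "pacless_rejected": pacless_rejected,
    }


if __name__ == "__main__":
    print(run_scenario())
```

Running the scenario shows the name-based resolver returning the account that now owns the name rather than the one the ticket was issued to, while the SID-based resolver returns the original holder and refuses a ticket without a PAC. That is the gap the fixed Samba versions listed in this bug close, and the check a defender should expect from any service that maps Kerberos tickets to directory accounts.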

Comment 2 Huzaifa S. Sidhpurwala 2021-11-10 02:55:32 UTC
Created freeipa tracking bugs for this issue:

Affects: fedora-all [bug 2021720]


Created samba tracking bugs for this issue:

Affects: fedora-all [bug 2021719]

Comment 3 errata-xmlrpc 2021-12-15 08:04:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:5142 https://access.redhat.com/errata/RHSA-2021:5142

Comment 4 errata-xmlrpc 2021-12-16 17:54:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:5195 https://access.redhat.com/errata/RHSA-2021:5195

Comment 5 Product Security DevOps Team 2021-12-16 18:56:25 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-25719

Comment 6 errata-xmlrpc 2022-01-04 08:12:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:0007 https://access.redhat.com/errata/RHSA-2022:0007

Comment 7 errata-xmlrpc 2022-01-11 16:05:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:0076 https://access.redhat.com/errata/RHSA-2022:0076

