Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 2019764 (CVE-2020-25722) - CVE-2020-25722 samba: Samba AD DC did not do sufficient access and conformance checking of data stored
Summary: CVE-2020-25722 samba: Samba AD DC did not do sufficient access and conformanc...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2020-25722
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2021721
Blocks: 2022415
TreeView+ depends on / blocked
 
Reported: 2021-11-03 10:25 UTC by Huzaifa S. Sidhpurwala
Modified: 2021-11-11 15:14 UTC (History)
17 users (show)

Fixed In Version: samba 4.15.2, samba 4.14.10, samba 4.13.14
Doc Type: If docs needed, set a value
Doc Text:
Multiple flaws were found in the way samba AD DC implemented access and conformance checking of stored data. An attacker could use this flaw to cause total domain compromise.
Clone Of:
Environment:
Last Closed: 2021-11-10 03:21:41 UTC
Embargoed:


Attachments (Terms of Use)

Description Huzaifa S. Sidhpurwala 2021-11-03 10:25:35 UTC
As per upstream advisory:

Samba as an Active Directory Domain Controller has to take care to protect a number of sensitive attributes, and to follow a security model from Active Directory that relies totally on the intersection of NT security descriptors and the underlying X.500 Directory Access Protocol (as then expressed in LDAP) schema constraints for security.

Some attributes in Samba AD are sensitive, they apply to one object but protect others.

Users who can set msDS-AllowedToDelegateTo can become any user in the domain on the server pointed at by this list.  Likewise in a domain mixed with Microsoft Windows, Samba's lack of protection of sidHistory would be a similar issue.

This would be limited to users with the right to create users or modify them (typically those who created them), however, due to other flaws, all users are able to create new user objects.

Comment 1 Huzaifa S. Sidhpurwala 2021-11-10 02:57:27 UTC
Created samba tracking bugs for this issue:

Affects: fedora-all [bug 2021721]

Comment 2 Product Security DevOps Team 2021-11-10 03:21:39 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-25722


Note You need to log in before you can comment on or make changes to this bug.