CVSS3: 8.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS2: 6.5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
EPSS: 0.005 Low
Percentile: 75.1%
In order to avoid issues like CVE-2020-25717, AD Kerberos accepting
services need access to unique, and ideally long-term stable,
identifiers of a user to perform authorization.
The AD PAC provides this, but the most useful information is kept in a
buffer which is NDR encoded, which means that so far in Free Software
only Samba, and applications which use Samba components under the hood
such as FreeIPA and SSSD, decode the PAC.
Recognising that the issues seen in Samba are not unique, Samba now
provides an extension to UPN_DNS_INFO, a component of the AD PAC, in a
way that can be parsed using basic pointer handling.
From this, future non-Samba based Kerberised applications can easily obtain
the user's SID, in the same packing as objectSID in LDAP, confident
that the ticket represents a specific user, no matter any subsequent
renames.
This will allow such non-Samba applications to avoid confusing one
Kerberos user for another, even if they have the same string name (due
to the gap between the time the ticket is issued by the KDC and the time
of ticket acceptance).
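The "basic pointer handling" described above, as an added example that is not Samba's or Heimdal's code: it walks a UPN_DNS_INFO buffer by the offset/length fields, checks the 0x2 flag that marks the SamName/Sid extension, bounds-checks every offset before dereferencing, and renders the raw SID (the objectSID packing: revision, sub-authority count, 6-byte big-endian authority, little-endian sub-authorities) as S-1-... text. The field layout is assumed from MS-PAC section 2.10; the sample buffer, its names and its SID value are constructed here and are not from any real ticket. It also assumes the Kerberos library has already verified the PAC signatures before this buffer is handed over, since an unverified PAC proves nothing.

```c
/* Added example, not Samba or Heimdal code: extract the user's SID from a
 * UPN_DNS_INFO PAC buffer with plain offset/length arithmetic.
 * Field layout assumed from MS-PAC 2.10 (UPN_DNS_INFO):
 *   [0] UpnLength u16, [2] UpnOffset u16, [4] DnsDomainNameLength u16,
 *   [6] DnsDomainNameOffset u16, [8] Flags u32, and when Flags has 0x2 set:
 *   [12] SamNameLength u16, [14] SamNameOffset u16, [16] SidLength u16,
 *   [18] SidOffset u16. Offsets are from the start of the buffer. */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID 0x00000002u

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Return a pointer to the SID bytes inside buf, or NULL when the extension
 * is absent or any field would read outside the buffer. */
const uint8_t *upn_dns_info_sid(const uint8_t *buf, size_t len, size_t *sid_len)
{
    if (len < 12) return NULL;                       /* fixed header */
    if (!(rd32(buf + 8) & UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID)) return NULL;
    if (len < 20) return NULL;                       /* extension header */
    uint16_t sid_length = rd16(buf + 16);
    uint16_t sid_offset = rd16(buf + 18);
    /* both are 16-bit, so the sum cannot overflow size_t */
    if (sid_length < 8 || (size_t)sid_offset + sid_length > len) return NULL;
    *sid_len = sid_length;
    return buf + sid_offset;
}

/* Render a binary SID (objectSID packing) as "S-1-..."; -1 on malformed input. */
int sid_to_string(const uint8_t *sid, size_t sid_len, char *out, size_t out_len)
{
    if (sid_len < 8) return -1;
    unsigned rev = sid[0], count = sid[1];
    if (count > 15 || sid_len != 8 + (size_t)count * 4) return -1;
    uint64_t authority = 0;
    for (int i = 0; i < 6; i++) authority = (authority << 8) | sid[2 + i];   /* big-endian */
    int n = snprintf(out, out_len, "S-%u-%" PRIu64, rev, authority);
    if (n < 0 || (size_t)n >= out_len) return -1;
    for (unsigned i = 0; i < count; i++) {                                    /* little-endian */
        int m = snprintf(out + n, out_len - (size_t)n, "-%" PRIu32, rd32(sid + 8 + 4 * i));
        if (m < 0 || (size_t)m >= out_len - (size_t)n) return -1;
        n += m;
    }
    return n;
}

/* Constructed sample buffer (made-up names and SID, not from a real ticket):
 * UPN "u@x", DNS domain "X", SAM name "u", SID S-1-5-21-12345-1234-1000. */
size_t build_sample_upn_dns_info(uint8_t *buf, size_t cap)
{
    static const uint8_t upn[] = { 'u', 0, '@', 0, 'x', 0 };   /* UTF-16LE strings */
    static const uint8_t dns[] = { 'X', 0 };
    static const uint8_t sam[] = { 'u', 0 };
    static const uint8_t sid[] = { 1, 4, 0, 0, 0, 0, 0, 5,
                                   21, 0, 0, 0, 0x39, 0x30, 0, 0,
                                   0xD2, 0x04, 0, 0, 0xE8, 0x03, 0, 0 };
    size_t total = 20 + sizeof upn + sizeof dns + sizeof sam + sizeof sid;
    if (cap < total) return 0;
    memset(buf, 0, total);
    uint16_t off = 20;
    wr16(buf + 0, sizeof upn);  wr16(buf + 2, off);  memcpy(buf + off, upn, sizeof upn); off += sizeof upn;
    wr16(buf + 4, sizeof dns);  wr16(buf + 6, off);  memcpy(buf + off, dns, sizeof dns); off += sizeof dns;
    wr32(buf + 8, UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID);
    wr16(buf + 12, sizeof sam); wr16(buf + 14, off); memcpy(buf + off, sam, sizeof sam); off += sizeof sam;
    wr16(buf + 16, sizeof sid); wr16(buf + 18, off); memcpy(buf + off, sid, sizeof sid);
    return total;
}

/* End-to-end on the sample: the SID text an accepting service would key on. */
const char *sample_sid_text(void)
{
    static uint8_t buf[128];
    static char txt[64];
    size_t n = build_sample_upn_dns_info(buf, sizeof buf), sid_len;
    const uint8_t *sid = n ? upn_dns_info_sid(buf, n, &sid_len) : NULL;
    if (sid == NULL || sid_to_string(sid, sid_len, txt, sizeof txt) < 0) return NULL;
    return txt;
}

/* Negative cases: a truncated buffer and one without the 0x2 flag yield no SID. */
int sample_rejects_bad_input(void)
{
    uint8_t buf[128];
    size_t n = build_sample_upn_dns_info(buf, sizeof buf), sid_len;
    if (upn_dns_info_sid(buf, n - 1, &sid_len) != NULL) return 0;   /* SID runs past end */
    wr32(buf + 8, 0);
    if (upn_dns_info_sid(buf, n, &sid_len) != NULL) return 0;       /* extension absent */
    return 1;
}

int main(void)
{
    const char *s = sample_sid_text();
    printf("SID from UPN_DNS_INFO: %s\n", s ? s : "(none)");
    printf("bad input rejected: %s\n", sample_rejects_bad_input() ? "yes" : "no");
    return 0;
}
```

The point of keying authorization on the SID text rather than the cname is that the SID survives a rename, so two principals that share a string name at different moments still map to different identities; the two negative cases show why every offset must be checked against the buffer length before it is followed.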
The protocol deployment weakness, as demonstrated with
CVE-2020-25717 in Samba when deployed in Active Directory, leaves most
Linux and UNIX applications able to rely only on the "client name" from the
Kerberos ticket. When the "client name" as seen by the KDC is under
attacker control across multiple Kerberos requests, such applications
need additional information to correlate the client name across
those requests.
Directories where only full administrators can create users are not
the concern; the concern is where that user/computer creation right is
delegated in some way, explicitly or via ms-DS-MachineAccountQuota.
Patches addressing both these issues have been posted to:
https://www.samba.org/samba/security/
Additionally, Samba 4.15.2, 4.14.10 and 4.13.14 have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.
A patch has been written for Heimdal Kerberos to use this feature, and
will be published for possible inclusion shortly after Samba's
security release.
The impact of doing authorization with the Kerberos cname string
varies by accepting application.
It would be prudent to pre-create disabled users in Active Directory
matching all privileged names not held in Active Directory, e.g.
samba-tool user add root -H ldap://$SERVER -U$USERNAME%$PASSWORD --random-password
samba-tool user add ubuntu -H ldap://$SERVER -U$USERNAME%$PASSWORD --random-password
…
(repeat for e.g. all system users under 1000 in /etc/passwd, or names special
to any other AD-connected services, e.g. perhaps "admin" for a web app)
If running a Microsoft Windows Active Directory, setting
ms-DS-MachineAccountQuota to 0 in the Active Directory domain would
be advised, if possible.
Originally reported by Andrew Bartlett.
Patches provided by Andrew Bartlett and Joseph Sutton of Catalyst and
the Samba team.
Andrew wishes to give much thanks to NetSPI for the blog
"MachineAccountQuota is USEFUL Sometimes: Exploiting One of Active
Directory's Oddest Settings" by Kevin Robertson[1], in which the full
horror of MachineAccountQuota became clear.
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team