Headline
CVE-2020-25717: Active Directory (AD) domain user could become root on domain members
A flaw was found in the way Samba maps domain users to local users. An authenticated attacker could use this flaw to cause possible privilege escalation.
Description Huzaifa S. Sidhpurwala 2021-11-03 04:21:43 UTC
As per upstream advisory:
Windows Active Directory domains have, by default, a feature to allow users to create computer accounts, controlled by ms-DS-MachineAccountQuota.
Likewise, some (presumably trusted) users have the right to create new users or computers in Active Directory Domains, both Samba and Windows based.
When Samba, as an AD Domain member, accepts a Kerberos ticket, it must map the information found therein to a local user. This is done via the name in the Kerberos PAC, or the name in the ticket (if there is no PAC).
Samba will attempt to find a user "DOMAIN\user" before falling back to just "user".
If the DOMAIN\user lookup can be made to fail, then a privilege escalation is possible.
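The lookup order described in the advisory text above, modelled as an added example (not part of the original report and not Samba source code). All function names, account names and uids are constructed for illustration; the strict variant shows one way a mapper can refuse the unqualified fallback and is not presented as the upstream patch.

```python
# Illustrative model only. Every name and value here is hypothetical.

# Constructed local accounts on the domain member (name -> uid).
LOCAL_USERS = {"root": 0, "backup": 34}

# Constructed set of names the domain lookup can resolve (name -> uid).
DOMAIN_USERS = {"EXAMPLE\\alice": 10001}


class MappingRejected(Exception):
    pass


def lookup(name, domain_lookup_ok=True):
    # Qualified names are answered by the domain lookup, bare names locally.
    if "\\" in name:
        return DOMAIN_USERS.get(name) if domain_lookup_ok else None
    return LOCAL_USERS.get(name)


def map_with_fallback(domain, user, domain_lookup_ok=True):
    # Order from the advisory: try DOMAIN\user, then fall back to bare "user".
    uid = lookup(f"{domain}\\{user}", domain_lookup_ok)
    if uid is None:
        uid = lookup(user)  # a bare name can match an unrelated local account
    if uid is None:
        raise MappingRejected(user)
    return uid


def map_strict(domain, user, domain_lookup_ok=True):
    # Hardened variant: a failed qualified lookup is a hard failure.
    uid = lookup(f"{domain}\\{user}", domain_lookup_ok)
    if uid is None:
        raise MappingRejected(f"{domain}\\{user}")
    return uid


def is_rejected(mapper, *args, **kwargs):
    # Helper: True when the mapper refuses to produce a local uid.
    try:
        mapper(*args, **kwargs)
    except MappingRejected:
        return True
    return False
```

With the fallback, a ticket name whose qualified lookup fails resolves to whichever local account shares the bare name, including uid 0; the strict mapper rejects the same ticket.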
Comment 4 Huzaifa S. Sidhpurwala 2021-11-10 02:51:55 UTC
Created samba tracking bugs for this issue:
Affects: fedora-all [bug 2021716]
Comment 7 Huzaifa S. Sidhpurwala 2021-11-29 04:40:08 UTC
Created freeipa tracking bugs for this issue:
Affects: fedora-all [bug 2027186]