== Subject:     Kerberos acceptors need easy access to stable
==              AD identifiers (eg objectSid)
== CVE ID#:     CVE-2020-25721
== Versions:    All versions of Samba since Samba 4.0.0
== Summary:     Samba as an AD DC now provides a way for Linux
==              applications to obtain a reliable SID (and
==              samAccountName) in issued tickets.


In order to avoid issues like CVE-2020-25717, AD Kerberos accepting
services need access to unique, and ideally long-term stable,
identifiers of a user to perform authorization.

The AD PAC provides this, but the most useful information is kept in a
buffer which is NDR encoded, which means that so far in Free Software
only Samba, and applications which use Samba components under the hood
such as FreeIPA and SSSD, decode the PAC.

Recognising that the issues seen in Samba are not unique, Samba now
provides an extension to UPN_DNS_INFO, a component of the AD PAC, in a
way that can be parsed using basic pointer handling.

From this, future non-Samba based Kerberised applications can easily obtain
the user's SID, in the same packing as objectSid in LDAP, confident
that the ticket represents a specific user, no matter subsequent
This will allow such non-Samba applications to avoid confusing one
Kerberos user for another, even if they have the same string name (due
to the gap between time of ticket printing by the KDC and time of
ticket acceptance).
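As an added example (not Samba's code), the following Python reads the extended UPN_DNS_INFO buffer described above with plain offset arithmetic and renders the SID in the same S-1-... form as objectSid. The field layout is assumed from MS-PAC (four UTF-16 length/offset pairs around a flags word, with bit 0x2 marking the SAM name and SID extension); the sample buffer is constructed, not captured from a real ticket.

```python
import struct

# UPN_DNS_INFO flag bit (assumed from MS-PAC): SamName and Sid fields are present.
FLAG_EXTENDED = 0x00000002

def sid_to_string(sid: bytes) -> str:
    """Binary SID in objectSid packing -> 'S-1-5-21-...' string form."""
    revision, sub_count = sid[0], sid[1]
    if len(sid) != 8 + 4 * sub_count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(sid[2:8], "big")          # 6-byte big-endian authority
    subs = struct.unpack_from("<%dI" % sub_count, sid, 8)  # little-endian sub-authorities
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def _field(buf: bytes, length: int, offset: int) -> bytes:
    # Offsets are relative to the start of UPN_DNS_INFO; bounds-check before slicing.
    if offset + length > len(buf):
        raise ValueError("field runs past end of buffer")
    return buf[offset:offset + length]

def parse_upn_dns_info(buf: bytes) -> dict:
    """Parse UPN_DNS_INFO; sid/sam_account_name stay None unless the extension is flagged."""
    if len(buf) < 12:
        raise ValueError("UPN_DNS_INFO too short")
    upn_len, upn_off, dns_len, dns_off, flags = struct.unpack_from("<HHHHI", buf, 0)
    info = {"upn": _field(buf, upn_len, upn_off).decode("utf-16-le"),
            "dns_domain_name": _field(buf, dns_len, dns_off).decode("utf-16-le"),
            "flags": flags, "sam_account_name": None, "sid": None}
    if flags & FLAG_EXTENDED:
        if len(buf) < 20:
            raise ValueError("extension flagged but fields missing")
        sam_len, sam_off, sid_len, sid_off = struct.unpack_from("<HHHH", buf, 12)
        info["sam_account_name"] = _field(buf, sam_len, sam_off).decode("utf-16-le")
        info["sid"] = sid_to_string(_field(buf, sid_len, sid_off))
    return info

def build_sample(extended: bool = True) -> bytes:
    """Constructed sample buffer: UPN, DNS domain, SAM name and a binary SID."""
    parts = ["alice@example.com".encode("utf-16-le"), "EXAMPLE.COM".encode("utf-16-le"),
             "alice".encode("utf-16-le"),
             bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack("<5I", 21, 1000, 2000, 3000, 1104)]
    hdr_len, body, lens_offs = 20, b"", []
    for p in parts:
        lens_offs += [len(p), hdr_len + len(body)]
        body += p
    flags = FLAG_EXTENDED if extended else 0
    return struct.pack("<HHHHIHHHH", *lens_offs[:4], flags, *lens_offs[4:]) + body
```

An acceptor would key its authorization decision on the returned `sid`, falling back to the string name only when the extension is absent.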

The protocol deployment weakness, as demonstrated by CVE-2020-25717 in
Samba when deployed in Active Directory, leaves most Linux and UNIX
applications to rely only on the "client name" from the Kerberos
ticket. When the "client name" as seen by the KDC is under an
attacker's control across multiple Kerberos requests, such applications
need additional information to correlate the client name across
those requests.

Directories where only full administrators can create users are not
the concern; the concern is where that user/computer creation right is
delegated in some way, explicitly or via ms-DS-MachineAccountQuota.

Patch Availability

Patches addressing both these issues have been posted to:

Additionally, Samba 4.15.2, 4.14.10 and 4.13.14 have been issued
as security releases to correct the defect.  Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

A patch has been written for Heimdal Kerberos to use this feature, and
will be published for possible inclusion shortly after Samba's
security release.

CVSSv3 calculation

The impact of doing authorization with the string Kerberos cname name
varies by accepting application.


It would be prudent to pre-create disabled users in Active Directory
matching on all privileged names not held in Active Directory, eg

 samba-tool user add root -H ldap://$SERVER -U$USERNAME%$PASSWORD --random-password
 samba-tool user add ubuntu -H ldap://$SERVER -U$USERNAME%$PASSWORD --random-password
 (repeat for eg all system users under 1000 in /etc/passwd or special
 to any other AD-connected services, eg perhaps "admin" for a web-app)

If running a Microsoft Windows Active Directory, setting
ms-DS-MachineAccountQuota to 0 in the Active Directory domain would
be advised, if possible.

Credits and further reading

Originally reported by Andrew Bartlett.

Patches provided by Andrew Bartlett and Joseph Sutton of Catalyst and
the Samba team.

Andrew wishes to give much thanks to NetSPI for the blog
"MachineAccountQuota is USEFUL Sometimes: Exploiting One of Active
Directory's Oddest Settings" by Kevin Robertson[1], from which the full
horror of MachineAccountQuota became clear.


== Our Code, Our Bugs, Our Responsibility.
== The Samba Team