CVE-2020-25717 log

Severity Medium
Remote Yes
Type Privilege escalation
A security issue has been found in Samba versions 3.0.0 to 4.15.1. Samba may map domain users to local users in an undesired way.
Group Package Affected Fixed Severity Status Ticket
AVG-2538 samba 4.15.1-1 4.15.2-1 Medium Fixed

Setting "gensec:require_pac=true" in the smb.conf makes the DOMAIN\user lookup succeed, due to a cache prime in winbind, provided nss_winbind is in use and no error paths are hit.

It would be prudent to pre-create disabled users in Active Directory matching on all privileged names not held in Active Directory, eg

 samba-tool user add root -H ldap://$SERVER -U$USERNAME%$PASSWORD --random-password
 samba-tool user add ubuntu -H ldap://$SERVER -U$USERNAME%$PASSWORD --random-password

(repeat for eg all system users under 1000 in /etc/passwd or special  to any other AD-connected services, eg perhaps "admin" for a web-app)

Setting ms-DS-MachineAccountQuota to 0, in the Active Directory domain is also advised, if possible.

The following settings might be additional mitigations (but they have not been explicitly verified yet):

1. The use of the 'invalid users' option, note this needs to be specified in the [global] section, as well as every share with an existing 'invalid users' option, e.g.:

   invalid users = root, ubuntu

2. The usage of the "obey pam restrictions = yes" together with something like 'account required quiet uid >= 1000' in the pam configuration for "samba", please consult 'man 8 pam_succeed_if'.