CVE-2020-25717 log

Source:
Severity: Medium
Remote: Yes
Type: Privilege escalation
Description
A security issue has been found in Samba versions 3.0.0 to 4.15.1. Samba may map domain users to local users in an undesired way.
Group     Package  Affected  Fixed     Severity  Status  Ticket
AVG-2538  samba    4.15.1-1  4.15.2-1  Medium    Fixed
References
https://www.samba.org/samba/security/CVE-2020-25717.html
https://www.samba.org/samba/ftp/patches/security/samba-4.15.1-security-2021-11-09.patch
Notes
Workaround
==========

Setting "gensec:require_pac=true" in the smb.conf makes the DOMAIN\user lookup succeed, due to a cache prime in winbind, provided nss_winbind is in use and no error paths are hit.

It would be prudent to pre-create disabled users in Active Directory for every privileged local name that does not already exist in Active Directory, e.g.

 samba-tool user add root -H ldap://$SERVER -U$USERNAME%$PASSWORD --random-password
 samba-tool user add ubuntu -H ldap://$SERVER -U$USERNAME%$PASSWORD --random-password
 ...

(repeat for e.g. all system users with a uid under 1000 in /etc/passwd, and for any names that are special to other AD-connected services, e.g. perhaps "admin" for a web application)
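A script that automates the pre-creation step above, as an added example that is not part of the Samba advisory or the Arch tracker: it reads a passwd-format file, selects every uid below 1000 (plus any extra names given), and creates each name in AD with a random password and then disables it with `samba-tool user disable`. SERVER, USERNAME and PASSWORD are the advisory's own variables; SAMBA_TOOL and EXTRA_NAMES are this example's assumptions, not samba-tool options.

```shell
#!/bin/sh
# Added example, not from the Samba advisory or the Arch tracker. Enumerates
# local system accounts (uid below a threshold, default 1000) from a
# passwd-format file and pre-creates each name in Active Directory as a
# disabled user, so that no domain user with a privileged local name can be
# created later. SERVER, USERNAME and PASSWORD are assumed to be set as in
# the advisory's samba-tool lines; SAMBA_TOOL and EXTRA_NAMES are assumptions
# of this example (they are not samba-tool options).

# Print the account names from a passwd-format file whose uid is below max_uid.
system_users() {
    passwd_file="$1"
    max_uid="${2:-1000}"
    awk -F: -v max="$max_uid" 'NF >= 3 && $3 < max { print $1 }' "$passwd_file"
}

# Create every listed name (plus any names in $EXTRA_NAMES, e.g. "admin" for
# a web application) with a random password, then disable the account.
# SAMBA_TOOL may point at a stub binary for a dry run.
precreate_disabled_users() {
    passwd_file="$1"
    tool="${SAMBA_TOOL:-samba-tool}"
    for name in $(system_users "$passwd_file") $EXTRA_NAMES; do
        "$tool" user add "$name" -H "ldap://$SERVER" \
            -U"$USERNAME%$PASSWORD" --random-password
        "$tool" user disable "$name" -H "ldap://$SERVER" \
            -U"$USERNAME%$PASSWORD"
    done
}

# Usage: SERVER=dc1 USERNAME=Administrator PASSWORD=... EXTRA_NAMES=admin \
#        sh precreate.sh --run
if [ "${1:-}" = "--run" ]; then
    precreate_disabled_users /etc/passwd
fi
```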

Setting ms-DS-MachineAccountQuota to 0 in the Active Directory domain is also advised, if possible.

The following settings might be additional mitigations (but they have not been explicitly verified yet):

1. The use of the 'invalid users' option. Note that it needs to be specified in the [global] section as well as in every share that already has its own 'invalid users' option, e.g.:

   invalid users = root, ubuntu

2. The use of "obey pam restrictions = yes" together with something like 'account required pam_succeed_if.so quiet uid >= 1000' in the PAM configuration for "samba"; please consult 'man 8 pam_succeed_if'.