CVE-2020-25717: Input Validation

First published: Wed Nov 03 2021(Updated: )

A flaw was found in the way Samba maps domain users to local users. An authenticated attacker could use this flaw to cause possible privilege escalation.

Credit: secalert@redhat.com secalert@redhat.com secalert@redhat.com

Affected Software	Affected Version	How to fix
Samba Samba	>=3.0.0<4.13.14
Samba Samba	>=4.14.0<4.14.10
Samba Samba	>=4.15.0<4.15.2
Debian Debian Linux	=9.0
Debian Debian Linux	=10.0
Fedoraproject Fedora	=33
Fedoraproject Fedora	=34
Fedoraproject Fedora	=35
Redhat Codeready Linux Builder
Redhat Gluster Storage	=3.0
Redhat Gluster Storage	=3.5
Redhat Openstack	=13
Redhat Openstack	=16.1
Redhat Openstack	=16.2
Redhat Virtualization	=4.0
Redhat Virtualization Host	=4.0
Redhat Enterprise Linux	=7.0
Redhat Enterprise Linux	=8.0
Redhat Enterprise Linux Desktop	=7.0
Redhat Enterprise Linux Eus	=8.2
Redhat Enterprise Linux Eus	=8.4
Redhat Enterprise Linux For Ibm Z Systems	=7.0
Redhat Enterprise Linux For Ibm Z Systems	=8.0
Redhat Enterprise Linux For Ibm Z Systems Eus	=8.2
Redhat Enterprise Linux For Ibm Z Systems Eus	=8.4
Redhat Enterprise Linux For Power Big Endian	=7.0
Redhat Enterprise Linux For Power Little Endian	=7.0
Redhat Enterprise Linux For Power Little Endian	=8.0
Redhat Enterprise Linux For Power Little Endian Eus	=8.2
Redhat Enterprise Linux For Power Little Endian Eus	=8.4
Redhat Enterprise Linux For Scientific Computing	=7.0
Redhat Enterprise Linux Resilient Storage	=7.0
Redhat Enterprise Linux Server	=7.0
Redhat Enterprise Linux Server Aus	=8.2
Redhat Enterprise Linux Server Aus	=8.4
Redhat Enterprise Linux Server Tus	=8.4
Redhat Enterprise Linux Server Update Services For Sap Solutions	=8.2
Redhat Enterprise Linux Server Update Services For Sap Solutions	=8.4
Redhat Enterprise Linux Tus	=8.2
Redhat Enterprise Linux Workstation	=7.0
Canonical Ubuntu Linux	=18.04
Canonical Ubuntu Linux	=20.04
Canonical Ubuntu Linux	=21.04
Canonical Ubuntu Linux	=21.10
redhat/samba	<0:4.10.16-17.el7_9	0:4.10.16-17.el7_9
redhat/samba	<0:4.14.5-7.el8_5	0:4.14.5-7.el8_5
redhat/samba	<0:4.11.2-18.el8_2	0:4.11.2-18.el8_2
redhat/samba	<0:4.13.3-8.el8_4	0:4.13.3-8.el8_4
redhat/samba	<0:4.11.6-114.el7	0:4.11.6-114.el7
redhat/samba	<0:4.14.5-204.el8	0:4.14.5-204.el8
redhat/redhat-virtualization-host	<0:4.3.21-20220126.0.el7_9	0:4.3.21-20220126.0.el7_9
redhat/samba	<4.15.2	4.15.2
redhat/samba	<4.14.10	4.14.10
redhat/samba	<4.13.14	4.13.14
ubuntu/samba	<2:4.7.6+dfsg~ubuntu-0ubuntu2.26	2:4.7.6+dfsg~ubuntu-0ubuntu2.26
ubuntu/samba	<2:4.13.14+dfsg-0ubuntu0.20.04.1	2:4.13.14+dfsg-0ubuntu0.20.04.1
ubuntu/samba	<2:4.13.14+dfsg-0ubuntu0.21.04.1	2:4.13.14+dfsg-0ubuntu0.21.04.1
ubuntu/samba	<2:4.13.14+dfsg-0ubuntu0.21.10.1	2:4.13.14+dfsg-0ubuntu0.21.10.1
ubuntu/samba	<2:4.13.14+dfsg-0ubuntu1	2:4.13.14+dfsg-0ubuntu1
ubuntu/samba	<2:4.13.14+dfsg-0ubuntu1	2:4.13.14+dfsg-0ubuntu1
ubuntu/samba	<2:4.13.14+dfsg-0ubuntu1	2:4.13.14+dfsg-0ubuntu1
ubuntu/samba	<2:4.13.14+dfsg-0ubuntu1	2:4.13.14+dfsg-0ubuntu1
ubuntu/samba	<4.13.14	4.13.14
debian/samba		2:4.9.5+dfsg-5+deb10u3 2:4.9.5+dfsg-5+deb10u5 2:4.13.13+dfsg-1~deb11u5 2:4.13.13+dfsg-1~deb11u6 2:4.17.12+dfsg-0+deb12u1 2:4.19.5+dfsg-1 2:4.19.6+dfsg-1

Remedy

https://bugzilla.redhat.com/show_bug.cgi?id=2019672

Remedy

Setting "gensec:require_pac=true" in the smb.conf makes, due to a cache prime in winbind, the DOMAIN\user lookup succeed, provided nss_winbind is in use, 'winbind use default domain = no' (the default) and no error paths are hit. It would be prudent to pre-create disabled users in Active Directory matching on all privileged names not held in Active Directory, eg ~~~ samba-tool user add root -H ldap://$SERVER -U$USERNAME%$PASSWORD --random-password samba-tool user add ubuntu -H ldap://$SERVER -U$USERNAME%$PASSWORD --random-password ~~~ (repeat for eg all system users under 1000 in /etc/passwd or special to any other AD-connected services, eg perhaps "admin" for a web-app)

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

collector/nvd-api
collector/redhat-cve
collector/nvd-index
agent/type
agent/last-modified-date
collector/launchpad-cve
source/Launchpad
agent/first-publish-date
collector/nvd-cve
source/NVD
agent/software-canonical-lookup
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2020-25717
agent/remedy
agent/weakness
agent/severity
agent/references
agent/author
agent/tags
agent/description
agent/event
collector/security-tracker-debian
source/Debian
agent/softwarecombine
collector/usn-cve
source/Ubuntu
vendor/samba
canonical/samba samba
version/samba samba/3.0.0
version/samba samba/4.14.0
version/samba samba/4.15.0
vendor/debian
canonical/debian debian linux
version/debian debian linux/9.0
version/debian debian linux/10.0
vendor/fedoraproject
canonical/fedoraproject fedora
version/fedoraproject fedora/33
version/fedoraproject fedora/34
version/fedoraproject fedora/35
vendor/redhat
canonical/redhat codeready linux builder
canonical/redhat gluster storage
version/redhat gluster storage/3.0
version/redhat gluster storage/3.5
canonical/redhat openstack
version/redhat openstack/13
version/redhat openstack/16.1
version/redhat openstack/16.2
canonical/redhat virtualization
version/redhat virtualization/4.0
canonical/redhat virtualization host
version/redhat virtualization host/4.0
canonical/redhat enterprise linux
version/redhat enterprise linux/7.0
version/redhat enterprise linux/8.0
canonical/redhat enterprise linux desktop
version/redhat enterprise linux desktop/7.0
canonical/redhat enterprise linux eus
version/redhat enterprise linux eus/8.2
version/redhat enterprise linux eus/8.4
canonical/redhat enterprise linux for ibm z systems
version/redhat enterprise linux for ibm z systems/7.0
version/redhat enterprise linux for ibm z systems/8.0
canonical/redhat enterprise linux for ibm z systems eus
version/redhat enterprise linux for ibm z systems eus/8.2
version/redhat enterprise linux for ibm z systems eus/8.4
canonical/redhat enterprise linux for power big endian
version/redhat enterprise linux for power big endian/7.0
canonical/redhat enterprise linux for power little endian
version/redhat enterprise linux for power little endian/7.0
version/redhat enterprise linux for power little endian/8.0
canonical/redhat enterprise linux for power little endian eus
version/redhat enterprise linux for power little endian eus/8.2
version/redhat enterprise linux for power little endian eus/8.4
canonical/redhat enterprise linux for scientific computing
version/redhat enterprise linux for scientific computing/7.0
canonical/redhat enterprise linux resilient storage
version/redhat enterprise linux resilient storage/7.0
canonical/redhat enterprise linux server
version/redhat enterprise linux server/7.0
canonical/redhat enterprise linux server aus
version/redhat enterprise linux server aus/8.2
version/redhat enterprise linux server aus/8.4
canonical/redhat enterprise linux server tus
version/redhat enterprise linux server tus/8.4
canonical/redhat enterprise linux server update services for sap solutions
version/redhat enterprise linux server update services for sap solutions/8.2
version/redhat enterprise linux server update services for sap solutions/8.4
canonical/redhat enterprise linux tus
version/redhat enterprise linux tus/8.2
canonical/redhat enterprise linux workstation
version/redhat enterprise linux workstation/7.0
vendor/canonical
canonical/canonical ubuntu linux
version/canonical ubuntu linux/18.04
version/canonical ubuntu linux/20.04
version/canonical ubuntu linux/21.04
version/canonical ubuntu linux/21.10
package-manager/redhat
package-manager/debian
package-manager/ubuntu

CVE-2020-25717: Input Validation

Remedy

Remedy

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

Company

Resources

Contact