REDHAT-BUG-2305954
First published: Tue Aug 20 2024(Updated: )
A delegated administrator who can create objects in Active Directory, can write to all attributes in that new object, including after the object is created because they own the object. This includes some security-sensitive attributes (less in Samba that in Windows). Because these rights are due to there being no ACL at creation time and later being the nebulous 'creator owner', the implication that the delegated administrator retains significant rights may not be well understood. Behaviour removing the implicit rights of creating users to write to all attributes is off by default in Samba and Windows (see CVE-2021-42291 ) (As mentioned in the bug, we developed some other protections for this that landed in the other CVEs, which is why this one didn't get the full security notice treatment). The details of how to turn this protection on are at: <a href="https://support.microsoft.com/en-us/topic/kb5008383-active-directory-permissions-updates-cve-2021-42291-536d5555-ffba-4248-a60e-d6cbc849cde1">https://support.microsoft.com/en-us/topic/kb5008383-active-directory-permissions-updates-cve-2021-42291-536d5555-ffba-4248-a60e-d6cbc849cde1</a>
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Microsoft Active Directory | ||
| Samba |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-25720
- agent/severity
- agent/last-modified-date
- agent/references
- agent/type
- agent/event
- agent/first-publish-date
- agent/description
- agent/source
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/microsoft
- canonical/microsoft active directory
- vendor/samba
- canonical/samba