CVE-2020-25717: 
Samba vulnerability analysis and mitigation

A critical security flaw (CVE-2020-25717) was discovered in Samba, affecting all versions since Samba 3.0. The vulnerability exists in the way Samba maps domain users to local users when operating as an Active Directory (AD) Domain member. This vulnerability was disclosed in November 2021 and received a CVSS v3.1 base score of 8.1 (HIGH) (Samba Advisory, NVD).

When Samba accepts a Kerberos ticket as an AD Domain member, it must map the information to a local UNIX user-id (uid). The vulnerability stems from Samba's attempt to find a user 'DOMAIN\user' before falling back to trying to find the user 'user'. If the DOMAIN\user lookup fails, a privilege escalation becomes possible. An attacker could create an account named root (by renaming a MachineAccountQuota based machine account) and request a login without a Kerberos PAC. Between obtaining the ticket and presenting it to a server, the attacker could rename the user account, causing Samba to fall back to looking up the local 'root' user, potentially mapping to the privileged UNIX uid of 0 (Samba Advisory).

The vulnerability allows an authenticated attacker to potentially achieve privilege escalation to root access on domain member systems. This could lead to complete system compromise, allowing unauthorized access to sensitive data and system resources (Samba Advisory, NVD).

Several mitigation strategies are available: 1) Set 'gensec:require_pac=true' in smb.conf, 2) Pre-create disabled users in Active Directory matching privileged names, 3) Set ms-DS-MachineAccountQuota to 0 in the Active Directory domain, 4) Use the 'invalid users' option in the [global] section, 5) Enable 'obey pam restrictions = yes' with appropriate PAM configuration. The permanent fix was released in Samba versions 4.15.2, 4.14.10, and 4.13.14 (Samba Advisory).