CVE-2020-25718: 
Samba vulnerability analysis and mitigation

A vulnerability (CVE-2020-25718) was discovered in Samba's Active Directory Domain Controller functionality, specifically in its handling of Read-Only Domain Controllers (RODC). The flaw affects Samba versions 4.0.0 and later, up until versions 4.13.14, 4.14.10, and 4.15.2. The vulnerability was initially reported by Andrew Bartlett and was publicly disclosed with patches being made available (Samba Advisory).

The vulnerability stems from Samba's failure to properly validate RODC authorization when accepting tickets. Specifically, Samba was not confirming if the RODC was authorized to print tickets via the msDS-NeverRevealGroup and msDS-RevealOnDemandGroup (typically 'Allowed RODC Replication Group' and 'Denied RODC Replication Group'). The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD Database).

The vulnerability allows an RODC, which is meant to have minimal privileges in a domain, to print administrator tickets. This effectively bypasses the intended security restrictions on RODCs, potentially leading to privilege escalation and unauthorized administrative access within the domain (Samba Advisory).

The vulnerability has been patched in Samba versions 4.15.2, 4.14.10, and 4.13.14. Administrators are advised to upgrade to these versions or apply the available security patches. The fixes were developed by Andrew Bartlett, Douglas Bagnall, and Joseph Sutton of Catalyst and the Samba Team (Samba Advisory).