CVE-2020-25719: 
Samba vulnerability analysis and mitigation

A critical vulnerability (CVE-2020-25719) was discovered in Samba's Active Directory Domain Controller implementation of Kerberos name-based authentication. The vulnerability affects Samba versions 4.0.0 and later, where the Samba AD DC could become confused about user ticket representation when not strictly requiring a Kerberos PAC (Privilege Attribute Certificate) and using the SIDs within (Samba Advisory).

The vulnerability stems from the intersection of Kerberos name-based authentication and Windows SID-based authorization systems. At this junction, it's possible to confuse a server into acting as one user while holding a ticket for another. Kerberos tickets may remain valid for extended periods (typically 10 hours or longer) and may or may not carry a PAC containing user SIDs. The vulnerability has a CVSS v3.1 Base Score of 7.2 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (Samba Advisory, NVD).

The vulnerability could lead to total domain compromise. Delegated administrators with rights to create user or machine accounts could exploit the race condition between ticket issuance and presentation time to impersonate different accounts, including highly privileged ones (Samba Advisory).

The issue has been fixed in Samba versions 4.15.2, 4.14.10, and 4.13.14. After patching, Samba as an AD DC will always issue a Kerberos PAC in the AD-REQ and require tickets presented back to the DC to have a PAC. Tickets without a Kerberos PAC will be denied after the upgrade. Additionally, Kerberos TCP transport is likely required to connect to the Samba AD DC, as a PAC is unlikely to fit in a UDP packet (Samba Advisory).