CVE-2020-25720: 
Samba vulnerability analysis and mitigation

A vulnerability (CVE-2020-25720) was discovered in Samba's Active Directory implementation where a delegated administrator with permission to create objects can write to all attributes of newly created objects, including security-sensitive attributes, even after object creation. This vulnerability was reported in November 2024 and affects Samba's Active Directory Domain Controller functionality (NVD, Ubuntu).

The vulnerability occurs because the administrator owns the object due to the lack of an Access Control List (ACL) at the time of creation and later being recognized as the 'creator owner.' The CVSS v3.1 base score is 7.5 (High) with the vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network vector, high attack complexity, low privileges required, and high impacts on confidentiality, integrity, and availability (RedHat).

The retained significant rights of the delegated administrator may not be well understood, potentially leading to unintended privilege escalation or security risks. The vulnerability allows administrators to modify security-sensitive attributes, which could compromise the security of the Active Directory environment (NVD).

Patches for this CVE have been committed to Samba master to be consistent with changes Microsoft introduced, though stable releases were not initially patched. The behavior of removing implicit rights of creating users to write to all attributes is disabled by default in both Samba and Windows (Samba).