CVE-2020-25721: 
Samba vulnerability analysis and mitigation

CVE-2020-25721 affects Samba, specifically all versions since Samba 4.0.0. The vulnerability relates to Kerberos acceptors needing access to stable Active Directory (AD) identifiers. As a response, Samba as an AD DC implemented a way for Linux applications to obtain reliable SID (Security Identifier) and samAccountName in issued tickets (Samba Security).

The vulnerability stems from the need for AD Kerberos accepting services to access unique and long-term stable identifiers for user authorization. While the AD PAC (Privilege Attribute Certificate) provides this information, it was previously kept in an NDR encoded buffer, limiting access to only Samba and applications using Samba components. The solution involves providing an extension to UPN_DNS_INFO, a component of the AD PAC, that can be parsed using basic pointer handling. The vulnerability has a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD Database).

The vulnerability affects authorization processes in Kerberized applications. Without proper access to stable identifiers, applications might confuse one Kerberos user for another, even if they have the same string name, due to the gap between ticket printing by the KDC and ticket acceptance. This is particularly concerning in environments where user/computer creation rights are delegated or where ms-DS-MachineAccountQuota is in use (Samba Security).

The issue has been fixed in Samba versions 4.15.2, 4.14.10, and 4.13.14. As a workaround, it is recommended to pre-create disabled users in Active Directory matching all privileged names not held in Active Directory. For Microsoft Windows Active Directory environments, setting ms-DS-MachineAccountQuota to 0 is advised where possible (Samba Security).