Recently fix pack updates were released for various Samba versions, which were the versions 4.15.2, 4.14.10 and 4.13.14, they implemented changes that include the elimination of 8 vulnerabilities, most of which can lead to a complete compromise of the Active Directory domain.
It should be noted that one of the issues was fixed in 2016, and five, as of 2020, although one fix resulted in the inability to run winbindd in the presence settings «allow trusted domains = no»(The developers intend to immediately release another update for repair).
These functions can be quite dangerous in the wrong hands, as the user qWhoever creates such accounts has extensive privileges not only to create them and set their passwords, but to rename them at a later time with the only restriction is that they may not match an existing samAccountName.
When Samba acts as a member of the AD domain and accepts a Kerberos ticket, it must map the information found there to a local UNIX user ID (uid). This is currently done via account name in Active Directory Generated Kerberos Privileged Attribute Certificate (PAC), or the account name on ticket (if there is no PAC).
For example, Samba will try to find a user "DOMAIN \ user" before resorting to trying to find the user "user". If the search for DOMAIN \ user can fail, then a privilege climbing is possible.
For those unfamiliar with Samba, you should know that this is a project that continues the development of the Samba 4.x branch with a full implementation of a domain controller and Active Directory service, compatible with the Windows 2000 implementation and capable to serve all versions of Windows clients supported by Microsoft, including Windows 10.
Samba 4, is a multifunctional server product, which also provides the implementation of a file server, print service and authentication server (winbind).
Of the vulnerabilities that were eliminated in the released updates, the following are mentioned:
- CVE-2020-25717- Due to a flaw in the logic of mapping domain users to local system users, an Active Directory domain user who has the ability to create new accounts on their system, managed through ms-DS-MachineAccountQuota, could gain root access to other systems included in the domain.
- CVE-2021-3738- Access to a memory area already freed (Use after free) in the Samba AD DC RPC (dsdb) server implementation, which can potentially lead to privilege escalation when manipulating connection settings.
CVE-2016-2124- Client connections established using the SMB1 protocol could be passed to transmitting authentication parameters in plain text or using NTLM (for example, to determine credentials for MITM attacks), even if the user or application is configured as authentication Mandatory through Kerberos. - CVE-2020-25722- Adequate storage access checks were not performed on a Samba-based Active Directory domain controller, allowing any user to bypass credentials and completely compromise the domain.
- CVE-2020-25718- Kerberos tickets issued by the RODC (read-only domain controller) were not properly isolated to the Samba-based Active Directory domain controller, which could be used to obtain administrator tickets from the RODC without having the authority to do so that.
- CVE-2020-25719- Samba based Active Directory domain controller did not always take into account SID and PAC fields in Kerberos tickets in package (when setting "gensec: require_pac = true", only name and PAC not taken in account), which allowed the user, who has the right to create accounts on the local system, to impersonate another domain user, including a privileged one.
- CVE-2020-25721: For users authenticated using Kerberos, unique identifiers for Active Directory (objectSid) were not always issued, which could lead to user-user intersections.
- CVE-2021-23192- During the MITM attack, it was possible to spoof fragments in large DCE / RPC requests that were split into multiple parts.
Finally, if you are interested in knowing more about it, you can consult the details in the following link.