{
  "threat_severity" : "Important",
  "public_date" : "2021-11-09T00:00:00Z",
  "bugzilla" : {
    "description" : "samba: Active Directory (AD) domain user could become root on domain members",
    "id" : "2019672",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2019672"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-20",
  "details" : [ "A flaw was found in the way Samba maps Active Directory domain users to local users on a domain member: when the DOMAIN\\user lookup does not succeed, the mapping can fall back to a local account that merely shares the bare user name. An authenticated domain user could use this flaw to obtain the privileges of such a local account, including root, on domain members." ],
  "acknowledgement" : "Red Hat would like to thank Andrew Bartlett (Catalyst and the Samba Team) and the Samba project for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2021-12-16T00:00:00Z",
    "advisory" : "RHSA-2021:5192",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "samba-0:4.10.16-17.el7_9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2021-12-13T00:00:00Z",
    "advisory" : "RHSA-2021:5082",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "samba-0:4.14.5-7.el8_5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2021-12-13T00:00:00Z",
    "advisory" : "RHSA-2021:5082",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "samba-0:4.14.5-7.el8_5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.2 Extended Update Support",
    "release_date" : "2022-01-11T00:00:00Z",
    "advisory" : "RHSA-2022:0074",
    "cpe" : "cpe:/o:redhat:rhel_eus:8.2",
    "package" : "samba-0:4.11.2-18.el8_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support",
    "release_date" : "2022-01-04T00:00:00Z",
    "advisory" : "RHSA-2022:0008",
    "cpe" : "cpe:/o:redhat:rhel_eus:8.4",
    "package" : "samba-0:4.13.3-8.el8_4"
  }, {
    "product_name" : "Red Hat Gluster Storage 3.5 for RHEL 7",
    "release_date" : "2021-11-29T00:00:00Z",
    "advisory" : "RHSA-2021:4844",
    "cpe" : "cpe:/a:redhat:storage:3.5:samba:el7",
    "package" : "samba-0:4.11.6-114.el7rhgs"
  }, {
    "product_name" : "Red Hat Gluster Storage 3.5 for RHEL 8",
    "release_date" : "2021-11-29T00:00:00Z",
    "advisory" : "RHSA-2021:4843",
    "cpe" : "cpe:/a:redhat:storage:3.5:samba:el8",
    "package" : "samba-0:4.14.5-204.el8rhgs"
  }, {
    "product_name" : "Red Hat Virtualization 4 for Red Hat Enterprise Linux 7",
    "release_date" : "2022-02-07T00:00:00Z",
    "advisory" : "RHSA-2022:0443",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7::hypervisor",
    "package" : "redhat-virtualization-host-0:4.3.21-20220126.0.el7_9"
  }, {
    "product_name" : "Red Hat Virtualization 4 for Red Hat Enterprise Linux 8",
    "release_date" : "2022-01-12T00:00:00Z",
    "advisory" : "RHSA-2022:0133",
    "cpe" : "cpe:/o:redhat:rhev_hypervisor:4.4::el8",
    "package" : "redhat-virtualization-host-0:4.4.9-202201072228_8.5"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "samba",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "samba4",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "samba",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-25717", "https://nvd.nist.gov/vuln/detail/CVE-2020-25717", "https://www.samba.org/samba/security/CVE-2020-25717.html" ],
  "name" : "CVE-2020-25717",
  "mitigation" : {
    "value" : "This is a workaround, not a fix: apply the fixed packages listed under affected_release wherever they are available. Setting \"gensec:require_pac=true\" in smb.conf causes winbind to prime its cache from the PAC, so the DOMAIN\\user lookup succeeds and the fallback to a bare local user name is not reached. This only holds while nss_winbind is in use, 'winbind use default domain = no' (the default) is set, and no error path is hit; a lookup that fails for any other reason can still fall back.  \nAs defence in depth, pre-create disabled users in Active Directory for every privileged local name that is not already held in Active Directory, eg \n~~~\nsamba-tool user add root -H ldap://$SERVER -U$USERNAME --random-password\nsamba-tool user disable root -H ldap://$SERVER -U$USERNAME\nsamba-tool user add ubuntu -H ldap://$SERVER -U$USERNAME --random-password\nsamba-tool user disable ubuntu -H ldap://$SERVER -U$USERNAME\n~~~\n(give the user name without %$PASSWORD so samba-tool prompts for the password instead of exposing it in the process list and shell history; 'user add' creates an enabled account, so the separate 'user disable' step is what makes the placeholder unusable for logon). Repeat for every system user below UID 1000 in /etc/passwd and for any name that is special to another AD-connected service, eg \"admin\" for a web-app.",
    "lang" : "en:us"
  },
  "csaw" : false
}