CVE-2020-25720 Overview
A privilege escalation vulnerability was discovered in Samba where a delegated administrator with permission to create objects in Active Directory can write to all attributes of the newly created object, including security-sensitive attributes, even after the object's creation. This issue occurs because the administrator owns the object due to the lack of an Access Control List (ACL) at the time of creation and is later recognized as the 'creator owner.' The retained significant rights of the delegated administrator may not be well understood, potentially leading to unintended privilege escalation or security risks.
Critical Impact
Delegated administrators can retain elevated privileges over created Active Directory objects, potentially allowing unauthorized modification of security-sensitive attributes and privilege escalation within Samba-based Active Directory environments.
Affected Products
- Samba (Active Directory Domain Controller mode)
- Samba-based Active Directory implementations
- Systems utilizing Samba AD delegation features
Discovery Timeline
- 2024-11-17 - CVE-2020-25720 published to NVD
- 2024-11-18 - Last updated in NVD database
Technical Details for CVE-2020-25720
Vulnerability Analysis
This vulnerability resides in how Samba handles Access Control Lists (ACLs) during Active Directory object creation. When a delegated administrator creates an object in Active Directory, the newly created object lacks a properly defined ACL at the moment of instantiation. As a result, the creating administrator is automatically designated as the object owner and recognized as the "creator owner."
The core issue stems from the fact that the delegated administrator retains significant write permissions to all attributes of the created object, including security-sensitive attributes that should normally be restricted. This behavior persists even after the initial object creation phase is complete, which violates the principle of least privilege that should govern delegated administrative access.
The vulnerability is particularly concerning because delegated administrators are typically granted limited permissions for specific administrative tasks. The unintended retention of broad write access to security-sensitive attributes can be exploited to escalate privileges or modify critical security configurations within the Active Directory environment.
Root Cause
The root cause is classified under CWE-264 (Permissions, Privileges, and Access Controls). The vulnerability exists because Samba fails to properly restrict the permissions granted to delegated administrators after object creation. Specifically, the lack of an ACL at the time of object creation causes the delegated administrator to be assigned as the "creator owner," which grants persistent elevated privileges that extend beyond the intended scope of delegation.
Attack Vector
An attacker with delegated administrator privileges can exploit this vulnerability through the network without user interaction. The attack requires low privileges (delegated admin access) but has high complexity due to the specific conditions required. The exploitation scenario involves:
- An attacker obtains or already possesses delegated administrator credentials with object creation rights
- The attacker creates a new Active Directory object (user, group, or computer)
- Due to the missing ACL during creation, the attacker becomes the "creator owner"
- The attacker then modifies security-sensitive attributes of the created object
- These modifications can include setting elevated group memberships, modifying security identifiers, or altering access control settings
The vulnerability allows modification of attributes that should be protected by proper ACL enforcement, potentially enabling lateral movement or privilege escalation within the domain.
Detection Methods for CVE-2020-25720
Indicators of Compromise
- Unusual attribute modifications on recently created Active Directory objects by delegated administrators
- Changes to security-sensitive attributes (such as userAccountControl, memberOf, or servicePrincipalName) on objects created by non-Domain Admin accounts
- Audit logs showing delegated administrators modifying attributes beyond their intended scope
- Unexpected changes to group memberships or security descriptors on newly created objects
Detection Strategies
- Enable and monitor Active Directory object creation and modification audit logs for delegated administrator accounts
- Implement security monitoring rules to detect when delegated administrators modify security-sensitive attributes on objects they created
- Review Active Directory ACLs periodically to identify objects where creator owners have excessive permissions
- Deploy endpoint detection solutions to monitor Samba Domain Controller activities for privilege escalation patterns
Monitoring Recommendations
- Configure Samba audit logging to capture all object creation and attribute modification events
- Implement SIEM rules to correlate delegated administrator activity with security-sensitive attribute changes
- Monitor for deviations from normal delegated administrator behavior patterns using baseline analysis
- Enable verbose logging on Samba AD DC servers to track ACL assignments during object lifecycle
How to Mitigate CVE-2020-25720
Immediate Actions Required
- Review all delegated administrator accounts and their current permissions within Active Directory
- Audit recently created objects to verify their ACLs are properly configured and no unauthorized modifications have occurred
- Consider temporarily restricting object creation privileges for delegated administrators until patches are applied
- Implement additional monitoring on delegated administrator accounts to detect potential exploitation attempts
Patch Information
Organizations should monitor the Red Hat CVE-2020-25720 Advisory and the Red Hat Bug Report #2305954 for updates on available patches and fixes. Apply vendor-supplied security updates as soon as they become available for your Samba installation.
Workarounds
- Manually review and correct ACLs on all objects created by delegated administrators to remove excessive permissions
- Implement post-creation scripts that automatically apply restrictive ACLs to newly created objects
- Reduce the scope of delegation by limiting which object types delegated administrators can create
- Consider using separate service accounts with tightly scoped permissions rather than broad delegated admin accounts
- Implement organizational units (OUs) with explicit deny ACEs to limit the impact of creator owner permissions
# Configuration example - Review delegated admin permissions
# Use samba-tool to audit object permissions
samba-tool delegation show <delegation-name>
# Review ACLs on specific objects
samba-tool dsacl get --objectdn="CN=TestUser,CN=Users,DC=domain,DC=local"
# Consider implementing delegation with explicit deny for sensitive attributes
# Consult Samba documentation for proper ACL configuration
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
