Partial mitigations for the Nov Samba CVEs

Andrew Bartlett abartlet at
Mon Nov 22 04:28:10 UTC 2021

G'Day Debian Developers and potentially other folks packaging Samba.  

A number of distributions have rightly been reluctant, particularly
given my warnings, to backport the patches for our recent issues to
older versions.  While a monster patch was generated for Samba 4.10,
Samba 4.9 and earlier only support Python 2, and the modern testsuite
validating these changes is written targeting Python 3.6.

Regardless, I've put some thought into what would be the barest of
minimal steps to mitigate the worst of the Samba CVEs issued recently.

In short, for the cases where a full backport is not possible, it would
be good to at least take these patches from

CVE-2020-25722 Ensure the structural objectclass cannot be changed

CVE-2020-25722 dsdb: Restrict the setting of privileged attributes
during LDAP add/modify

The "CVE-2020-25722 Ensure the structural objectclass cannot be
changed" patch is, for the AD DC, the bit that changes this from "any
user can become domain admin" (really horrible) to "semi-privileged
users become domain admin" (bad, but not horrible), and is quite
isolated in terms of backport conflicts.

I would note that for CVE-2020-25717 ([SECURITY] A user on the domain
can become root on domain members) backports have been made to many,
many versions.  This also includes the patch:

CVE-2020-25717: auth/gensec: always require a PAC in domain mode (DC or

That is very helpful on the AD DC for CVE-2020-25719, but there is
still much more to fix that issue if unprivileged users can create
other users.

I hope this helps,

Andrew Bartlett

Andrew Bartlett (he/him)
Samba Team Member (since 2001)
Samba Team Lead, Catalyst IT

Samba Development and Support, Catalyst IT - Expert Open Source
