CVE-2020-25719

7.2 HIGH

📋 TL;DR

This vulnerability in Samba's Active Directory Domain Controller lets an authenticated attacker in the domain be treated as a different user during Kerberos authentication. The DC did not strictly require the Kerberos PAC (Privilege Attribute Certificate) and did not always use the SIDs it carries, so it could fall back to resolving the account by name and become confused about which user a ticket represents. The result can be impersonation of other domain users, up to and including total domain compromise. Only Samba deployments acting as an AD DC are affected.

💻 Affected Systems

Products:
  • Samba
Versions: Samba 4.0.0 and later acting as an AD DC, before 4.13.14, 4.14.10 and 4.15.2 (earlier release series were end of life when the fix shipped and received no fixed release)
Operating Systems: Linux, Unix-like systems running Samba AD DC
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Samba installations configured as Active Directory Domain Controllers. File server-only configurations are not vulnerable.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Total domain compromise where attackers gain administrative privileges over the entire Active Directory domain, allowing them to create/delete users, modify permissions, and access all domain resources.

🟠

Likely Case

Privilege escalation where attackers gain unauthorized access to sensitive resources by impersonating legitimate domain users with higher privileges.

🟢

If Mitigated

Limited impact with proper network segmentation and monitoring, where unauthorized access attempts are detected and contained before significant damage occurs.

🌐 Internet-Facing: MEDIUM - While Samba AD DCs are typically internal, misconfigurations or DMZ deployments could expose them, but exploitation requires Kerberos access.
🏢 Internal Only: HIGH - This is primarily an internal threat where attackers with network access can exploit the vulnerability to move laterally and escalate privileges within the domain.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires existing network access to the DC and a domain account able to take part in Kerberos authentication; the attacker must authenticate, so this is not an unauthenticated bug. Public proof-of-concept code exists.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Samba 4.13.14, 4.14.10, 4.15.2 or later (security releases of 9 November 2021)

Vendor Advisory: https://www.samba.org/samba/security/CVE-2020-25719.html

Restart Required: Yes

Instructions:

1. Back up smb.conf and the AD DC's database directories (the private and state directories, typically under /var/lib/samba).
2. Update Samba to a patched version using your distribution's package manager. Distributions that backport the fix keep the old version number, so check the package changelog for CVE-2020-25719 as well.
3. Restart the AD DC service: 'systemctl restart samba-ad-dc' on Debian/Ubuntu, 'systemctl restart samba' on most other distributions.
4. Verify the update with 'smbd -V' (or 'samba -V').

🔧 Temporary Workarounds

Enforce PAC Validation

linux

Configure the AD DC to reject Kerberos tickets that carry no PAC, so that identity always comes from the SIDs in the PAC rather than from an account-name lookup.

Add 'gensec:require_pac = true' to the [global] section of smb.conf and restart the AD DC service. This is the parametric option the fix turns on by default; on its own it is a partial mitigation, not a replacement for the patch, which also changes how the DC resolves the account behind a ticket.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Samba AD DCs from untrusted networks
  • Enable Samba's authentication audit logging (for example 'log level = 1 auth_audit:3 auth_json_audit:3' in [global]) and monitor for successful logons where the requested account and the account the DC mapped it to differ

🔍 How to Verify

Check if Vulnerable:

Run 'smbd -V' (or 'samba -V') and check whether the version is below the fixed release for its series: 4.13.14, 4.14.10 or 4.15.2. Confirm the host is acting as an AD DC with 'testparm -s 2>/dev/null | grep -i "server role"' (expect 'active directory domain controller'); file-server-only and domain-member hosts are not affected. A distribution package may carry a backported fix under an older version number, so check the package changelog for CVE-2020-25719 before concluding a host is vulnerable.

Check Version:

smbd -V

Verify Fix Applied:

After patching, confirm that 'smbd -V' reports 4.13.14, 4.14.10, 4.15.2 or later (or that the package changelog lists CVE-2020-25719), that the AD DC service was restarted, and that Kerberos logons still work for ordinary users and machine accounts (for example 'kinit user@REALM' followed by a Kerberos-authenticated smbclient connection to the DC).
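The version and role checks described under "Check if Vulnerable" and "Verify Fix Applied", as an added example that is not part of the original page or the Samba project. It parses the output of 'smbd -V' and 'testparm -s' rather than calling them in the checking functions, so the logic can be exercised on captured strings; the fixed release numbers are taken from the Samba advisory, and the output formats of the two commands are assumed as shown in the comments.

```python
"""Added example, not from the Samba advisory or the Samba project: classify a
Samba build against the releases that fix CVE-2020-25719 and confirm the host
is actually an AD DC, so file-server-only hosts are not flagged."""
import re
import subprocess

# Releases carrying the fix, per the Samba advisory: 4.13.14, 4.14.10, 4.15.2.
FIXED_PATCH_LEVEL = {13: 14, 14: 10, 15: 2}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(smbd_v_output):
    """Extract (major, minor, patch) from 'smbd -V' / 'samba -V' output such as
    'Version 4.13.13-Debian'.  Returns None if no x.y.z triple is present."""
    match = VERSION_RE.search(smbd_v_output)
    return tuple(int(part) for part in match.groups()) if match else None


def is_fixed(version):
    """True if this version is at or after the fix for its release series.

    Series before 4.13 were end of life when the fix shipped and received no
    fixed release, so they are treated as vulnerable; series after 4.15 were
    cut after the fix landed.
    """
    major, minor, patch = version
    if major != 4:
        return major > 4
    if minor < 13:
        return False
    if minor > 15:
        return True
    return patch >= FIXED_PATCH_LEVEL[minor]


def is_ad_dc(testparm_output):
    """True if 'testparm -s' output declares the AD DC server role.

    Assumed formats: 'server role = active directory domain controller' in the
    dumped [global] section (stdout) and 'Server role: ROLE_ACTIVE_DIRECTORY_DC'
    in the summary (stderr); accept either.
    """
    text = testparm_output.lower()
    if "role_active_directory_dc" in text:
        return True
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "server role":
            return value.strip() == "active directory domain controller"
    return False


def assess(smbd_v_output, testparm_output):
    """Combine both checks into one verdict.

    Caveat: distributions that backport the fix keep the old version number,
    so a 'vulnerable' verdict must be confirmed against the package changelog.
    """
    if not is_ad_dc(testparm_output):
        return "not-an-ad-dc"
    version = parse_version(smbd_v_output)
    if version is None:
        return "unknown-version"
    return "fixed" if is_fixed(version) else "vulnerable"


def _run(cmd):
    """Run a local command and return stdout and stderr together."""
    proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    # Live check on the local host; both binaries ship with Samba.
    try:
        print(assess(_run(["smbd", "-V"]), _run(["testparm", "-s"])))
    except FileNotFoundError:
        print("not-an-ad-dc: Samba binaries not installed")
```

Run it on each DC as part of the patch rollout; the verdict is only a version check, so treat "vulnerable" on a distribution-packaged Samba as a prompt to read the changelog, not as proof.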

📡 Detection & Monitoring

Log Indicators:

  • Unusual Kerberos authentication patterns
  • Successful Kerberos authentications in which the account named in the request differs from the account the DC mapped it to (the audit log has no field for PAC presence, so the account mapping is the signal to watch)
  • Multiple failed authentication attempts followed by successful access

Network Indicators:

  • Unusual Kerberos ticket requests from unexpected sources
  • Authentication traffic patterns inconsistent with normal user behavior

SIEM Query:

Illustrative query over Samba's JSON authentication audit events; exact field names depend on how your collector flattens the JSON:

source="samba" type="Authentication" Authentication.status="NT_STATUS_OK" Authentication.serviceDescription="Kerberos KDC" | where lower('Authentication.clientAccount') != lower('Authentication.mappedAccount')
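The same detection as runnable code, added here as an example and not taken from the page or the Samba project. The log lines are constructed; the event shape and field names ("type": "Authentication", "status", "clientAccount", "mappedAccount", "remoteAddress", "serviceDescription") follow Samba's JSON auth audit output as assumed here and should be checked against a real DC's log before the rule is deployed.

```python
"""Added example, not from the page or the Samba project: flag successful
Samba authentications whose requested account differs from the account the DC
resolved it to.  Field names follow Samba's JSON auth audit output
('log level = 1 auth_json_audit:3') as assumed here; verify against your logs."""
import json


def make_audit_line(client, mapped, status="NT_STATUS_OK",
                    remote="ipv4:10.0.0.21:51234"):
    """Build one constructed audit line in the assumed shape Samba writes:
    a 'JSON Authentication: ' prefix followed by the event object."""
    event = {
        "timestamp": "2021-11-10T09:00:00.000000+0000",
        "type": "Authentication",
        "Authentication": {
            "version": {"major": 1, "minor": 2},
            "eventId": 4624 if status == "NT_STATUS_OK" else 4625,
            "status": status,
            "serviceDescription": "Kerberos KDC",
            "authDescription": "ENC-TS Pre-authentication",
            "clientDomain": "EXAMPLE",
            "clientAccount": client,
            "mappedDomain": "EXAMPLE",
            "mappedAccount": mapped,
            "remoteAddress": remote,
        },
    }
    return "JSON Authentication: " + json.dumps(event)


# Constructed sample log: benign user and machine logons, a case-only
# difference, two suspicious mappings, one failure and a non-JSON line.
SAMPLE_LOG = [
    make_audit_line("alice", "alice"),
    make_audit_line("WS01$", "WS01$"),
    make_audit_line("Alice", "alice"),
    make_audit_line("dc01", "DC01$", remote="ipv4:10.0.0.99:50001"),
    make_audit_line("bob", "Administrator"),
    make_audit_line("eve", "Administrator", status="NT_STATUS_WRONG_PASSWORD"),
    "smbd[1234]: non-JSON noise that the parser must skip",
]


def parse_audit_line(line):
    """Return the Authentication event from a log line, or None for anything
    that is not a JSON audit event (plain smbd log lines, other event types)."""
    start = line.find("{")
    if start < 0:
        return None
    try:
        event = json.loads(line[start:])
    except json.JSONDecodeError:
        return None
    return event if event.get("type") == "Authentication" else None


def find_identity_mismatches(lines):
    """Return (clientAccount, mappedAccount, remoteAddress) for each successful
    authentication where the requested and resolved account names differ.

    The comparison is case-insensitive but keeps the trailing '$', so a
    user-style name resolving to a machine account (dc01 -> DC01$) is reported.
    This is a heuristic: UPN-style logons can legitimately map to a differently
    named sAMAccountName, so hits need triage rather than blind alerting.
    """
    hits = []
    for line in lines:
        event = parse_audit_line(line)
        if event is None:
            continue
        auth = event.get("Authentication", {})
        if auth.get("status") != "NT_STATUS_OK":
            continue
        client, mapped = auth.get("clientAccount"), auth.get("mappedAccount")
        if not client or not mapped:
            continue
        if client.lower() != mapped.lower():
            hits.append((client, mapped, auth.get("remoteAddress")))
    return hits


if __name__ == "__main__":
    for client, mapped, remote in find_identity_mismatches(SAMPLE_LOG):
        print(f"identity mismatch: {client!r} resolved to {mapped!r} from {remote}")
```

Point the script at the DC's log file (or feed the lines from your collector) and baseline the hits first: a domain that uses UPN logons will produce benign mismatches that need to be allow-listed before the rule is turned into an alert.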
