CVE-2020-25720
📋 TL;DR
This Samba vulnerability allows delegated administrators who hold object creation permissions in Active Directory to modify security-sensitive attributes of objects they created, even after creation. This occurs because the creating administrator retains 'creator owner' rights on the new object, since the ACLs that should have restricted them were not applied during object creation. Organizations running Samba as an AD domain controller with delegated administration are affected.
💻 Affected Systems
- Samba
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Delegated administrators could escalate privileges by modifying security attributes like group memberships or access controls, potentially gaining domain administrator rights.
Likely Case
Delegated administrators unintentionally or intentionally modify sensitive object attributes beyond their intended permissions, leading to privilege creep or security misconfigurations.
If Mitigated
With proper monitoring and least privilege in place, impact is limited to an audit trail of unauthorized modifications that can be detected and rolled back.
🎯 Exploit Status
Exploitation requires delegated administrator privileges and knowledge of Active Directory object manipulation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Samba 4.13.14, 4.14.9, 4.15.3 or later
Vendor Advisory: https://www.samba.org/samba/security/CVE-2020-25720.html
Restart Required: Yes
Instructions:
1. Back up the Samba configuration and AD data.
2. Upgrade to a patched Samba version.
3. Restart Samba services.
4. Verify that ACL inheritance is working correctly on newly created objects.
🔧 Temporary Workarounds
Restrict delegated administration
Limit object creation permissions to only essential administrators and implement strict monitoring of object modifications.
Implement ACL auditing
Enable detailed auditing of object creation and modification events in Active Directory.
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
🧯 If You Can't Patch
- Implement strict monitoring of all object creation and modification events by delegated administrators
- Apply the principle of least privilege: remove object creation permissions from delegated administrators where possible
🔍 How to Verify
Check if Vulnerable:
Check the Samba version with 'samba --version' and compare it against the patched versions listed above. Verify whether the host runs as an AD DC with delegated administration in use.
Check Version:
samba --version
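The version comparison described above, as an added example (not part of this advisory or of Samba): it parses the output of 'samba --version' and checks it against the per-series fix levels from the vendor advisory (4.13.14, 4.14.9, 4.15.3), treating later series as fixed and end-of-life earlier series as unpatched.

```python
import re
import subprocess

# Fix levels per release series from the vendor advisory for CVE-2020-25720.
# Releases in these series below the listed patch level are unpatched.
FIXED = {(4, 13): 14, (4, 14): 9, (4, 15): 3}


def parse_version(output: str):
    """Extract (major, minor, patch) from 'samba --version' output,
    e.g. 'Version 4.13.2-Ubuntu' -> (4, 13, 2)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", output)
    if not m:
        raise ValueError(f"no version number found in: {output!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version) -> bool:
    """True if the upstream release carries the fix for CVE-2020-25720."""
    major, minor, patch = version
    series = (major, minor)
    if series in FIXED:
        return patch >= FIXED[series]
    # Series after 4.15 were released with the fix; series before 4.13
    # were already end-of-life and never received it.
    return series > (4, 15)


def check_installed_samba() -> str:
    """Run the local samba binary and classify it (requires samba on PATH)."""
    out = subprocess.run(["samba", "--version"], capture_output=True,
                         text=True, check=True).stdout
    return "patched" if is_patched(parse_version(out)) else "vulnerable"


if __name__ == "__main__":
    print(check_installed_samba())
```

Distribution packages may backport the fix without raising the upstream version string, so treat a "vulnerable" result as a prompt to check the distribution's own advisory rather than as final.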
Verify Fix Applied:
After patching, test creating objects as delegated administrator and verify ACLs are properly applied immediately after creation.
📡 Detection & Monitoring
Log Indicators:
- Unusual object creation/modification events by delegated administrators
- Modifications to security-sensitive attributes shortly after object creation
Network Indicators:
- LDAP modify operations on newly created objects from delegated administrator accounts
SIEM Query:
source="samba" AND (event="object creation" OR event="object modification") AND user="delegated_admin_*"