Congratulations to Catalyst’s Andrew Bartlett, who was recently on the 2021 Q4 Security Reseacher Leader-board at Microsoft, for his work with Samba and Microsoft’s Active Directory.
Samba is an open source authentication and user management and interoperability suite for Linux and Unix servers. Samba does many things, but at Catalyst we are core developers on the feature that replaces Microsoft Active Directory in Windows environments. Sometimes the Samba team discovers oddities in testing: things that work in ways they shouldn’t.
While always working to be compatible, the Samba team also independently decides if something is secure and if it’s not then they report the issue to Microsoft.
The Samba team at Catalyst have an excellent relationship with Microsoft and can talk to their engineers about problems they discover, and then go in and patch it at the same time.
The issue Andrew found turned out to be a critical vulnerability in the Windows Kerberos protocol, where a normal account was enough to take over the whole domain. The only thing more serious would be if you didn’t need an account at all. The security issue was disclosed to Microsoft around May 2021, the teams both inside Microsoft and from around Samba spent about six months working hard to make sure it all came together.
Catalyst took on much of the effort to fix the issue in Samba and in turn Catalyst thanks Univention who helped pay for some of the work to fix this security issue.
A particularly important role was taken by Joseph Sutton, another Samba developer here at Catalyst, who built scripts that fully automated the exploitation of the issue, to ease reproduction, as well as following up with the automated testing of the fixes for the issues.
This isn’t the first issue Andrew has found in Windows: around six years ago Andrew found another issue with the machine account quota, which is a feature in the Active Directory that allows normal users to create accounts. Andrew found that you could create 10 machine accounts, which could then create 10 machine accounts, and so on. Ideally it shouldn’t be possible to create an account in central trusted database without being administrator but Microsoft’s Windows allowed it. Andrew reported this issue to Microsoft and then worked closely with Microsoft’s engineers to ensure the problem was fixed completely.
Likewise on this most recent issue, Andrew worked closely with Microsoft, and even with some of the same engineers, while he coordinated the work to ensure the fixes would be complete and compatible – so they didn’t end up fixing the problem differently.
The Catalyst Samba team has a very good ongoing relationship with Microsoft’s engineers and we will continue to work together when we find flaws.
The expert Catalyst Samba team provides industry-leading support and development services with a special focus on the Samba Active Directory Domain Controller. We use Samba to integrate our solutions with enterprise networks built on Microsoft's Windows to enable seamless interoperability.