<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<title>Samba - Security Announcement Archive</title>
<H2>CVE-2018-16857.html:</H2>
================================================================
== Subject: Bad password count in AD DC not always effective
== CVE ID#: CVE-2018-16857
== Versions: Samba 4.9.0 and later
== Summary: AD DC configurations watching for bad passwords
(to restrict brute forcing of passwords)
in a window of more than 3 minutes may
not watch for bad passwords at all.
================================================================
By default, Samba will remember bad passwords for 30 minutes:

$ samba-tool domain passwordsettings show
Reset account lockout after (mins): 30

This is also known as the 'bad password observation window' and is
configured in the lockOutObservationWindow attribute on the domain DN
or in a fine-grained password policy (also known as a Password
Settings Object - PSO).
If this value is set to more than 3 minutes, bad password lockout

If the setting were 8-10 minutes or 15-16 minutes, Samba would still
offer some bad password lockout protection, but would use a smaller
observation window than configured (somewhere between 41 and 170 seconds,
depending on the actual configured setting).

For all other configured observation windows over 3 minutes (including
the default), bad password counting will not work. This means the
badPwdCount attribute (which stores repeated bad password attempts)
will never exceed 1. The 'account lockout threshold' will therefore
never be hit, and the user will never be locked out.

The primary risk from this issue is to domains that have
been upgraded from Samba 4.8 and earlier. In these cases the manual
testing done to confirm an organisation's password policies apply as
expected may not have been repeated after the upgrade.
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N (5.9)

Patches addressing this issue have been posted to:

http://www.samba.org/samba/security/

Additionally, Samba 4.9.3 has been issued as a security release to
correct the defect. Samba administrators are advised to upgrade to
this release or apply the patch as soon as possible.
=========================
Workaround and mitigation
=========================

Bad password lockout is not configured by default; it only takes
effect once a threshold has been set, e.g.:

samba-tool domain passwordsettings set --account-lockout-threshold=3

To mitigate the issue, set a shorter 'Reset account lockout after'
window (the ineffective default is 30, anything less than 3 will

samba-tool domain passwordsettings set --reset-account-lockout-after=3

Note that this setting controls how long Samba remembers bad
password attempts for, rather than how long the account is locked
(which is controlled by --account-lockout-duration).

NOTE: If a fine-grained password policy (PSO) is set, this must also
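As an added audit check (not code from the Samba project or from this advisory), the following Python parses the output of `samba-tool domain passwordsettings show`, decides from the advisory's stated ranges whether a given Samba version with that configuration still counts bad passwords, and prints the mitigation command quoted above when it does not. The sample output is constructed (only the 'Reset account lockout after' line is quoted on this page; the other lines mirror the command's usual format), and the names `parse_passwordsettings`, `effective_counting`, `assess` and `Assessment` are this example's own. It looks only at the domain-wide policy, not at any PSO.

```python
"""Audit helper for CVE-2018-16857 (added example, not Samba project code)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample output, modelled on the one line quoted in the advisory;
# the remaining lines follow the usual layout of this samba-tool command.
SAMPLE_SHOW_OUTPUT = """\
Password information for domain 'DC=example,DC=com'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 3
Reset account lockout after (mins): 30
"""

AFFECTED_FROM = (4, 9, 0)   # advisory: Samba 4.9.0 and later are affected
FIXED_IN = (4, 9, 3)        # advisory: Samba 4.9.3 corrects the defect


def parse_passwordsettings(text):
    """Turn the 'Key: value' lines of the show output into a dict."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^([^:]+):\s*(.+?)\s*$", line)
        if m:
            settings[m.group(1).strip()] = m.group(2)
    return settings


def parse_version(version):
    """'4.9.1' -> (4, 9, 1); any distro suffix after the third number is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised Samba version: %r" % version)
    return tuple(int(p) for p in m.groups())


def effective_counting(window_mins):
    """Classify an observation window (minutes) using the advisory's ranges."""
    if window_mins <= 3:
        return "full"      # counting works as configured
    if 8 <= window_mins <= 10 or 15 <= window_mins <= 16:
        return "reduced"   # still counts, but only over a 41-170 s window
    return "none"          # badPwdCount never exceeds 1, lockout never triggers


@dataclass
class Assessment:
    lockout_enabled: bool        # threshold > 0 (0 means lockout is off)
    window_mins: int
    version_affected: bool
    counting: str                # 'full', 'reduced' or 'none'
    mitigation: Optional[str]    # command to run, or None if nothing to do


def assess(show_output, samba_version):
    """Combine the parsed policy and the version into an Assessment."""
    s = parse_passwordsettings(show_output)
    threshold = int(s["Account lockout threshold (attempts)"])
    window = int(s["Reset account lockout after (mins)"])
    affected = AFFECTED_FROM <= parse_version(samba_version) < FIXED_IN
    counting = effective_counting(window) if affected else "full"
    mitigation = None
    # Only worth acting on when lockout is actually configured.
    if threshold > 0 and affected and counting != "full":
        mitigation = ("samba-tool domain passwordsettings set "
                      "--reset-account-lockout-after=3")
    return Assessment(threshold > 0, window, affected, counting, mitigation)


if __name__ == "__main__":
    result = assess(SAMPLE_SHOW_OUTPUT, "4.9.1")
    print(result)
    if result.mitigation:
        print("run:", result.mitigation)
```

On a real DC, feed the function the captured output of `samba-tool domain passwordsettings show` and the output of `samba -V`; a `counting` value of `none` with `lockout_enabled` set is the condition the advisory describes, and the returned command is the workaround given above.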
Originally reported by Isaac Boukris

Patches provided by Tim Beale of Catalyst and the Samba team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
==========================================================