====================================================================
== Subject:     Authenticated users can change other users password
==
== CVE ID#:     CVE-2018-1057
==
== Versions:    All versions of Samba from 4.0.0 onwards.
==
== Summary:     On a Samba 4 AD DC any authenticated user can change
==              other users passwords over LDAP, including the
==              passwords of administrative users.
==
====================================================================

===========
Description
===========

On a Samba 4 AD DC the LDAP server in all versions of Samba from
4.0.0 onwards incorrectly validates permissions to modify passwords
over LDAP allowing authenticated users to change any other users
passwords, including administrative users.

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  https://www.samba.org/samba/security/

Additionally, Samba 4.7.x, 4.6.y and 4.5.z have been issued as
security releases to correct the defect. Patches against older Samba
versions may be available at https://samba.org/samba/patches/. Samba
vendors and administrators running affected versions are advised to
upgrade or apply the patch as soon as possible.

==========
Workaround
==========

Rewoke the change passwords right for everyone from all user objects
(including computers) in the directory. Note that this will prevent
users from being able to change their own expired passwords.

=======
Credits
=======

This problem was found by Björn Baumbach from Sernet. Ralph Böhme and
Stefan Metzmacher from SerNet and the Samba Team provided the fix.