The Samba-Bugzilla – Attachment 14016 Details for
Bug 13272
[SECURITY] CVE-2018-1057: Unprivileged user can change any user (and admin) password
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
Proposed advisory text
CVE-2018-1057-advisory-v2.txt (text/plain), 4.05 KB, created by
Ralph Böhme
on 2018-03-02 16:46:54 UTC
(
hide
)
Description:
Proposed advisory text
Filename:
MIME Type:
Creator:
Ralph Böhme
Created:
2018-03-02 16:46:54 UTC
Size:
4.05 KB
patch
obsolete
>==================================================================== >== Subject: Authenticated users can change other users password >== >== CVE ID#: CVE-2018-1057 >== >== Versions: All versions of Samba from 4.0.0 onwards. >== >== Summary: On a Samba 4 AD DC any authenticated user can change >== other users passwords over LDAP, including the >== passwords of administrative users. >== >==================================================================== > >=========== >Description >=========== > >On a Samba 4 AD DC the LDAP server in all versions of Samba from >4.0.0 onwards incorrectly validates permissions to modify passwords >over LDAP allowing authenticated users to change any other users >passwords, including administrative users. > >================== >Patch Availability >================== > >A patch addressing this defect has been posted to > > https://www.samba.org/samba/security/ > >Additionally, Samba 4.7.x, 4.6.y and 4.5.z have been issued as >security releases to correct the defect. Patches against older Samba >versions may be available at https://samba.org/samba/patches/. Samba >vendors and administrators running affected versions are advised to >upgrade or apply the patch as soon as possible. > >========== >Workaround >========== > >Rewoke the change passwords right for everyone from all user objects (including >computers) in the directory. Note that this will prevent users from being able >to change their own expired passwords, so the maximum password age should be set >to a value that prevents user passwords from expiring while the workaround is in >place. > >The change password right in AD is an extended object access right with the GUID >ab721a53-1e2f-11d0-9819-00aa0040529b. By default every user and computer object >in the directory grants the change password right to self and everyone. > >The corresponding ACEs are > >self: (OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS) >world: (OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD) > >in SDDL. The components of these ACEs are > >OA: object access allowed >CR: extended rights >PS,WD: trustee: self, everyone > >Of these, the ACE granting the right to everyone (world, WD) must be removed. > >The ACL of any object in the Samba directory can be shown as SDDL with > ># ldbsearch -H /var/lib/samba/private/sam.ldb cn=USER ntSecurityDescriptor > >Alternatively, the ACL can be shown in NDR dump format by appending >"--show-binary": > ># ldbsearch -H /var/lib/samba/private/sam.ldb \ > cn=USER ntSecurityDescriptor --show-binary >... >aces: struct security_ace > type : SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT (5) > flags : 0x00 (0) > 0: SEC_ACE_FLAG_OBJECT_INHERIT > 0: SEC_ACE_FLAG_CONTAINER_INHERIT > 0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT > 0: SEC_ACE_FLAG_INHERIT_ONLY > 0: SEC_ACE_FLAG_INHERITED_ACE > 0x00: SEC_ACE_FLAG_VALID_INHERIT (0) > 0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS > 0: SEC_ACE_FLAG_FAILED_ACCESS > size : 0x0028 (40) > access_mask : 0x00000100 (256) > object : union security_ace_object_ctr(case 5) > object: struct security_ace_object > flags : 0x00000001 (1) > 1: SEC_ACE_OBJECT_TYPE_PRESENT > 0: SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT > type : union security_ace_object_type(case 1) > type : ab721a53-1e2f-11d0-9819-00aa0040529b > inherited_type : union security_ace_object_inherited_type(case 0) > trustee : S-1-1-0 >... > >To temporarily remove this ACE you can use ldbedit: > ># ldbedit -H /var/lib/samba/private/sam.ldb cn=USER ntSecurityDescriptor > >This invokes the configured editor. In the editor search for the string > > (OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD) > >and remove it (be careful about line wraps). Saving and exiting the editor will >apply the change to the directory. > >======= >Credits >======= > >This problem was found by Björn Baumbach from Sernet. Ralph Böhme and >Stefan Metzmacher from SerNet and the Samba Team provided the fix.
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=14016">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Actions:
View
Attachments on
bug 13272
:
13977
|
13978
|
14008
|
14009
|
14010
|
14011
|
14016
|
14028
|
14029
|
14030
|
14031
|
14032
|
14033
|
14034
|
14035
|
14036
|
14038
|
14039
|
14040
|
14041
|
14042
|
14043
|
14044
|
14045
|
14047
|
14048