= CVE-2018-1057: Unprivileged user can change any user (and admin) password =

== Advisory ==

(link to the official advisory script)

== Workarounds ==

=== Revoking change passwords rights ===

Revoke the change passwords right for 'the world' from all user objects (including computers) in the directory, leaving only the right to change a user's own password. To do this, run the samba_CVE-2018-1057_helper tool:

 samba_CVE-2018-1057_helper --lock-pwchange

Once CVE-2018-1057 is addressed, you can run

 samba_CVE-2018-1057_helper --unlock-pwchange

to reverse the database edit. The schema is modified to ensure the same is done for new user accounts.

==== Script Options ====

 --no-schema    Do not modify the schema
 --filter       Run on a subset of objects (provide an LDAP filter string)
 --base         The LDAP base to search from
 --scope        The LDAP scope to use (BASE will modify one DN only)
 --dry-run      Do a dry run and do not modify the directory
 -H             LDAP or LDB URL. By preference use a path to the local file, as this will allow transactions
 --configfile   Path to the smb.conf

==== Implications ====

Note that (because expired users cannot log on to LDAP or SAMR) this will prevent users from being able to change their own expired passwords using another account via these protocols. Therefore, if non-Windows clients are in use, the maximum password age should be set to a value that prevents user passwords from expiring while the workaround is in place:

 samba-tool domain passwordsettings set --max-pwd-age=365

This ACL controls password changes over LDAP and SAMR when the authenticated connection is not the same as the user whose password is being changed.

# Kpasswd password changes are not affected, nor are machine account password changes over NETLOGON.
# Windows clients and sssd's ad provider all use Kerberos for password changes, so are '''not impacted.'''
# pam_ldap only supports binding as the user changing their own password, so is likewise '''not impacted.'''
# Samba's winbindd binds as the machine account, and so password changes from '''pam_winbind are impacted.'''

== Not Workarounds ==

Some other techniques come to mind but are not actually effective workarounds.

=== An invalid password check script ===

In the smb.conf set

 '''check password script = /bin/false'''

This will prevent user password changes. No database change is required, so this is very easy to reverse.

==== Implications ====

This '''only applies to user accounts''', including Administrator. However, '''other accounts (DC accounts in particular) are also sensitive,''' as they can also '''modify the domain or read passwords'''.

=== Setting a minimum password length ===

If changing multiple entries in the DB is unacceptable, the most effective, easy to enable and disable, short-term partial mitigation is setting a minimum password length:

==== Show the existing settings: ====

 '''bin/samba-tool domain passwordsettings show'''
 Password informations for domain 'DC=addom,DC=samba,DC=example,DC=com'
 Password complexity: on
 Store plaintext passwords: off
 Password history length: 24
 Minimum password length: 7
 Minimum password age (days): 1
 Maximum password age (days): 42
 Account lockout duration (mins): 30
 Account lockout threshold (attempts): 0
 Reset account lockout after (mins): 30

'''Create a pwsettings.ldif file with:'''

 dn: dc=addom,dc=samba,dc=example,dc=com
 changetype: modify
 replace: minPwdLength
 minPwdLength: 2147483639
 -

==== Run this to set the 2GB min pw length ====

This is protective as parts of Samba refuse to allocate more than 256MB at a time.

 '''# ldbmodify -H /usr/local/samba/private/sam.ldb pwsettings.ldif'''
 Modified 1 records successfully

This only needs to be done on one DC; it will replicate and disable password changes or resets.

This shows it has been set:

 '''bin/samba-tool domain passwordsettings show'''
 Password informations for domain 'DC=addom,DC=samba,DC=example,DC=com'
 Password complexity: on
 Store plaintext passwords: off
 Password history length: 24
 Minimum password length: 2147483639
 Minimum password age (days): 1
 Maximum password age (days): 42
 Account lockout duration (mins): 30
 Account lockout threshold (attempts): 0
 Reset account lockout after (mins): 30

==== This shows how to undo it: ====

 bin/samba-tool domain passwordsettings set -s st/ad_dc/etc/smb.conf --min-pwd-length=7

==== Implications ====

This '''only applies to user accounts''', including Administrator. However, '''other accounts (DC accounts in particular) are also sensitive,''' as they can also '''modify the domain or read passwords''', with slightly more complex tools.
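The following is an added example, not part of this wiki page or of Samba's own tooling. It parses the text that <code>samba-tool domain passwordsettings show</code> prints (the sample output below is constructed to match the page), reports whether the minimum-password-length mitigation is in effect (any value at or above the 256MB allocation ceiling the page mentions counts as a lock) and whether the maximum password age is long enough for the ACL-based workaround, and builds the same <code>minPwdLength</code> LDIF the page shows so that the set and the undo use one code path. The <code>ALLOC_CEILING</code> constant and the treatment of <code>--max-pwd-age=0</code> as "never expires" are this example's assumptions.

```python
"""Added example (not from the Samba wiki page or Samba's own tooling):
check the CVE-2018-1057 minimum-password-length mitigation from the output of
``samba-tool domain passwordsettings show`` and build the minPwdLength LDIF.

Usage against a live DC:  samba-tool domain passwordsettings show | python3 pwcheck.py -
Without arguments it runs on the constructed sample below.
"""
import sys

# Value the page sets: larger than Samba's allocation ceiling, so no password
# change can satisfy it.
MITIGATION_MIN_PWD_LENGTH = 2147483639
# Assumption for this example: parts of Samba refuse allocations above 256MB,
# so any minimum length at or above this is treated as an effective lock.
ALLOC_CEILING = 256 * 1024 * 1024
# The --max-pwd-age value the page recommends while the ACL lock is in place.
RECOMMENDED_MAX_PWD_AGE_DAYS = 365

# Constructed sample: samba-tool output before the workaround, as on the page.
SAMPLE_BEFORE = """\
Password informations for domain 'DC=addom,DC=samba,DC=example,DC=com'
Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30
"""

# Constructed sample: the same domain after the 2GB minimum was applied.
SAMPLE_AFTER = SAMPLE_BEFORE.replace("Minimum password length: 7",
                                     "Minimum password length: %d" % MITIGATION_MIN_PWD_LENGTH)


def parse_password_settings(text):
    """Turn samba-tool's 'key: value' lines into a dict (numeric values as int).
    The domain DN from the header line is stored under the key 'domain'."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Password informations for domain"):
            # Header has no colon; the DN is the single-quoted part.
            settings["domain"] = line.split("'")[1]
            continue
        if ":" not in line:
            continue
        key, val = line.split(":", 1)
        val = val.strip()
        settings[key.strip()] = int(val) if val.isdigit() else val
    return settings


def assess(settings, expected_max_age_days=RECOMMENDED_MAX_PWD_AGE_DAYS):
    """Report the state of the two mitigations the page describes."""
    min_len = settings.get("Minimum password length", 0)
    max_age = settings.get("Maximum password age (days)", 0)
    return {
        "domain": settings.get("domain"),
        # True when no password change can succeed (the 2GB minimum).
        "min_length_lock": min_len >= ALLOC_CEILING,
        "max_age_days": max_age,
        # Assumption: 0 means 'never expires', as with --max-pwd-age=0; otherwise
        # the age must be at least the value the page recommends.
        "expiry_safe_for_acl_lock": max_age == 0 or max_age >= expected_max_age_days,
    }


def minpwdlength_ldif(domain_dn, value):
    """LDIF that replaces minPwdLength on the domain object, in the same shape
    as the page's pwsettings.ldif. Use MITIGATION_MIN_PWD_LENGTH to lock and the
    previously parsed 'Minimum password length' to undo."""
    return ("dn: %s\n" % domain_dn +
            "changetype: modify\n"
            "replace: minPwdLength\n"
            "minPwdLength: %d\n" % value +
            "-\n")


def main():
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_BEFORE
    settings = parse_password_settings(text)
    report = assess(settings)
    for key, val in report.items():
        print("%-26s %s" % (key + ":", val))
    if not report["min_length_lock"]:
        print("\nLDIF to apply the minimum-length lock (ldbmodify -H <sam.ldb> file.ldif):\n")
        print(minpwdlength_ldif(settings["domain"], MITIGATION_MIN_PWD_LENGTH))


if __name__ == "__main__":
    main()
```

Run it with <code>-</code> to read a live <code>samba-tool domain passwordsettings show</code> on stdin; the undo LDIF is <code>minpwdlength_ldif(dn, old_value)</code> with the value recorded before the lock was applied, which is the same effect as the page's <code>--min-pwd-length=7</code> command.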