The Samba-Bugzilla – Attachment 14033 Details for Bug 13272
[SECURITY] CVE-2018-1057: Unprivileged user can change any user (and admin) password
proposed wiki text describing how to run the script
CVE-2018-1057-wiki.abartlet02.txt (text/plain), 4.58 KB, created by Andrew Bartlett on 2018-03-12 03:31:40 UTC
=CVE-2018-1057: Unprivileged user can change any user (and admin) password=

== Advisory ==

(link to the official advisory script)

== Workarounds ==

=== Revoking change passwords rights ===

Revoke the change passwords right for 'the world' from all user objects (including computers) in the directory, leaving only the right to change a user's own password.

To do this, run the samba_CVE-2018-1057_helper tool:

 samba_CVE-2018-1057_helper --lock-pwchange

Once CVE-2018-1057 is addressed, reverse the database edit with:

 samba_CVE-2018-1057_helper --unlock-pwchange

The schema is also modified, so that newly created user accounts get the same restricted ACL.

====Script Options====

 --no-schema    Do not modify the schema
 --filter       Run on a subset of objects (provide an LDAP filter string)
 --base         The LDAP base to search from
 --scope        The LDAP scope to use (BASE will modify one DN only)
 --dry-run      Do a dry run and do not modify the directory
 -H             LDAP or LDB URL. By preference use a path to the local file as this will allow transactions
 --configfile   Path to the smb.conf

====Implications====

Note that (because expired users cannot log on to LDAP or SAMR) this will prevent users from being able to change their own expired passwords using another account via these protocols.

Therefore if non-Windows clients are in use the maximum password age should be set to a value that prevents user passwords from expiring while the workaround is in place:

 samba-tool domain passwordsettings set --max-pwd-age=365

This ACL controls password changes over LDAP and SAMR when the authenticated connection is not the user whose password is being changed.

# Kpasswd password changes are not affected, nor are machine account password changes over NETLOGON.
# Windows clients and sssd's ad provider all use Kerberos for password changes so are '''not impacted.'''
# pam_ldap only supports binding as the user changing their own password, so is likewise '''not impacted.'''
# Samba's winbindd binds as the machine account and so password changes from '''pam_winbind are impacted.'''

== Not Workarounds ==

Some other techniques come to mind but are not actually effective workarounds.

=== An invalid password check script ===

In the smb.conf set

 '''check password script = /bin/false'''

This will prevent user password changes. No database change is required so this is very easy to reverse.

==== Implications ====

This '''only applies to user accounts''', including Administrator.

However '''other accounts (DC accounts in particular) are also sensitive'''; they can also '''modify the domain or read passwords'''.

=== Setting a minimum password length ===

If changing multiple entries in the DB is unacceptable, the most effective, easy to enable and disable, short-term partial mitigation is setting a minimum password length:

==== Show the existing settings: ====

 '''bin/samba-tool domain passwordsettings show'''

 Password informations for domain 'DC=addom,DC=samba,DC=example,DC=com'

 Password complexity: on
 Store plaintext passwords: off
 Password history length: 24
 Minimum password length: 7
 Minimum password age (days): 1
 Maximum password age (days): 42
 Account lockout duration (mins): 30
 Account lockout threshold (attempts): 0
 Reset account lockout after (mins): 30

'''Create a pwsettings.ldif file with:'''

 dn: dc=addom,dc=samba,dc=example,dc=com
 changetype: modify
 replace: minPwdLength
 minPwdLength: 2147483639
 -

==== Run this to set the 2GB min pw length: ====

This value is safe to rely on because no password can ever satisfy it: parts of Samba refuse to allocate more than 256MB at a time, so a 2GB password can never be submitted.

 '''# ldbmodify -H /usr/local/samba/private/sam.ldb pwsettings.ldif'''
 Modified 1 records successfully

This only needs to be done on one DC; it will replicate and disable password changes or resets.

This shows it has been set:

 '''bin/samba-tool domain passwordsettings show'''

 Password informations for domain 'DC=addom,DC=samba,DC=example,DC=com'

 Password complexity: on
 Store plaintext passwords: off
 Password history length: 24
 Minimum password length: 2147483639
 Minimum password age (days): 1
 Maximum password age (days): 42
 Account lockout duration (mins): 30
 Account lockout threshold (attempts): 0
 Reset account lockout after (mins): 30

==== This shows how to undo it: ====

 bin/samba-tool domain passwordsettings set -s st/ad_dc/etc/smb.conf --min-pwd-length=7

====Implications====

This '''only applies to user accounts''', including Administrator.

However '''other accounts (DC accounts in particular) are also sensitive'''; they can also '''modify the domain or read passwords''', with slightly more complex tools.
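The ACL edit described under "Revoking change passwords rights", as an added example that is not part of this wiki text and is not the code of the samba_CVE-2018-1057_helper script: it removes the ACEs that grant the User-Change-Password control access right to Everyone (SDDL alias WD) from a user object's DACL while keeping the one granted to Principal Self (PS), reports whether an object is locked, and reverses the edit. The two control-access-right GUIDs are the schema's rightsGuid values for User-Change-Password and User-Force-Change-Password; the sample descriptor is constructed for the example, and working on the descriptor in SDDL text form (rather than the binary nTSecurityDescriptor the helper edits through Samba's own libraries) is an assumption of this illustration.

```python
"""
Lock/unlock the "change password" right for Everyone on a user object,
operating on the DACL in SDDL text form.  Added example only; not the
samba_CVE-2018-1057_helper implementation.
"""
import re

# Control access right GUIDs (rightsGuid of the schema's controlAccessRight objects).
USER_CHANGE_PASSWORD = "ab721a53-1e2f-11d0-9819-00aa0040529b"
USER_FORCE_CHANGE_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"

ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_dacl(sddl):
    """Split SDDL into (prefix, dacl_flags, [ace tuples], suffix).

    Assumes the usual O:...G:...D:...(S:...) ordering, so the first "D:" that is
    followed by flags and ACEs is the DACL; O:, G: and S: are kept verbatim.
    """
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("no DACL in SDDL")
    flags, aces_text = m.group(1), m.group(2)
    aces = [tuple(a.split(";")) for a in ACE_RE.findall(aces_text)]
    return sddl[:m.start()], flags, aces, sddl[m.end():]


def build_sddl(prefix, flags, aces, suffix):
    return prefix + "D:" + flags + "".join("(" + ";".join(a) + ")" for a in aces) + suffix


def grants_change_password(ace, trustee):
    """True for an allow-object ACE (OA) granting the CR right for the
    User-Change-Password GUID to the given trustee alias or SID string."""
    if len(ace) < 6:
        return False
    ace_type, _flags, rights, obj_guid, _inherit_guid, sid = ace[:6]
    return (ace_type == "OA" and "CR" in rights
            and obj_guid.lower() == USER_CHANGE_PASSWORD and sid == trustee)


def lock_pwchange(sddl):
    """Drop every ACE that lets Everyone (WD) change this object's password.
    The Principal Self (PS) ACE is untouched, so the user can still change
    their own password over LDAP/SAMR when bound as themselves."""
    prefix, flags, aces, suffix = parse_dacl(sddl)
    kept = [a for a in aces if not grants_change_password(a, "WD")]
    return build_sddl(prefix, flags, kept, suffix)


def unlock_pwchange(sddl):
    """Re-add the default Everyone change-password ACE if it is missing."""
    prefix, flags, aces, suffix = parse_dacl(sddl)
    if not any(grants_change_password(a, "WD") for a in aces):
        aces.append(("OA", "", "CR", USER_CHANGE_PASSWORD, "", "WD"))
    return build_sddl(prefix, flags, aces, suffix)


def world_can_change_password(sddl):
    return any(grants_change_password(a, "WD") for a in parse_dacl(sddl)[2])


def self_can_change_password(sddl):
    return any(grants_change_password(a, "PS") for a in parse_dacl(sddl)[2])


# Constructed sample descriptor: the two default change-password ACEs of a user
# object, the force-change right for Domain Admins, and an unrelated read ACE.
SAMPLE = ("O:DAG:DAD:AI"
          "(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)"
          "(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)"
          "(OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;DA)"
          "(A;;RPLCLORC;;;AU)")

if __name__ == "__main__":
    locked = lock_pwchange(SAMPLE)
    print("before: world can change =", world_can_change_password(SAMPLE))
    print("locked:", locked)
    print("after:  world can change =", world_can_change_password(locked),
          "/ self can change =", self_can_change_password(locked))
    print("unlocked: world can change =",
          world_can_change_password(unlock_pwchange(locked)))
```

The lock is idempotent and only the WD ACE for that one GUID is removed; the force-change right (the second GUID) is left alone because it is granted to administrators, not to Everyone. On a real DC the attribute is a binary descriptor; Samba's Python bindings can convert it to and from SDDL, which is the form this example works in, and a `--dry-run` style check is just `world_can_change_password()` over each object's descriptor.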