The Samba-Bugzilla – Attachment 14036 Details for Bug 13272
[SECURITY] CVE-2018-1057: Unprivileged user can change any user (and admin) password
Description: Improved wiki text
Filename: CVE-2018-1057-wiki.abartlet03.txt
MIME Type: text/plain
Creator: Andrew Bartlett
Created: 2018-03-13 03:45:44 UTC
Size: 6.83 KB
Flags: patch, obsolete
= CVE-2018-1057: Unprivileged user can change any user (and admin) password =

== Advisory ==

(link to the official advisory text)

== FAQ ==

=== Does this impact the Samba3/NT4-like/classic domain controller? ===

No, this only impacts the Samba Active Directory DC.

=== Does this impact the RODC (if the full DC is not Samba)? ===

No, password changes are rejected on the RODC.

=== Does this impact Samba as a fileserver only? ===

No, this only impacts the Samba Active Directory DC.

=== How can I confirm if my version is impacted? ===

All released versions of Samba's AD DC, and pre-release versions since
Samba 4.0.0alpha13, appear to have this flaw.

=== Are patches for out-of-support Samba versions available? ===

Patches have been provided for Samba 4.5 and later versions. If you
run an older version, check whether a contributed patch has been added
to [https://samba.org/samba/security Samba's security patch page].

=== While I prepare the update, how can I monitor my directory? ===

The important attributes to watch are '''pwdLastSet''' and '''msDS-KeyVersionNumber''':

 ldbsearch -H /usr/local/samba/private/sam.ldb objectclass=user pwdLastSet msDS-KeyVersionNumber

These values will change if a password is changed or reset.

As Samba does not at this time change the machine account passwords of
Domain Controllers, any change to these, '''or to the passwords of
administrators''', should be a concern.

The pwdLastSet value can be printed using the '''samba.nttime2string''' function:

 python
 >>> import samba
 >>> print(samba.nttime2string(131653809731794980))
 Tue Mar 13 15:16:13 2018 NZDT

=== Are any audit logs produced by the password reset? ===

No useful audit logs are produced when a password is reset. The audit
logging of password changes provided by Samba 4.7 is not triggered, for
the same reason that the password reset is allowed.

=== Is resetting any compromised accounts enough? ===

No. If those compromised accounts have privileges (domain controller
accounts or administrative accounts) then such accounts may already
have read all the domain's secrets.

== Workarounds ==

=== Revoking change password rights ===

Revoke the change password right for 'the world' from all user objects (including
computers) in the directory, leaving only the right to change a user's own password.

To do this, run the samba_CVE-2018-1057_helper tool:

 samba_CVE-2018-1057_helper --lock-pwchange

Once CVE-2018-1057 is addressed, you can run

 samba_CVE-2018-1057_helper --unlock-pwchange

to reverse the database edit.

The schema is modified to ensure the same is done for new user accounts.

==== Script Options ====

 --no-schema   Do not modify the schema
 --filter      Run on a subset of objects (provide an LDAP filter string)
 --base        The LDAP base to search from
 --scope       The LDAP scope to use (BASE will modify one DN only)
 --dry-run     Do a dry run and do not modify the directory
 -H            LDAP or LDB URL. By preference use a path to the local file, as this allows transactions
 --configfile  Path to the smb.conf

==== Implications ====

Note that (because expired users cannot log on to LDAP or SAMR) this will prevent users from being
able to change their own expired passwords using another account via these protocols.

Therefore, if non-Windows clients are in use, the maximum password age should be set to a value
that prevents user passwords from expiring while the workaround is in place:

 samba-tool domain passwordsettings set --max-pwd-age=365

This ACL controls password changes over LDAP and SAMR when the authenticated
connection is not the user whose password is being changed.

# Kpasswd password changes are not affected, nor are machine account password changes over NETLOGON.
# Windows clients and sssd's ad provider all use Kerberos for password changes, so are '''not impacted.'''
# pam_ldap only supports binding as the user changing their own password, so is likewise '''not impacted.'''
# Samba's winbindd binds as the machine account, so password changes from '''pam_winbind are impacted.'''

=== Disable LDAP ===

The LDAP listener can be disabled by adding:

 '''server services = -ldap'''

to the '''smb.conf''' file and restarting Samba.

==== Implications ====

As an alternative to a full shutdown, this is acceptable only for a
short time or in very few situations, since LDAP is an important
component of an AD domain.

== Not Workarounds ==

Some other techniques come to mind but are not actually effective workarounds.

=== An invalid password check script ===

In the smb.conf set

 '''check password script = /bin/false'''

This will prevent user password changes. No database change is required, so
this is very easy to reverse.

==== Implications ====

This '''only applies to user accounts''', including Administrator.

However, '''other accounts (DC accounts in particular) are also sensitive''': they can also '''modify the domain or read passwords'''.

=== Setting a minimum password length ===

If changing multiple entries in the database is unacceptable, the most effective short-term partial
mitigation, and one that is easy to enable and disable, is setting a huge minimum password length:

==== Show the existing settings ====

 '''bin/samba-tool domain passwordsettings show'''

 Password informations for domain 'DC=addom,DC=samba,DC=example,DC=com'

 Password complexity: on
 Store plaintext passwords: off
 Password history length: 24
 Minimum password length: 7
 Minimum password age (days): 1
 Maximum password age (days): 42
 Account lockout duration (mins): 30
 Account lockout threshold (attempts): 0
 Reset account lockout after (mins): 30

==== Create a pwsettings.ldif file with ====

 dn: dc=addom,dc=samba,dc=example,dc=com
 changetype: modify
 replace: minPwdLength
 minPwdLength: 2147483639
 -

==== Run this to set the 2GB minimum password length ====

This is protective as parts of Samba refuse to allocate more than 256MB at a time.

 '''# ldbmodify -H /usr/local/samba/private/sam.ldb pwsettings.ldif'''
 Modified 1 records successfully

This only needs to be done on one DC; it will replicate and disable password changes or resets.

This shows it has been set:

 '''bin/samba-tool domain passwordsettings show'''

 Password informations for domain 'DC=addom,DC=samba,DC=example,DC=com'

 Password complexity: on
 Store plaintext passwords: off
 Password history length: 24
 Minimum password length: 2147483639
 Minimum password age (days): 1
 Maximum password age (days): 42
 Account lockout duration (mins): 30
 Account lockout threshold (attempts): 0
 Reset account lockout after (mins): 30

==== This shows how to undo it ====

 bin/samba-tool domain passwordsettings set -s st/ad_dc/etc/smb.conf --min-pwd-length=7

==== Implications ====

This '''only applies to user accounts''', including Administrator.

However, '''other accounts (DC accounts in particular) are also sensitive''': they can also '''modify the domain or read passwords''', with slightly more complex tools.
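The following Python script is an added example, not part of the wiki text above or of Samba itself: it implements the monitoring approach from the "While I prepare the update, how can I monitor my directory?" section by diffing two ldbsearch snapshots of pwdLastSet and msDS-KeyVersionNumber and flagging changes to domain controller and administrator accounts. The LDIF rows are constructed sample data; the DC heuristic (DN under OU=Domain Controllers), the ADMIN DN and the pure-Python nttime_to_utc (a stand-in for samba.nttime2string) are assumptions.

```python
"""Diff two ldbsearch snapshots of pwdLastSet / msDS-KeyVersionNumber (added example).
Sample rows are constructed; the DC heuristic (DN under OU=Domain Controllers), ADMIN and
the pure-Python nttime_to_utc (a stand-in for samba.nttime2string) are assumptions."""
from datetime import datetime, timedelta, timezone

BASE = "DC=addom,DC=samba,DC=example,DC=com"
WATCHED = ("pwdLastSet", "msDS-KeyVersionNumber")
ADMIN = f"CN=Administrator,CN=Users,{BASE}"  # assumption: the privileged user to watch
DC1, ALICE = f"CN=DC1,OU=Domain Controllers,{BASE}", f"CN=alice,CN=Users,{BASE}"

def snapshot(rows):
    """Render (dn, pwdLastSet, kvno) rows the way ldbsearch prints them (constructed data)."""
    return "\n".join(f"# record {i}\ndn: {dn}\npwdLastSet: {pls}\nmsDS-KeyVersionNumber: {kvno}\n"
                     for i, (dn, pls, kvno) in enumerate(rows, 1))

def parse_ldbsearch(text):
    """Return {dn: {attr: value}}; '#' lines are ldbsearch comments, a blank line ends a record."""
    entries, current = {}, {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if "dn" in current:
                entries[current.pop("dn")] = current
            current = {}
        elif not line.startswith("#") and ": " in line:
            attr, value = line.split(": ", 1)
            current[attr] = value
    return entries

def nttime_to_utc(nttime):
    """NT time is 100 ns ticks since 1601-01-01 UTC; 131653809731794980 -> 2018-03-13 02:16:13."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=int(nttime) // 10)

def password_changes(before_text, after_text):
    """List (severity, dn, attr, old, new) for each watched attribute that moved between snapshots."""
    before, after = parse_ldbsearch(before_text), parse_ldbsearch(after_text)
    alerts = []
    for dn, attrs in after.items():
        for attr in WATCHED:
            old, new = before.get(dn, {}).get(attr), attrs.get(attr)
            if old != new:
                # Samba does not rotate DC machine passwords, so a DC or admin change is a red flag.
                privileged = "OU=Domain Controllers" in dn or dn == ADMIN
                alerts.append(("CRITICAL" if privileged else "INFO", dn, attr, old, new))
    return alerts

T0 = 131653809731794980  # the sample pwdLastSet from the wiki text
SNAPSHOT_BEFORE = snapshot([(ADMIN, T0, 1), (DC1, T0, 2), (ALICE, T0, 1)])
# Later snapshot: DC1's password was reset (both attributes moved) and alice changed her own.
SNAPSHOT_AFTER = snapshot([(ADMIN, T0, 1), (DC1, T0 + 10**12, 3), (ALICE, T0 + 2 * 10**12, 2)])

if __name__ == "__main__":
    print(*password_changes(SNAPSHOT_BEFORE, SNAPSHOT_AFTER), sep="\n")
```

In practice the two snapshots come from running the ldbsearch command above on a schedule and keeping the previous output; the CRITICAL lines are the ones the FAQ says should be a concern.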