= CVE-2018-1057: Unprivileged user can change any user (and admin) password =

== Advisory ==

[https://www.samba.org/samba/security/CVE-2018-1057.html Advisory CVE-2018-1057]

== FAQ ==

=== Does this impact the Samba3/NT4-like/classic domain controller? ===

No, this only impacts the Samba Active Directory DC.

=== Does this impact the RODC (if the full DC is not Samba)? ===

No, password changes are rejected on the RODC.

=== Does this impact Samba as a fileserver only? ===

No, this only impacts the Samba Active Directory DC.

=== How can I confirm if my version is impacted? ===

All released versions of Samba's AD DC and pre-release versions since Samba 4.0.0alpha13 appear to have this flaw.

=== Are patches for out-of-support Samba versions available? ===

Patches have been provided for Samba 4.5 and later versions. If you run an older version, check whether a contributed patch has been added to [https://samba.org/samba/security Samba's security patch page].

=== While I prepare the update, how can I monitor my directory? ===

The important attributes to watch are '''pwdLastSet''' and '''msDS-KeyVersionNumber''':

 ldbsearch -H /usr/local/samba/private/sam.ldb objectclass=user pwdLastSet msDS-KeyVersionNumber

These values will change if a password is changed or reset. As Samba does not at this time change the machine account passwords of Domain Controllers, any change to these, '''or to the passwords of administrators''', should be a concern.

The pwdLastSet value can be printed in human-readable form using the '''samba.nttime2string''' function:

 python
 >>> import samba
 >>> print(samba.nttime2string(131653809731794980))
 Tue Mar 13 15:16:13 2018 NZDT

=== Are any audit logs produced by the password reset? ===

No useful audit logs are produced when a password is reset. The audit logging of password changes provided by Samba 4.7 is not triggered, for the same reason that the password reset is allowed.

=== Is resetting any compromised accounts enough? ===

No. If those compromised accounts have privileges (domain controller accounts or administrative accounts), then such accounts may already have read all the domain's secrets.

== Workarounds ==

=== Revoking change passwords rights ===

Revoke the change passwords right for 'the world' from all user objects (including computers) in the directory, leaving only the right to change a user's own password.

To do this, run the [https://download.samba.org/pub/samba/misc/samba_CVE-2018-1057_helper samba_CVE-2018-1057_helper] tool after running 'chmod +x samba_CVE-2018-1057_helper'. The helper script has been signed using GnuPG (ID 6F33915B6568B7EA).

It's sufficient to run this helper script on one of the DCs, but it's also perfectly fine to run it on all DCs, in order to avoid replication latencies, especially when sites are used.

 samba_CVE-2018-1057_helper --lock-pwchange

Once CVE-2018-1057 is addressed, you can run

 samba_CVE-2018-1057_helper --unlock-pwchange

to reverse the database edit.

The schema is modified to ensure the same is done for new user accounts.

==== Script Options ====

 --no-schema    Do not modify the schema
 --filter       Run on a subset of objects (provide an LDAP filter string)
 --base         The LDAP base to search from
 --scope        The LDAP scope to use (BASE will modify one DN only)
 --dry-run      Do a dry run and do not modify the directory
 -H             LDAP or LDB URL. By preference use a path to the local file, as this will allow transactions
 --configfile   Path to the smb.conf

==== Implications ====

Note that (because expired users cannot log on to LDAP or SAMR) this will prevent users from being able to change their own expired passwords using another account via these protocols. Therefore, if non-Windows clients are in use, the maximum password age should be set to a value that prevents user passwords from expiring while the workaround is in place:

 samba-tool domain passwordsettings set --max-pwd-age=365

This ACL controls password changes over LDAP and SAMR when the authenticated connection is not the same as the user whose password is being changed.

# Kpasswd password changes are not affected, nor are machine account password changes over NETLOGON.
# Windows clients and sssd's ad provider all use Kerberos for password changes, so are '''not impacted.'''
# pam_ldap only supports binding as the user changing their own password, so is likewise '''not impacted.'''
# Samba's winbindd binds as the machine account, and so password changes from '''pam_winbind are impacted.'''

=== Disable LDAP ===

The LDAP listener can be disabled by adding:

 server services = -ldap

to the '''smb.conf''' file and restarting Samba.

==== Implications ====

Compared with a full shutdown, this will be acceptable for a short time or in only a very few situations, as LDAP is an important component of an AD domain.

== Not Workarounds ==

Some other techniques come to mind but are not actually effective workarounds.

=== An invalid password check script ===

In the smb.conf set

 check password script = /bin/false

This will prevent user password changes. No database change is required, so this is very easy to reverse.

==== Implications ====

This '''only applies to user accounts''', including Administrator. However, '''other accounts (DC accounts in particular) are also sensitive,''' as they can also '''modify the domain or read passwords'''.

=== Setting a minimum password length ===

If changing multiple entries in the DB is unacceptable, the most effective, easy to enable and disable, short-term partial mitigation is setting a minimum password length.

==== Show the existing settings ====

 bin/samba-tool domain passwordsettings show
 Password informations for domain 'DC=addom,DC=samba,DC=example,DC=com'
 Password complexity: on
 Store plaintext passwords: off
 Password history length: 24
 Minimum password length: 7
 Minimum password age (days): 1
 Maximum password age (days): 42
 Account lockout duration (mins): 30
 Account lockout threshold (attempts): 0
 Reset account lockout after (mins): 30

'''Create a pwsettings.ldif file with:'''

 dn: dc=addom,dc=samba,dc=example,dc=com
 changetype: modify
 replace: minPwdLength
 minPwdLength: 2147483639
 -

==== Run this to set the 2GB min pw length ====

This is protective as parts of Samba refuse to allocate more than 256MB at a time.

 # ldbmodify -H /usr/local/samba/private/sam.ldb pwsettings.ldif
 Modified 1 records successfully

This only needs to be done on one DC; it will replicate and disable password changes or resets.

This shows it has been set:

 bin/samba-tool domain passwordsettings show
 Password informations for domain 'DC=addom,DC=samba,DC=example,DC=com'
 Password complexity: on
 Store plaintext passwords: off
 Password history length: 24
 Minimum password length: 2147483639
 Minimum password age (days): 1
 Maximum password age (days): 42
 Account lockout duration (mins): 30
 Account lockout threshold (attempts): 0
 Reset account lockout after (mins): 30

==== This shows how to undo it ====

 bin/samba-tool domain passwordsettings set -s st/ad_dc/etc/smb.conf --min-pwd-length=7

==== Implications ====

This '''only applies to user accounts''', including Administrator. However, '''other accounts (DC accounts in particular) are also sensitive,''' as they can also '''modify the domain or read passwords''', with slightly more complex tools.
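The monitoring FAQ entry above ("While I prepare the update, how can I monitor my directory?") recommends watching '''pwdLastSet''' and '''msDS-KeyVersionNumber''', but leaves the comparison of successive ldbsearch runs to the administrator. The script below is an added example, not part of this wiki page or of Samba itself. It parses the LDIF that the page's ldbsearch command prints, converts pwdLastSet from NT time (100 ns ticks since 1601-01-01 UTC) to a UTC timestamp without needing the samba Python module, and lists every account whose watched attributes moved between a baseline snapshot and a current one. The two snapshots embedded in it are constructed, and the choice to rate any DN under <code>OU=Domain Controllers</code> as high concern is the example's own, based on the page's note that Samba does not rotate DC machine account passwords. Note that the page's <code>samba.nttime2string</code> output is in local time (NZDT, UTC+13); this script prints UTC, so the same value 131653809731794980 renders as 02:16:13.

```python
"""Diff two ldbsearch snapshots of pwdLastSet / msDS-KeyVersionNumber.

Added example (not Samba code). Assumes the snapshots came from:
  ldbsearch -H /usr/local/samba/private/sam.ldb objectclass=user pwdLastSet msDS-KeyVersionNumber
"""
import base64
from datetime import datetime, timedelta, timezone

# NT time is counted in 100 ns ticks from this epoch.
NT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
WATCHED = ("pwdLastSet", "msDS-KeyVersionNumber")


def nttime_to_datetime(nttime: int) -> datetime:
    """Convert an NT timestamp to a timezone-aware UTC datetime."""
    return NT_EPOCH + timedelta(microseconds=nttime // 10)


def parse_ldif(text: str) -> dict:
    """Map DN -> {attr: value} from ldbsearch LDIF output.

    Records are separated by blank lines, '#' lines are comments, and
    'attr:: value' carries a base64-encoded value (used for non-ASCII DNs).
    """
    records = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            if ":: " in line:
                key, b64 = line.split(":: ", 1)
                attrs[key] = base64.b64decode(b64).decode("utf-8")
            elif ": " in line:
                key, value = line.split(": ", 1)
                attrs[key] = value
        dn = attrs.pop("dn", None)
        if dn:
            records[dn] = attrs
    return records


def diff_snapshots(baseline: str, current: str) -> list:
    """Return (dn, attribute, old, new, severity) for each changed account.

    Accounts present only in the current snapshot are reported as new objects.
    Severity "HIGH" for DC accounts is this example's heuristic (assumption).
    """
    before = parse_ldif(baseline)
    after = parse_ldif(current)
    findings = []
    for dn, attrs in after.items():
        severity = "HIGH" if "OU=Domain Controllers" in dn else "REVIEW"
        old = before.get(dn)
        if old is None:
            findings.append((dn, "object", None, "new account", severity))
            continue
        for attr in WATCHED:
            if old.get(attr) != attrs.get(attr):
                findings.append((dn, attr, old.get(attr), attrs.get(attr), severity))
    return findings


def describe(finding) -> str:
    """Render one finding, expanding pwdLastSet into a readable UTC time."""
    dn, attr, old, new, severity = finding
    if attr == "pwdLastSet" and new is not None:
        when = nttime_to_datetime(int(new)).strftime("%Y-%m-%d %H:%M:%S UTC")
        new = f"{new} ({when})"
    return f"[{severity}] {dn}: {attr} {old} -> {new}"


# Constructed sample snapshots in the shape ldbsearch prints them.
BASELINE = """\
# record 1
dn: CN=Administrator,CN=Users,DC=addom,DC=samba,DC=example,DC=com
pwdLastSet: 131600000000000000
msDS-KeyVersionNumber: 3

# record 2
dn: CN=DC1,OU=Domain Controllers,DC=addom,DC=samba,DC=example,DC=com
pwdLastSet: 131600000000000000
msDS-KeyVersionNumber: 1

# returned 2 records
"""

CURRENT = """\
# record 1
dn: CN=Administrator,CN=Users,DC=addom,DC=samba,DC=example,DC=com
pwdLastSet: 131600000000000000
msDS-KeyVersionNumber: 3

# record 2
dn: CN=DC1,OU=Domain Controllers,DC=addom,DC=samba,DC=example,DC=com
pwdLastSet: 131653809731794980
msDS-KeyVersionNumber: 2

# returned 2 records
"""

if __name__ == "__main__":
    for finding in diff_snapshots(BASELINE, CURRENT):
        print(describe(finding))
```

In practice, save the ldbsearch output to a file once as the baseline and feed each later run as the current snapshot; a DC account whose pwdLastSet or key version number moves while the workaround is in place is exactly the signal the FAQ says to treat as a concern, since Samba itself would not have changed it.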