The Samba-Bugzilla – Attachment 14041 Details for Bug 13272: [SECURITY] CVE-2018-1057: Unprivileged user can change any user (and admin) password
Wiki text containing link to advisory and helper script
CVE-2018-1057-wiki.abartlet05.txt (text/plain), 7.27 KB, created by Andrew Bartlett on 2018-03-13 08:39:26 UTC
= CVE-2018-1057: Unprivileged user can change any user (and admin) password =

== Advisory ==

[https://www.samba.org/samba/security/CVE-2018-1057.html Advisory CVE-2018-1057]

== FAQ ==

=== Does this impact the Samba3/NT4-like/classic domain controller? ===

No, this only impacts the Samba Active Directory DC.

=== Does this impact the RODC (if the full DC is not Samba)? ===

No, password changes are rejected on the RODC.

=== Does this impact Samba as a fileserver only? ===

No, this only impacts the Samba Active Directory DC.

=== How can I confirm if my version is impacted? ===

All released versions of Samba's AD DC and pre-release versions since
Samba 4.0.0alpha13 appear to have this flaw.

=== Are patches for out-of-support Samba versions available? ===

Patches have been provided for Samba 4.5 and later versions. If you
run an older version then check if a contributed patch has been added
to [https://samba.org/samba/security Samba's security patch page].

=== While I prepare the update, how can I monitor my directory? ===

The important attributes to watch are '''pwdLastSet''' and '''msDS-KeyVersionNumber''':

 ldbsearch -H /usr/local/samba/private/sam.ldb objectclass=user pwdLastSet msDS-KeyVersionNumber

These values will change if a password is changed or reset.

As Samba does not at this time change the machine account passwords of
Domain Controllers, any change to these, '''or to the passwords of
administrators''', should be a concern.

The pwdLastSet value can be printed using the '''samba.nttime2string''' function:

 python
 >>> import samba
 >>> print(samba.nttime2string(131653809731794980))
 Tue Mar 13 15:16:13 2018 NZDT

=== Are any audit logs produced by the password reset? ===

No useful audit logs are produced when a password is reset. The audit
logging of password changes provided by Samba 4.7 is not triggered for
the same reason that the password reset is allowed.
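As an added monitoring example for the FAQ entry above (not part of this wiki text or of Samba's own tooling), the script below diffs two ldbsearch dumps of pwdLastSet and msDS-KeyVersionNumber and flags changes to DC and administrator accounts; it converts pwdLastSet itself so it runs without the samba module. The two sample snapshots and the set of privileged DNs are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
NT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def nttime_to_datetime(nt):
    """NTTIME is 100 ns ticks since 1601-01-01 UTC (0 = never set); stands in for samba.nttime2string."""
    return NT_EPOCH + timedelta(microseconds=int(nt) // 10)

def parse_ldbsearch(text):
    """Parse ldbsearch's LDIF-style output into {dn: {attr: value}}."""
    records, cur, last = {}, {}, None
    for line in text.splitlines() + [""]:
        if line.startswith("#"):            # '# record 1', '# returned N records'
            continue
        if not line.strip():                # blank line terminates a record
            if "dn" in cur:
                records[cur["dn"]] = cur
            cur, last = {}, None
        elif line.startswith(" ") and last:  # LDIF folds long values; re-join them
            cur[last] += line[1:]
        else:
            last, _, value = line.partition(": ")
            cur[last] = value
    return records

def password_changes(before, after, privileged):
    """Return (dn, old_kvno, new_kvno, new_pwdLastSet_utc, is_privileged) per changed account."""
    out, kvno = [], "msDS-KeyVersionNumber"
    for dn, new in after.items():
        old = before.get(dn, {})
        if old.get("pwdLastSet") != new.get("pwdLastSet") or old.get(kvno) != new.get(kvno):
            out.append((dn, old.get(kvno), new.get(kvno),
                        nttime_to_datetime(new.get("pwdLastSet", 0)), dn in privileged))
    return out

# Constructed sample snapshots (not real directory data): Administrator is reset, DC1 untouched.
SNAP_BEFORE = """\
# record 1
dn: CN=Administrator,CN=Users,DC=example,DC=com
pwdLastSet: 131653809731794980
msDS-KeyVersionNumber: 2

dn: CN=DC1,OU=Domain Controllers,DC=example,DC=com
pwdLastSet: 131600000000000000
msDS-KeyVersionNumber: 1

# returned 2 records
"""
SNAP_AFTER = SNAP_BEFORE.replace("131653809731794980\nmsDS-KeyVersionNumber: 2",
                                 "131654000000000000\nmsDS-KeyVersionNumber: 3")
PRIVILEGED = {"CN=Administrator,CN=Users,DC=example,DC=com",
              "CN=DC1,OU=Domain Controllers,DC=example,DC=com"}
```

Run the ldbsearch command above into a file before and after an interval, parse both, and act on any flagged tuple whose last element is True.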
=== Is resetting any compromised accounts enough? ===

No, if those compromised accounts have privileges (domain controller
accounts or administrative accounts) then such accounts may already
have read all the domain's secrets.

== Workarounds ==

=== Revoking change passwords rights ===

Revoke the change passwords right for 'the world' from all user objects (including
computers) in the directory, leaving only the right to change a user's own password.

To do this, run the [https://download.samba.org/pub/samba/misc/samba_CVE-2018-1057_helper samba_CVE-2018-1057_helper] tool after running 'chmod +x samba_CVE-2018-1057_helper'. The helper script has been signed using GnuPG (ID 6F33915B6568B7EA). It is sufficient to run this helper script on one of the DCs, but it is also perfectly fine to run it on all DCs, in order to avoid replication latencies, especially when sites are used.

 samba_CVE-2018-1057_helper --lock-pwchange

Once CVE-2018-1057 is addressed, you can run

 samba_CVE-2018-1057_helper --unlock-pwchange

to reverse the database edit.

The schema is modified to ensure the same is done for new user accounts.

==== Script Options ====

 --no-schema   Do not modify the schema
 --filter      Run on a subset of the database (provide an LDAP filter string)
 --base        The LDAP base to search from
 --scope       The LDAP scope to use (BASE will modify one DN only)
 --dry-run     Do a dry run and do not modify the directory
 -H            LDAP or LDB URL. By preference please use a path to the local file as this will allow database transactions to be used
 --configfile  Path to the smb.conf

==== Implications ====

Note that (because expired users cannot log on to LDAP or SAMR) this will prevent users from being
able to change their own expired passwords using another account via these protocols.
Therefore, if non-Windows clients are in use, the maximum password age should be set to a value
that prevents user passwords from expiring while the workaround is in place:

 samba-tool domain passwordsettings set --max-pwd-age=365

This ACL controls password changes over LDAP and SAMR when the authenticated
connection is not the same as the user whose password is being changed.

# Kpasswd password changes are not affected, nor are machine account password changes over NETLOGON.
# Windows clients and sssd's ad provider all use Kerberos for password changes so are '''not impacted.'''
# pam_ldap only supports binding as the user changing their own password, so is likewise '''not impacted.'''
# Samba's winbindd binds as the machine account and so password changes from '''pam_winbind are impacted.'''

=== Disable LDAP ===

The LDAP listener can be disabled by adding:

 '''server services = -ldap'''

to the '''smb.conf''' file and restarting Samba.

==== Implications ====

As an alternative to a full shutdown, this will be acceptable only for a
short time or in very few situations, as LDAP is an important
component of an AD domain.

== Not Workarounds ==

Some other techniques come to mind but are not actually effective workarounds.

=== An invalid password check script ===

In the smb.conf set

 '''check password script = /bin/false'''

This will prevent user password changes. No database change is required, so
this is very easy to reverse.

==== Implications ====

This '''only applies to user accounts''', including Administrator.

However, '''other accounts (DC accounts in particular) are also sensitive;''' they can also '''modify the domain or read passwords'''.
=== Setting a minimum password length ===

If changing multiple entries in the DB is unacceptable, the most effective, easy to enable and disable,
short-term partial mitigation is setting a minimum password length:

==== Show the existing settings ====

 '''bin/samba-tool domain passwordsettings show'''

 Password informations for domain 'DC=addom,DC=samba,DC=example,DC=com'

 Password complexity: on
 Store plaintext passwords: off
 Password history length: 24
 Minimum password length: 7
 Minimum password age (days): 1
 Maximum password age (days): 42
 Account lockout duration (mins): 30
 Account lockout threshold (attempts): 0
 Reset account lockout after (mins): 30

==== Create a pwsettings.ldif file with ====

 dn: dc=addom,dc=samba,dc=example,dc=com
 changetype: modify
 replace: minPwdLength
 minPwdLength: 2147483639
 -

==== Run this to set the 2GB minimum password length ====

This is protective as parts of Samba refuse to allocate more than 256MB at a time.

 '''# ldbmodify -H /usr/local/samba/private/sam.ldb pwsettings.ldif'''
 Modified 1 records successfully

This only needs to be done on one DC; it will replicate and disable password changes or resets.

This shows it has been set:

 '''bin/samba-tool domain passwordsettings show'''

 Password informations for domain 'DC=addom,DC=samba,DC=example,DC=com'

 Password complexity: on
 Store plaintext passwords: off
 Password history length: 24
 Minimum password length: 2147483639
 Minimum password age (days): 1
 Maximum password age (days): 42
 Account lockout duration (mins): 30
 Account lockout threshold (attempts): 0
 Reset account lockout after (mins): 30

==== This shows how to undo it ====

 bin/samba-tool domain passwordsettings set -s st/ad_dc/etc/smb.conf --min-pwd-length=7

==== Implications ====

This '''only applies to user accounts''', including Administrator.
However, '''other accounts (DC accounts in particular) are also sensitive;''' they can also '''modify the domain or read passwords''', with slightly more complex tools.
Flags: metze: review+