The Samba-Bugzilla: Attachment 14644 details for Bug 13683
[SECURITY] CVE-2018-16857 Bad password count not effective for default (30min) window
Attachment 14644: draft advisory
Filename: ad-dc-pwd-lockout_advisory.txt (text/plain), 2.68 KB
Creator: Andrew Bartlett
Created: 2018-11-12 22:51:00 UTC
Marked: patch, obsolete
================================================================
== Subject:     Bad password count in AD DC not always effective
==
== CVE ID#:
==
== Versions:    Samba 4.9.0 and later
==
== Summary:     AD DC configurations watching for bad passwords
==              (to restrict brute forcing of passwords) in a
==              window of more than 15 minutes will instead not
==              watch for bad passwords at all.
================================================================

===========
Description
===========

By default, Samba will remember bad passwords for 30 minutes:

eg:
$ samba-tool domain passwordsettings show
...
Reset account lockout after (mins): 30

This is also known as the 'bad password observation window' and is
configured in the lockOutObservationWindow attribute on the domain DN
or in a fine-grained password policy (also known as a Password
Settings Object - PSO).

If this value is set to more than 15 minutes, the effective value seen
by the Samba code counting bad passwords is 0, meaning no bad passwords
are counted in the badPwdCount attribute (it remains at 1).

In such situations, bad password lockout is ineffective.

The primary risk from this issue concerns domains that have been
upgraded from Samba 4.8 and earlier. In these cases the manual testing
done to confirm that an organisation's password policies apply as
expected may not have been repeated after the upgrade.

==================
CVSSv3 calculation
==================

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

==================
Patch Availability
==================

Patches addressing this issue have been posted to:

   http://www.samba.org/samba/security/

Additionally, Samba 4.9.3 has been issued as a security release to
correct the defect. Samba administrators are advised to upgrade to
this release or apply the patch as soon as possible.

=========================
Workaround and mitigation
=========================

Bad password lockout is not configured by default; it is only
effective if a threshold has been set with (eg):

samba-tool domain passwordsettings set --account-lockout-threshold=3

To mitigate the issue, set a shorter 'Reset account lockout after'
window (the ineffective default is 30; anything less than 15 will
work):

samba-tool domain passwordsettings set --reset-account-lockout-after=15

NOTE: If a fine-grained password policy (PSO) is set, this must also
be done on each PSO.

=======
Credits
=======

Originally reported by Isaac Boukris.

Patches provided by Tim Beale of Catalyst and the Samba team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
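To make the advisory's "effective value 0" concrete, the following is an added C model (not Samba's code) of how the observation window gates the bad-password count: AD stores badPasswordTime as an NTTIME (100ns ticks since 1601) and lockOutObservationWindow as a negative number of the same ticks, and a DC writes effective count + 1 after each failure. The timeline values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* AD stores badPasswordTime as NTTIME (100ns ticks since 1601) and
 * lockOutObservationWindow as a NEGATIVE count of the same ticks. */
typedef uint64_t NTTIME;
#define TICKS_PER_MINUTE ((int64_t)60 * 10000000)

/* Attribute value for an observation window of `minutes`. */
static int64_t window_from_minutes(int minutes)
{
    return -(int64_t)minutes * TICKS_PER_MINUTE;
}

/* Effective bad-password count: the stored badPwdCount only counts while
 * the last failure is still inside the window (subtracting the negative
 * window moves the last failure to the end of its window). With a window
 * of 0 the last failure is always "in the past", so the result is 0. */
static int effective_bad_pwd_count(int stored_count, NTTIME bad_password_time,
                                   int64_t lockout_window, NTTIME now)
{
    if (stored_count > 0 &&
        (int64_t)bad_password_time - lockout_window >= (int64_t)now)
        return stored_count;
    return 0;
}

/* Replay `attempts` failures `interval_minutes` apart, storing
 * effective+1 after each one (as a DC would), and return the final
 * badPwdCount. The start time is a constructed 2018 NTTIME. */
static int count_after_attempts(int attempts, int interval_minutes,
                                int64_t lockout_window)
{
    NTTIME now = 131869440000000000ULL; /* constructed timestamp */
    NTTIME last_failure = 0;
    int stored = 0;
    for (int i = 0; i < attempts; i++) {
        stored = effective_bad_pwd_count(stored, last_failure,
                                         lockout_window, now) + 1;
        last_failure = now;
        now += (NTTIME)interval_minutes * TICKS_PER_MINUTE;
    }
    return stored;
}

int main(void)
{
    /* Three failures 5 minutes apart: a 30-minute window accumulates them;
     * an effective window of 0 leaves badPwdCount stuck at 1. */
    printf("30 min window: %d\n", count_after_attempts(3, 5, window_from_minutes(30)));
    printf("window 0:      %d\n", count_after_attempts(3, 5, 0));
    return 0;
}
```

With a lockout threshold of 3, only the first run would ever lock the account; the second never reaches it however many attempts are made.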