The Samba-Bugzilla – Attachment 14654 Details for Bug 13683
[SECURITY] CVE-2018-16857 Bad password count not effective for default (30min) window
advisory with CVE (v3)
ad-dc-pwd-lockout_advisory.txt (text/plain), 3.28 KB, created by Andrew Bartlett on 2018-11-13 17:44:07 UTC
================================================================
== Subject:     Bad password count in AD DC not always effective
==
== CVE ID#:     CVE-2018-16857
==
== Versions:    Samba 4.9.0 and later
==
== Summary:     AD DC Configurations watching for bad passwords
                (to restrict brute forcing of passwords)
                in a window of more than 3 minutes may
                not watch for bad passwords at all.
================================================================

===========
Description
===========

By default, Samba will remember bad passwords for 30 minutes:

eg:
$ samba-tool domain passwordsettings show
...
Reset account lockout after (mins): 30

This is also known as the 'bad password observation window' and is
configured in the lockOutObservationWindow attribute on the domain DN
or in a fine-grained password policy (also known as a Password
Settings Object - PSO).

If this value is set to more than 3 minutes, bad password lockout
may be ineffective.

If the setting were 8-10 minutes or 15-16 minutes, Samba would still
offer some bad password lockout protection, but would use a smaller
observation window than configured (somewhere between 41 and 170 seconds,
depending on the actual configured setting).

For all other configured observation windows over 3 minutes (including
the default), bad password counting will not work. This will mean the
badPwdCount attribute (which stores repeated bad password attempts)
will never exceed 1. The 'account lockout threshold' will therefore
not be hit, and the user would never get locked out.

The primary risk from this issue is with regard to domains that have
been upgraded from Samba 4.8 and earlier. In these cases the manual
testing done to confirm an organisation's password policies apply as
expected may not have been re-done after the upgrade.

==================
CVSSv3 calculation
==================

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

==================
Patch Availability
==================

Patches addressing this issue have been posted to:

    http://www.samba.org/samba/security/

Additionally, Samba 4.9.3 has been issued as a security release to
correct the defect. Samba administrators are advised to upgrade to
this release or apply the patch as soon as possible.

=========================
Workaround and mitigation
=========================

Bad password lockout is not configured by default; it is only
effective if a threshold has been set with (eg):

samba-tool domain passwordsettings set --account-lockout-threshold=3

To mitigate the issue set a shorter 'Reset account lockout after'
window (the ineffective default is 30, anything less than 3 will
work):

samba-tool domain passwordsettings set --reset-account-lockout-after=3

Note that this setting controls how long Samba remembers bad
password attempts for, rather than how long the account is locked
(which is controlled by --account-lockout-duration).

NOTE: If a fine-grained password policy (PSO) is set, this must also
be done on each PSO.

=======
Credits
=======

Originally reported by Isaac Boukris

Patches provided by Tim Beale of Catalyst and the Samba team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
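A check an administrator can run to see whether a DC's configured observation window falls into the ranges the advisory describes (added example, not part of the advisory or of Samba itself; it assumes the usual line labels of `samba-tool domain passwordsettings show`, of which only the 'Reset account lockout after (mins)' line is quoted above, and does not inspect PSOs):

```python
"""Check a Samba AD DC's 'Reset account lockout after' window against the
rules stated in the CVE-2018-16857 advisory.  Added example, not Samba
code.  Only the window label is quoted in the advisory; the threshold
label is assumed from the tool's usual output.  PSOs are not inspected."""
import re
import subprocess

# Constructed sample of `samba-tool domain passwordsettings show` output:
# lockout enabled (threshold 3) but the ineffective default 30-minute window.
SAMPLE_OUTPUT = """\
Password information for domain 'DC=example,DC=test'

Account lockout threshold (attempts): 3
Reset account lockout after (mins): 30
"""
WINDOW = "Reset account lockout after (mins)"
THRESHOLD = "Account lockout threshold (attempts)"  # assumed label

def parse_settings(text):
    """Map every 'Label (unit): N' line of the show output to int(N)."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^(.*?)\s*:\s*(\d+)\s*$", line)
        if m:
            settings[m.group(1)] = int(m.group(2))
    return settings

def classify_window(threshold, window_mins):
    """Advisory rules: <=3 min counts correctly; 8-10 and 15-16 min count
    over a shortened 41-170 s window; any other value above 3 leaves
    badPwdCount stuck at 1, so the lockout threshold is never reached."""
    if threshold == 0:
        return "lockout not configured"
    if window_mins <= 3:
        return "effective"
    if 8 <= window_mins <= 10 or 15 <= window_mins <= 16:
        return "reduced window"
    return "ineffective"

def assess(text):
    """Classify the domain policy contained in one show-output text."""
    s = parse_settings(text)
    return classify_window(s.get(THRESHOLD, 0), s.get(WINDOW, 0))

if __name__ == "__main__":
    # Run against the live DC (needs samba-tool and the rights to query it).
    out = subprocess.run(["samba-tool", "domain", "passwordsettings", "show"],
                         capture_output=True, text=True, check=True).stdout
    print(assess(out))
```

Run without arguments on the DC itself; a result of "ineffective" or "reduced window" on an unpatched 4.9.0-4.9.2 DC means the `--reset-account-lockout-after=3` workaround above (and the same change on every PSO) is needed until the upgrade.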
Flags: timbeale: review+ | abartlet: review+