Allele Security Alert
ASA-2018-00061
Identifier(s)
ASA-2018-00061, CVE-2018-16857
Title
Bad password count in AD DC not always effective
Vendor(s)
The Samba Project
Product(s)
Samba
Affected version(s)
Samba 4.9.0 and later
Fixed version(s)
Samba 4.9.3
Proof of concept
Unknown
Description
By default, Samba will remember bad passwords for 30 min, e.g.:
$ samba-tool domain passwordsettings show
…
Reset account lockout after (mins): 30
This is also known as the ‘bad password observation window’ and is configured in the lockOutObservationWindow attribute on the domain DN or in a fine-grained password policy (also known as a Password Settings Object – PSO).
If this value is set to more than 3 minutes, bad password lockout may be ineffective.
If the setting were 8-10 minutes or 15-16 minutes, Samba would still offer some bad password lockout protection, but would use a smaller observation window than configured (somewhere between 41 and 170 seconds, depending on the actual configured setting).
For all other configured observation windows over 3 minutes (including the default), bad password counting will not work. This will mean the badPwdCount attribute (which stores repeated bad password attempts) will never exceed 1. The ‘account lockout threshold’ will therefore not be hit, and the user would never get locked out.
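The fix commits listed below describe the root cause as lockOutObservationWindow not being handled as a 64-bit integer. The following is an added illustration, not Samba code, of why such a narrowing matters for this attribute: Active Directory stores the window as a negative count of 100-nanosecond intervals (30 minutes is -18000000000), so any window longer than 2^31 ticks, about 214 seconds or 3.6 minutes, cannot be represented in a 32-bit int. That boundary, computed here independently, is consistent with the advisory's statement that windows over 3 minutes are affected. The sample samba-tool output is constructed for the example; the helper names are mine. On a 4.9.x DC that cannot be upgraded yet, the audit function shows whether a configured window falls into the affected range; the patched releases remain the actual remedy.

```python
import re

# Constructed sample of `samba-tool domain passwordsettings show` output,
# reduced to the line the advisory quotes. (Constructed for this example.)
SAMPLE_OUTPUT = """Password information for domain 'DC=example,DC=com'
Reset account lockout after (mins): 30
"""

TICKS_PER_SECOND = 10_000_000          # AD durations are counted in 100 ns intervals
INT32_MIN, INT32_MAX = -2**31, 2**31 - 1


def parse_reset_minutes(output: str) -> int:
    """Pull the observation window (in minutes) out of samba-tool's report."""
    m = re.search(r"Reset account lockout after \(mins\):\s*(\d+)", output)
    if m is None:
        raise ValueError("observation window line not present in output")
    return int(m.group(1))


def minutes_to_attr_ticks(minutes: int) -> int:
    """Encode a window as AD stores it in lockOutObservationWindow:
    a negative number of 100 ns intervals (30 min -> -18000000000)."""
    return -minutes * 60 * TICKS_PER_SECOND


def attr_ticks_to_seconds(attr_value: str) -> float:
    """Decode the attribute the correct way: as a 64-bit signed integer."""
    ticks = int(attr_value)
    if not -2**63 <= ticks <= 2**63 - 1:
        raise ValueError("lockOutObservationWindow outside the 64-bit range")
    return -ticks / TICKS_PER_SECOND


def fits_in_int32(ticks: int) -> bool:
    """True only if a 32-bit int can hold the encoded value unchanged.
    A tick count outside this range is altered by a narrowing conversion,
    which is the class of defect the 64-bit fix addresses."""
    return INT32_MIN <= ticks <= INT32_MAX


def longest_int32_safe_window_seconds() -> float:
    """Largest window (in seconds) whose encoding still fits in 32 bits:
    2**31 ticks, about 214.7 s, i.e. roughly 3.6 minutes."""
    return 2**31 / TICKS_PER_SECOND


def audit_observation_window(output: str) -> dict:
    """Report the configured window and whether its stored encoding
    lies outside what a narrowed 32-bit parse could represent."""
    minutes = parse_reset_minutes(output)
    ticks = minutes_to_attr_ticks(minutes)
    return {
        "minutes": minutes,
        "attr_value": str(ticks),
        "int32_safe": fits_in_int32(ticks),
    }


if __name__ == "__main__":
    # Example run on the constructed sample; feed real samba-tool output instead.
    print(audit_observation_window(SAMPLE_OUTPUT))
```

Run against the real output of `samba-tool domain passwordsettings show`; an `int32_safe` of False means the configured window is one that a 32-bit parse cannot hold. Note that the default 30-minute window, as the advisory says, is in that range.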
Technical details
Unknown
Credits
Isaac Boukris
Reference(s)
Bad password count in AD DC not always effective
https://www.samba.org/samba/security/CVE-2018-16857.html
Bug 13683 – (CVE-2018-16857) [SECURITY] CVE-2018-16857 Bad password count not effective for default (30min) window
https://bugzilla.samba.org/show_bug.cgi?id=13683
[Announce] Samba 4.9.3, 4.8.7 and 4.7.12 Security Releases Available
https://lists.samba.org/archive/samba-announce/2018/000462.html
CVE-2018-16857 tests: Sanity-check password lockout works with default values
https://github.com/samba-team/samba/commit/77de8278e4b467b66a477c09945a9bcc6b08b194
CVE-2018-16857 dsdb/util: Correctly treat lockOutObservationWindow as 64-bit int
https://github.com/samba-team/samba/commit/c7b937c5aae40483f2f37727758ed50877f17a5b
CVE-2018-16857 dsdb/util: Fix lockOutObservationWindow for PSOs
https://github.com/samba-team/samba/commit/13014aea13a77f6a75ab948e2a29d814ebd9dd22
CVE-2018-16857 dsdb/util: Add better default lockOutObservationWindow
https://github.com/samba-team/samba/commit/fde9f7c81b42419e71b2fc8c31d92db4a05176af
CVE-2018-16857
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16857
CVE-2018-16857
https://nvd.nist.gov/vuln/detail/CVE-2018-16857
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: March 6, 2019