ASA-2018-00061 – Samba: Bad password count in AD DC not always effective


Allele Security Alert

ASA-2018-00061

Identifier(s)

ASA-2018-00061, CVE-2018-16857

Title

Bad password count in AD DC not always effective

Vendor(s)

The Samba Project

Product(s)

Samba

Affected version(s)

Samba 4.9.0 up to and including 4.9.2 (AD DC role only; releases before 4.9 are not affected)

Fixed version(s)

Samba 4.9.3

Proof of concept

Unknown

Description

By default, Samba remembers bad passwords for 30 minutes, as samba-tool shows (output abridged):

    $ samba-tool domain passwordsettings show
    Reset account lockout after (mins): 30

This is also known as the ‘bad password observation window’ and is configured in the lockOutObservationWindow attribute on the domain DN or in a fine-grained password policy (also known as a Password Settings Object – PSO).

If this value is set to more than 3 minutes, bad password lockout may be ineffective.

If the setting is 8-10 minutes or 15-16 minutes, Samba still offers some bad password lockout protection, but uses a smaller observation window than the one configured (somewhere between 41 and 170 seconds, depending on the configured value).

For all other observation windows over 3 minutes (including the 30-minute default), bad password counting does not work at all: the badPwdCount attribute, which tracks consecutive bad password attempts, never exceeds 1, the configured account lockout threshold is never reached, and the account is never locked out. An affected DC therefore imposes no lockout-based limit on online password guessing against its accounts. Only windows of 3 minutes or less behave as configured on unpatched 4.9.x, so until 4.9.3 is deployed the one configuration-side workaround the advisory's thresholds support is lowering the window (for example with samba-tool domain passwordsettings set --reset-account-lockout-after=3), at the cost of a much shorter observation window than the default.
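The thresholds above (3 minutes, 8-10 and 15-16 minutes, 41 to 170 seconds) are what you get when a window stored as a negative count of 100 ns intervals (the Active Directory encoding of lockOutObservationWindow, so 30 minutes is the string "-18000000000") is read through a 32-bit integer accessor, which is what the fix commit title "Correctly treat lockOutObservationWindow as 64-bit int" refers to. The C program below is an added illustration, not Samba's code: it assumes a 32-bit read that returns its default for strings too long for a 32-bit decimal and otherwise keeps the low 32 bits of the parsed value, compares that with a 64-bit read, and simulates badPwdCount over a constructed run of five failed logins one second apart. The sample window values are constructed for the demonstration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* AD stores lockOutObservationWindow (and a PSO's msDS-LockoutObservationWindow)
 * as a negative count of 100 ns intervals: 30 minutes is "-18000000000". */
#define TICKS_PER_SECOND 10000000LL

static void format_window(int minutes, char *out, size_t outlen)
{
    snprintf(out, outlen, "%lld", -(long long)minutes * 60 * TICKS_PER_SECOND);
}

/* ASSUMED model of the pre-fix read (illustrative, not Samba's code): the
 * attribute goes through a 32-bit accessor, so a string that does not fit a
 * 32-bit decimal (12+ characters) yields the default, and a value that does
 * parse is truncated to its low 32 bits. */
static long long read_attr_as_int32(const char *val, int dflt)
{
    char buf[sizeof("-2147483648")];
    char *end = NULL;
    long long ll, low;

    if (strlen(val) >= sizeof(buf))
        return dflt;                       /* too long for a 32-bit decimal */
    strcpy(buf, val);
    errno = 0;
    ll = strtoll(buf, &end, 10);
    if (errno != 0 || *end != '\0')
        return dflt;
    low = (long long)(uint32_t)ll;         /* keep the low 32 bits (mod 2^32) */
    if (low > INT32_MAX)
        low -= 4294967296LL;               /* reinterpret as signed 32-bit */
    return low;
}

/* Seconds a bad password stays counted under the modelled 32-bit read.
 * 0 means the window came out zero or positive: no counting at all. */
long long effective_window_seconds_pre_fix(int minutes)
{
    char val[32];
    long long w;

    format_window(minutes, val, sizeof(val));
    w = read_attr_as_int32(val, 0);
    return w < 0 ? -w / TICKS_PER_SECOND : 0;
}

/* The same attribute read as a 64-bit integer, as the fixed code does. */
long long effective_window_seconds_fixed(int minutes)
{
    char val[32];
    long long w;

    format_window(minutes, val, sizeof(val));
    w = strtoll(val, NULL, 10);
    return w < 0 ? -w / TICKS_PER_SECOND : 0;
}

/* badPwdCount after n failed logins spaced gap_seconds apart: increment while
 * the previous failure lies inside the window, otherwise reset to 1. */
int bad_pwd_count_after(long long window_seconds, long long gap_seconds, int n)
{
    int count = 0, i;
    long long last = 0, now = 0;

    for (i = 0; i < n; i++, now += gap_seconds) {
        if (count > 0 && last + window_seconds >= now)
            count++;
        else
            count = 1;
        last = now;
    }
    return count;
}

int main(void)
{
    /* constructed sample windows, in minutes */
    static const int samples[] = { 1, 3, 4, 8, 10, 12, 15, 16, 17, 30 };
    size_t i;

    printf("%7s %12s %12s %8s\n", "minutes", "pre-fix(s)", "fixed(s)", "count/5");
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        long long pre = effective_window_seconds_pre_fix(samples[i]);
        printf("%7d %12lld %12lld %8d\n", samples[i], pre,
               effective_window_seconds_fixed(samples[i]),
               bad_pwd_count_after(pre, 1, 5));
    }
    return 0;
}
```

Under this model a 3-minute window (-1800000000 ticks) still fits in 32 bits and works, 8 and 10 minutes wrap to about 50 and 170 seconds, 15 and 16 minutes to about 41 and 101 seconds, 4-7 and 11-14 minutes wrap to a positive value, and anything from 17 minutes up (12-character strings, including the default) falls back to 0; in every broken case the simulated badPwdCount stays at 1, which is exactly the symptom the advisory describes.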

Technical details

Unknown

Credits

Isaac Boukris

Reference(s)

Bad password count in AD DC not always effective
https://www.samba.org/samba/security/CVE-2018-16857.html

Bug 13683 – (CVE-2018-16857) [SECURITY] CVE-2018-16857 Bad password count not effective for default (30min) window
https://bugzilla.samba.org/show_bug.cgi?id=13683

[Announce] Samba 4.9.3, 4.8.7 and 4.7.12 Security Releases Available
https://lists.samba.org/archive/samba-announce/2018/000462.html

CVE-2018-16857 tests: Sanity-check password lockout works with default values
https://github.com/samba-team/samba/commit/77de8278e4b467b66a477c09945a9bcc6b08b194

CVE-2018-16857 dsdb/util: Correctly treat lockOutObservationWindow as 64-bit int
https://github.com/samba-team/samba/commit/c7b937c5aae40483f2f37727758ed50877f17a5b

CVE-2018-16857 dsdb/util: Fix lockOutObservationWindow for PSOs
https://github.com/samba-team/samba/commit/13014aea13a77f6a75ab948e2a29d814ebd9dd22

CVE-2018-16857 dsdb/util: Add better default lockOutObservationWindow
https://github.com/samba-team/samba/commit/fde9f7c81b42419e71b2fc8c31d92db4a05176af

CVE-2018-16857
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16857

CVE-2018-16857
https://nvd.nist.gov/vuln/detail/CVE-2018-16857

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: March 6, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.