Mar 15 2018

Major Bug in Samba 4ff.: Authenticated Users May Change All Passwords

The developer team overseeing Samba, the free SMB/CIFS re-implementation used for file and print sharing between Windows- and Unix-based computers, has issued a security advisory together with patches: from version 4.0.0 onwards, when Samba runs as an Active Directory domain controller, any authenticated user can reset the password of any other user, including domain administrators and privileged service accounts.

The bug matters because since the release of version 4.0.0, a little over five years ago, Samba can also serve as a domain controller in Active Directory environments, and it is the LDAP server of that role that is affected; Samba installations that only act as file servers or domain members are not. According to the vulnerability alert, recorded in the CVE database as CVE-2018-1057, the bug is described as follows:

"On a Samba 4 AD DC the LDAP server in all versions of Samba from 4.0.0 onwards incorrectly validates permissions to modify passwords over LDAP allowing authenticated users to change any other users' passwords, including administrative users and privileged service accounts (e.g. Domain Controllers)." More specifically, "[t]he LDAP server incorrectly validates certain LDAP password modifications against the 'Change Password' privilege, but then performs a password reset operation." The root cause is the difference between two operations that Active Directory (AD) keeps apart. A password change requires the caller to supply the old password and is governed by the "Change Password" extended access right, which AD grants by default on every user object to the object itself ("self") and to everyone ("world"). A password reset needs no old password and is normally reserved for administrators. Samba checked the affected LDAP modifications against the first right, which every authenticated user holds, and then carried out the second operation. In practice, any domain user, or anyone holding a stolen low-privilege credential, can take over administrator and service accounts and from there cut domain members off from their resources or siphon off confidential information.

The good news is that two workarounds exist. Administrators can revoke the 'change password' right for 'world' from all user objects with the helper script the Samba team provides. This prevents authenticated users from tampering with other people's passwords while keeping their right to change their own. However, it may also stop users of non-Windows clients from changing expired passwords, which is why in such environments "the maximum password age should be set to a value that prevents user passwords from expiring while the workaround is in place", for example 365 days. Alternatively, administrators can add the line server services = -ldap to smb.conf and restart Samba, which disables the LDAP listener. This second workaround should only be used as an emergency measure and for a short time, because it takes an essential part of the affected AD domain offline.

The Samba team urges users to install the patches for this vulnerability, which came out on Tuesday (13 March 2018) and are available from the Samba security page. Patches for the older 4.4 and 4.3 branches (4.4.16 and 4.3.13) are available from the same address. In addition, the developers have released Samba 4.7.6, 4.6.14 and 4.5.16 as security releases.
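A practitioner's first question is whether a given domain controller is on a fixed build. The following POSIX shell script is an added example, not code from the article or from the Samba project: it parses the version string that `smbd --version` prints and classifies it against the fixed versions named above (4.3.13, 4.4.16, 4.5.16, 4.6.14, 4.7.6). Everything from 4.0.0 up to the fix on its branch is reported as vulnerable; anything before 4.0.0 has no AD DC role and is reported as not affected; branches the article does not list are reported as unknown. The sample version strings at the bottom are constructed, not captured from real hosts.

```shell
#!/bin/sh
# Added example: classify a Samba version against the CVE-2018-1057 fixes.
# Not part of the Samba project; the fixed-version table is taken from the
# article above, and the sample inputs are constructed.

# Extract the leading dotted version from an `smbd --version` line,
# e.g. "Version 4.7.5-Debian" -> "4.7.5". Prints nothing if no x.y.z is found.
samba_version_from_string() {
    printf '%s\n' "$1" | sed -n 's/^[Vv]ersion[[:space:]]*//; s/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# version_ge A B: exit 0 when dotted version A >= B, comparing field by field
# numerically (so 4.7.10 > 4.7.9, which a plain string compare gets wrong).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        [ -z "$ai" ] && ai=0
        [ -z "$bi" ] && bi=0
        [ "$ai" -gt "$bi" ] && return 0
        [ "$ai" -lt "$bi" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a="" ;; esac
        case $b in *.*) b=${b#*.} ;; *) b="" ;; esac
    done
    return 0
}

# cve_2018_1057_status VERSION prints one of:
#   not-affected  below 4.0.0 (no Samba AD DC, hence no affected LDAP server)
#   vulnerable    4.0.0 or later and below the fix for its release branch
#                 (4.0-4.2 have no fix on their branch at all: upgrade)
#   fixed         at or above the security release / patch level for its branch
#   unknown       a branch the article does not list; consult the advisory
cve_2018_1057_status() {
    v="$1"
    if ! version_ge "$v" 4.0.0; then echo not-affected; return; fi
    branch=${v%.*}          # "4.7.5" -> "4.7"
    case $branch in
        4.0|4.1|4.2) echo vulnerable; return ;;
        4.3) fix=4.3.13 ;;
        4.4) fix=4.4.16 ;;
        4.5) fix=4.5.16 ;;
        4.6) fix=4.6.14 ;;
        4.7) fix=4.7.6 ;;
        *)   echo unknown; return ;;
    esac
    if version_ge "$v" "$fix"; then echo fixed; else echo vulnerable; fi
}

# Demo on constructed `smbd --version` outputs (on a real DC, feed in
# "$(smbd --version)" instead).
for s in "Version 4.7.5-Debian" "Version 4.7.6" "Version 4.5.16-Ubuntu" \
         "Version 4.2.14" "Version 3.6.25" "Version 4.8.0"; do
    v=$(samba_version_from_string "$s")
    printf '%-24s -> %s\n' "$s" "$(cve_2018_1057_status "$v")"
done
```

The check is a heuristic: distributions often backport security fixes without bumping the upstream version number, so a package that reports 4.7.5 may already carry the fix. Treat "vulnerable" as "verify against your distribution's advisory", and remember that only hosts running the AD DC role are exposed in the first place.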

