CVE-2018-16857 - OpenCVE

Samba from version 4.9.0 and before version 4.9.3 that have AD DC configurations watching for bad passwords (to restrict brute forcing of passwords) in a window of more than 3 minutes may not watch for bad passwords at all. The primary risk from this issue is with regards to domains that have been upgraded from Samba 4.8 and earlier. In these cases the manual testing done to confirm an organisation's password policies apply as expected may not have been re-done after the upgrade.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Samba	Samba

Configuration 1 [-]

cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://www.securityfocus.com/bid/106024
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16857
https://nvd.nist.gov/vuln/detail/CVE-2018-16857
https://security.gentoo.org/glsa/202003-52
https://security.netapp.com/advisory/ntap-20181127-0001/
https://www.cve.org/CVERecord?id=CVE-2018-16857
https://www.samba.org/samba/security/CVE-2018-16857.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2018-11-28T14:00:00

Updated: 2024-08-05T10:32:54.067Z

Reserved: 2018-09-11T00:00:00

Link: CVE-2018-16857

Vulnrichment

No data.

NVD

Status : Modified

Published: 2018-11-28T14:29:00.610

Modified: 2019-10-09T23:36:22.817

Link: CVE-2018-16857

Redhat

Severity : Moderate

Publid Date: 2018-11-20T00:00:00Z

Links: CVE-2018-16857 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "samba", "vendor": "[UNKNOWN]", "versions": [{"status": "affected", "version": "4.9.3"}]}], "datePublic": "2018-11-27T00:00:00", "descriptions": [{"lang": "en", "value": "Samba from version 4.9.0 and before version 4.9.3 that have AD DC configurations watching for bad passwords (to restrict brute forcing of passwords) in a window of more than 3 minutes may not watch for bad passwords at all. The primary risk from this issue is with regards to domains that have been upgraded from Samba 4.8 and earlier. In these cases the manual testing done to confirm an organisation's password policies apply as expected may not have been re-done after the upgrade."}], "metrics": [{"cvssV3_0": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-358", "description": "CWE-358", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-03-25T18:06:06", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20181127-0001/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16857"}, {"name": "106024", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/106024"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.samba.org/samba/security/CVE-2018-16857.html"}, {"name": "GLSA-202003-52", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202003-52"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2018-16857", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "samba", "version": {"version_data": [{"version_value": "4.9.3"}]}}]}, "vendor_name": "[UNKNOWN]"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Samba from version 4.9.0 and before version 4.9.3 that have AD DC configurations watching for bad passwords (to restrict brute forcing of passwords) in a window of more than 3 minutes may not watch for bad passwords at all. The primary risk from this issue is with regards to domains that have been upgraded from Samba 4.8 and earlier. In these cases the manual testing done to confirm an organisation's password policies apply as expected may not have been re-done after the upgrade."}]}, "impact": {"cvss": [[{"vectorString": "7.4/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.0"}]]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-358"}]}]}, "references": {"reference_data": [{"name": "https://security.netapp.com/advisory/ntap-20181127-0001/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20181127-0001/"}, {"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16857", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16857"}, {"name": "106024", "refsource": "BID", "url": "http://www.securityfocus.com/bid/106024"}, {"name": "https://www.samba.org/samba/security/CVE-2018-16857.html", "refsource": "CONFIRM", "url": "https://www.samba.org/samba/security/CVE-2018-16857.html"}, {"name": "GLSA-202003-52", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202003-52"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T10:32:54.067Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20181127-0001/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16857"}, {"name": "106024", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/106024"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.samba.org/samba/security/CVE-2018-16857.html"}, {"name": "GLSA-202003-52", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/202003-52"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2018-16857", "datePublished": "2018-11-28T14:00:00", "dateReserved": "2018-09-11T00:00:00", "dateUpdated": "2024-08-05T10:32:54.067Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:*", "matchCriteriaId": "6711DD48-1D71-4F14-A071-8A3F08D84162", "versionEndExcluding": "4.9.3", "versionStartIncluding": "4.9.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Samba from version 4.9.0 and before version 4.9.3 that have AD DC configurations watching for bad passwords (to restrict brute forcing of passwords) in a window of more than 3 minutes may not watch for bad passwords at all. The primary risk from this issue is with regards to domains that have been upgraded from Samba 4.8 and earlier. In these cases the manual testing done to confirm an organisation's password policies apply as expected may not have been re-done after the upgrade."}, {"lang": "es", "value": "Samba, desde la versi\u00f3n 4.9.0 y antes de la versi\u00f3n 4.9.3, con las configuraciones AD DC buscando malas contrase\u00f1as (para restringir la adivinaci\u00f3n de contrase\u00f1as por fuerza bruta) durante m\u00e1s de 3 minutos podr\u00eda no buscar malas contrase\u00f1as en absoluto. El riesgo principal de este problema est\u00e1 relacionado con los dominios que se han actualizado desde Samba 4.8 y anteriores. En estos casos, las pruebas manuales realizadas para confirmar que las pol\u00edticas de contrase\u00f1a de una organizaci\u00f3n se aplican como deber\u00edan podr\u00edan no volver a realizarse tras la actualizaci\u00f3n."}], "id": "CVE-2018-16857", "lastModified": "2019-10-09T23:36:22.817", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2018-11-28T14:29:00.610", "references": [{"source": "secalert@redhat.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/106024"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Mitigation", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16857"}, {"source": "secalert@redhat.com", "url": "https://security.gentoo.org/glsa/202003-52"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20181127-0001/"}, {"source": "secalert@redhat.com", "tags": ["Mitigation", "Vendor Advisory", "Patch"], "url": "https://www.samba.org/samba/security/CVE-2018-16857.html"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-358"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-358"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank the Samba project for reporting this issue. Upstream acknowledges Isaac Boukris as the original reporter.", "bugzilla": {"description": "samba: Bad password count in AD DC not always effective", "id": "1649278", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1649278"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.4", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "status": "draft"}, "cwe": "CWE-358", "details": ["Samba from version 4.9.0 and before version 4.9.3 that have AD DC configurations watching for bad passwords (to restrict brute forcing of passwords) in a window of more than 3 minutes may not watch for bad passwords at all. The primary risk from this issue is with regards to domains that have been upgraded from Samba 4.8 and earlier. In these cases the manual testing done to confirm an organisation's password policies apply as expected may not have been re-done after the upgrade.", "It was found that the 'bad password observation window' was ineffective when set to a value greater than 3 minutes. This could allow for brute force password attacks in some situations."], "mitigation": {"lang": "en:us", "value": "Bad password lockout is not configured by default, it is only\neffective if a threshold has been set with (eg):\nsamba-tool domain passwordsettings set --account-lockout-threshold=3\nTo mitigate the issue set a shorter 'Reset account lockout after'\nwindow (the ineffective default is 30, anything less than 15 will\nwork):\nsamba-tool domain passwordsettings set --reset-account-lockout-after=15\nNOTE: If a fine-grained password policy (PSO) is set, this must also\nbe done on each PSO."}, "name": "CVE-2018-16857", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "samba", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "samba3x", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "samba", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "samba4", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "samba", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "samba", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "samba", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/o:redhat:rhev_hypervisor:4", "fix_state": "Not affected", "package_name": "samba", "product_name": "Red Hat Virtualization 4"}], "public_date": "2018-11-20T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2018-16857\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-16857\nhttps://www.samba.org/samba/security/CVE-2018-16857.html"], "statement": "This flaw does not affect the version of samba shipped with Red Hat Enterprise Linux because there is no support for samba as Active Directory Domain Controller.", "threat_severity": "Moderate", "upstream_fix": "samba 4.9.3"}