
CVE-2013-4496: Password lockout not enforced for SAMR password changes

2014-03-11 00:00:00
Samba Security
www.samba.org

CVSS2: 5 Medium (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

EPSS: 0.006 Low
EPSS Percentile: 79.3%

Description

Samba versions 3.4.0 and above allow the administrator to implement
locking out Samba accounts after a number of bad password attempts.

However, no released version of Samba applied this check to password
changes, which are available over several SAMR and RAP interfaces, so
those interfaces allowed password guessing attacks.

As this was found during an internal audit of the Samba code there are
no currently known exploits for this problem (as of March 11th 2014).
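The bug class described above, as an added illustration that is not Samba code: a bad-password counter that the logon path consults but the password-change path does not, beside the corrected shape in which every path that verifies a credential shares the same lockout policy. The account model, the threshold of three attempts and the hashing are assumptions made for the example; the point is that the change path must both honour an existing lock and count its own failures.

```python
"""Toy model of CVE-2013-4496's bug class: lockout enforced on logon but
not on password change.  Constructed example; not Samba's implementation."""
from dataclasses import dataclass
import hashlib
import hmac

LOCKOUT_THRESHOLD = 3  # assumed policy: lock the account after 3 bad attempts


@dataclass
class Account:
    name: str
    pw_hash: bytes
    bad_count: int = 0
    locked: bool = False


def _h(pw: str) -> bytes:
    # Illustration only; a real password store uses a slow, salted hash.
    return hashlib.sha256(pw.encode()).digest()


def _verify(acct: Account, pw: str) -> bool:
    return hmac.compare_digest(acct.pw_hash, _h(pw))


def _record_attempt(acct: Account, ok: bool) -> None:
    """Shared lockout bookkeeping: reset on success, count and lock on failure."""
    if ok:
        acct.bad_count = 0
        return
    acct.bad_count += 1
    if acct.bad_count >= LOCKOUT_THRESHOLD:
        acct.locked = True


def logon(acct: Account, pw: str) -> bool:
    """Logon path: honours the lock and feeds the counter."""
    if acct.locked:
        return False
    ok = _verify(acct, pw)
    _record_attempt(acct, ok)
    return ok


def change_password_vulnerable(acct: Account, old_pw: str, new_pw: str) -> bool:
    """Vulnerable shape: verifies the old password but never consults the lock
    or counts failures, so wrong guesses here are never throttled."""
    if not _verify(acct, old_pw):
        return False
    acct.pw_hash = _h(new_pw)
    return True


def change_password_fixed(acct: Account, old_pw: str, new_pw: str) -> bool:
    """Hardened shape: same lock check and same counter as the logon path."""
    if acct.locked:
        return False
    ok = _verify(acct, old_pw)
    _record_attempt(acct, ok)
    if not ok:
        return False
    acct.pw_hash = _h(new_pw)
    return True


def run_wrong_guesses(change_fn, attempts: int = 10):
    """Feed `attempts` wrong old-password values through a change path and
    return (locked, bad_count) so the two shapes can be compared."""
    acct = Account("alice", _h("correct horse"))  # constructed account
    for i in range(attempts):
        change_fn(acct, f"guess{i}", "irrelevant")
    return acct.locked, acct.bad_count


if __name__ == "__main__":
    print("vulnerable:", run_wrong_guesses(change_password_vulnerable))
    print("fixed:     ", run_wrong_guesses(change_password_fixed))
```

With the vulnerable change path the account is still unlocked with a zero counter after ten wrong guesses; with the fixed path it locks after the third and further attempts, including a correct one, are refused until an administrator unlocks it. The detection angle follows from the same observation: a password-change endpoint whose failures never appear in the lockout counters is one to audit.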

Caveats

Most sites do not configure the bad password lockout feature. Typically
it is only enabled when Samba is configured as a Domain Controller, so
most file server deployments are not impacted.

Additionally, for this feature to be effective Samba must be the sole
source of authentication on the network. (Otherwise synchronised
services such as an LDAP backend or the UNIX /etc/shadow file could be
the weak point instead).

This patch does not implement bad password lockout for the Active
Directory Domain Controller. The bad password lockout feature is not
implemented at all in that configuration. The Samba Team plans to
address this deficiency as a feature in a future release of the AD DC.

The patch to remove the samr_ChangePasswordUser call is not strictly
required, as this call is only available to administrators already able
to reset passwords. We include it to avoid a future well-meaning patch
that might restore it as a valid password-change mechanism. If used, it
would also bypass restrictions on password complexity, history and any
restriction defined via the ‘unix passwd sync’, ‘pam password change’
and ‘ldap password sync’ smb.conf options.

Patch Availability

Patches addressing all these issues have been posted to:

http://www.samba.org/samba/security/

Samba versions 3.6.23, 4.0.16, and 4.1.6 have been released to
address this issue. Patches for 3.4.17 and 3.5.22 have not been
provided as these are now beyond our security support window.

Workaround

None.

Credits

This problem was found by an internal audit of the Samba code by
Andrew Bartlett of Catalyst IT. Special thanks also go to Univention GmbH.

Patches provided by Andrew Bartlett, Stefan Metzmacher of SerNet and Jeremy Allison of the Samba
team.

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
