Bad password count in AD DC not always effective

ID SAMBA:CVE-2018-16857
Type samba
Reporter Samba Security
Modified 2018-11-27T00:00:00



By default, Samba will remember bad passwords for 30 minutes:

eg:
    $ samba-tool domain passwordsettings show
    ...
    Reset account lockout after (mins): 30

This is also known as the 'bad password observation window' and is configured in the lockOutObservationWindow attribute on the domain DN or in a fine-grained password policy (also known as a Password Settings Object - PSO).

If this value is set to more than 3 minutes, bad password lockout may be ineffective.

If the setting were 8-10 minutes or 15-16 minutes, Samba would still offer some bad password lockout protection, but would use a smaller observation window than configured (somewhere between 41 and 170 seconds, depending on the actual configured setting).

For all other configured observation windows over 3 minutes (including the default), bad password counting will not work. This will mean the badPwdCount attribute (which stores repeated bad password attempts) will never exceed 1. The 'account lockout threshold' will therefore not be hit, and the user would never get locked out.

The primary risk from this issue is with regards to domains that have been upgraded from Samba 4.8 and earlier. In these cases the manual testing done to confirm an organisation's password policies apply as expected may not have been re-done after the upgrade.

CVSSv3 calculation

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N (5.9)

Patch Availability

Patches addressing both these issues have been posted to:

Additionally, Samba 4.9.3 has been issued as a security release to correct the defect. Samba administrators are advised to upgrade to this release or apply the patch as soon as possible.

Workaround and mitigation

Bad password lockout is not configured by default; it is only effective if a threshold has been set with (eg):

samba-tool domain passwordsettings set --account-lockout-threshold=3

To mitigate the issue, set a shorter 'Reset account lockout after' window (the ineffective default is 30; anything less than 3 will work):

samba-tool domain passwordsettings set --reset-account-lockout-after=3

Note that this setting controls how long Samba remembers bad password attempts for, rather than how long the account is locked (which is controlled by --account-lockout-duration).

NOTE: If a fine-grained password policy (PSO) is set, this must also be done on each PSO.
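
A check an administrator could run against a DC that does not yet have the fix, as an added example (not part of the advisory or of Samba's own code): it reads the `samba-tool domain passwordsettings show` output and applies the window ranges described above. The function names and verdict words are hypothetical, the sample output is constructed, and the threshold label is assumed to match what the tool prints.

```shell
#!/bin/sh
# Classify passwordsettings output against the observation-window behaviour
# described in this advisory (applies to builds without the fix).

# classify_window THRESHOLD WINDOW_MINS -> prints one verdict word
classify_window() {
    threshold=$1
    window=$2
    if [ "$threshold" -eq 0 ]; then
        echo "not-configured"      # no lockout threshold has been set
    elif [ "$window" -le 3 ]; then
        echo "effective"           # only windows over 3 minutes are affected
    elif { [ "$window" -ge 8 ] && [ "$window" -le 10 ]; } ||
         { [ "$window" -ge 15 ] && [ "$window" -le 16 ]; }; then
        echo "partial"             # counted, but over a shorter window (41-170 s)
    else
        echo "ineffective"         # badPwdCount never exceeds 1
    fi
}

# classify_settings: reads `samba-tool domain passwordsettings show` on stdin
classify_settings() {
    out=$(cat)
    threshold=$(printf '%s\n' "$out" |
        sed -n 's/^ *Account lockout threshold (attempts): *\([0-9][0-9]*\).*/\1/p')
    window=$(printf '%s\n' "$out" |
        sed -n 's/^ *Reset account lockout after (mins): *\([0-9][0-9]*\).*/\1/p')
    if [ -z "$threshold" ] || [ -z "$window" ]; then
        echo "unparsed"            # expected lines missing: do not guess
        return 1
    fi
    classify_window "$threshold" "$window"
}

# Constructed sample output (not captured from a real domain).
SAMPLE_DEFAULT='Account lockout duration (mins): 30
Account lockout threshold (attempts): 3
Reset account lockout after (mins): 30'

# On a DC: samba-tool domain passwordsettings show | classify_settings
printf '%s\n' "$SAMPLE_DEFAULT" | classify_settings
```

This reads the domain-wide settings only; each PSO needs the same check against its own values.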


Originally reported by Isaac Boukris

Patches provided by Tim Beale of Catalyst and the Samba team.

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team