Samba closes leak that lets users change passwords on AD domain controller

Samba has patched a vulnerability that would allow unprivileged logged in users to change the passwords of other users, including administrators. The vulnerability occurs if Samba is used as an Active Directory domain controller.

The vulnerability, attribute CVE-2018-1057, is related to the ldap server incorrectly validating permissions, according to the warning. The vulnerability is present from version 4.0.0alpha13 and is described in a special wiki article. Patches are available in the form of versions 4.7.6, 4.6.14 and 4.5.16. According to the Samba developers, the patch page also tells you if there are fixes for older versions of the software.

In addition, the wiki article describes several workarounds, such as revoking password change permissions from all user objects including computers for ‘the world’. To do this, a so-called helper tool has been created. The risk of the vulnerability is that an attacker could potentially gain access to an account with higher privileges by changing its password.

The vulnerability was discovered by the German SerNet, whose people are also developing Samba. The Samba team also warns of a second vulnerability, CVE-2018-1050, that allows a dos attack on a remote print server from version 4.0.0 of the software.

Samba is an open source implementation of the smb/cifs network protocol. This protocol is present in Windows and makes it possible to share files and printers over the network. Samba was created to facilitate interoperability with other operating systems such as Linux, Unix and BSD. This allows Linux servers, for example, to participate in an Active Directory and also act as domain controllers. This is possible since version 4.0.0.