===========================================================
== Subject:     CVE-2013-4496: Password lockout not enforced for
==              SAMR password changes
==
== CVE ID#:     CVE-2013-4496
==
== Versions:    All versions of Samba later than 3.4.0
==
== Summary:     In Samba's SAMR server we neglect to ensure that
==              attempted password changes will update the bad
==              password count, nor set the lockout flags.
==              This would allow a user unlimited attempts against
==              the password by simply calling ChangePasswordUser2
==              repeatedly.
==
==              This is available without any other authentication.
==
===========================================================

===========
Description
===========

Samba versions 3.4.0 and above allow the administrator to implement
locking out Samba accounts after a number of bad password attempts.

However, all released versions of Samba did not implement this check
for password changes, such as are available over multiple SAMR and
RAP interfaces, allowing password guessing attacks.

As this was found during an internal audit of the Samba code there
are no currently known exploits for this problem (as of March 11th
2014).

=======
Caveats
=======

Most sites do not configure the bad password lockout feature.
Typically it is only enabled when Samba is configured as a Domain
Controller, so most file server deployments are not impacted.

Additionally, for this feature to be effective Samba must be the sole
source of authentication on the network. (Otherwise synchronised
services such as an LDAP backend or the UNIX /etc/shadow file could
be the weak point instead).

This patch does not implement bad password lockout for the Active
Directory Domain Controller. The bad password lockout feature is not
implemented at all in that configuration. The Samba Team plans to
address this deficiency as a feature in a future release of the AD DC.
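To make the logic flaw in the Description concrete, the following is an added Python model of an account store with a bad-password lockout policy; it is constructed for this advisory and is not Samba's code. The lockout threshold, field names and both change-password variants are assumptions: the "vulnerable" variant verifies the old password without touching the bad password count or lockout flag, the "fixed" variant charges a wrong old password to the count and refuses locked accounts, exactly as the logon path already does.

```python
class PasswordStore:
    """Toy account store with bad-password lockout (constructed; not Samba code).
    Each account record holds the fields the lockout policy depends on."""

    def __init__(self, lockout_threshold=5):  # threshold value is assumed
        self.lockout_threshold = lockout_threshold
        self.accounts = {}

    def add(self, name, password):
        self.accounts[name] = {"password": password, "bad_count": 0, "locked": False}

    def _record_failure(self, acct):
        # Every path that verifies a password should end up here on failure.
        acct["bad_count"] += 1
        if acct["bad_count"] >= self.lockout_threshold:
            acct["locked"] = True

    def logon(self, name, password):
        acct = self.accounts[name]
        if acct["locked"]:
            return False
        if password != acct["password"]:
            self._record_failure(acct)
            return False
        acct["bad_count"] = 0
        return True

    def change_password_vulnerable(self, name, old, new):
        # Pre-fix behaviour: a wrong old password is rejected, but the bad
        # password count and lockout flag are neither checked nor updated.
        acct = self.accounts[name]
        if old != acct["password"]:
            return False
        acct["password"] = new
        return True

    def change_password_fixed(self, name, old, new):
        # Fixed behaviour: a locked account is refused and a wrong old
        # password is charged to the bad password count like a failed logon.
        acct = self.accounts[name]
        if acct["locked"]:
            return False
        if old != acct["password"]:
            self._record_failure(acct)
            return False
        acct["bad_count"] = 0
        acct["password"] = new
        return True
```

With the vulnerable variant the bad password count stays at zero however many wrong old passwords are presented; with the fixed variant the account locks at the threshold and is then refused on both the change-password and logon paths.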
The patch to remove the samr_ChangePasswordUser call is not strictly
required, as this call is only available to administrators already
able to reset passwords. We include it to avoid a future well-meaning
patch that might restore it as a valid password-change mechanism. If
used, it would also bypass restrictions on password complexity,
history and any restriction defined via the 'unix passwd sync', 'pam
password change' and 'ldap password sync' smb.conf options.

==================
Patch Availability
==================

Patches addressing all these issues have been posted to:

http://www.samba.org/samba/security/

Samba versions 3.6.23, 4.0.16, and 4.1.6 have been released to
address this issue.

Patches for 3.4.17 and 3.5.22 have not been provided as these are now
beyond our security support window.

==========
Workaround
==========

None.

=======
Credits
=======

This problem was found by an internal audit of the Samba code by
Andrew Bartlett of Catalyst IT. Special thanks also go to Univention
GmbH.

Patches provided by Andrew Bartlett, Stefan Metzmacher of SerNet and
Jeremy Allison of the Samba team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================