Bug 1649278 (CVE-2018-16857)

Summary: CVE-2018-16857 samba: Bad password count in AD DC not always effective
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: samba 4.9.3
Doc Text:
It was found that the 'bad password observation window' was ineffective when set to a value greater than 3 minutes. This could allow for brute force password attacks in some situations.
Story Points: ---
Last Closed: 2018-11-28 07:40:40 UTC
Bug Depends On: 1654095

Description Andrej Nemec 2018-11-13 10:12:08 UTC
A vulnerability was found in the AD DC Configurations of Samba 4.9.0 and later. Watching for bad passwords (to restrict brute forcing of passwords) in a window of more than 15 minutes instead doesn't watch for bad passwords at all.

Comment 2 Andrej Nemec 2018-11-13 10:14:18 UTC
Mitigation:

Bad password lockout is not configured by default, it is only
effective if a threshold has been set with (eg):

samba-tool domain passwordsettings set --account-lockout-threshold=3

To mitigate the issue set a shorter 'Reset account lockout after'
window (the ineffective default is 30, anything less than 15 will
work):

samba-tool domain passwordsettings set --reset-account-lockout-after=15

NOTE: If a fine-grained password policy (PSO) is set, this must also
be done on each PSO.
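Added example, not code from the Samba project or from this bug report: a POSIX shell check that classifies a DC's lockout policy as disabled, effective or ineffective from the output of `samba-tool domain passwordsettings show`. It assumes that command's output layout (a constructed sample is embedded) and uses the 15-minute bound from the mitigation comment above.

```shell
#!/bin/sh
# Added example, not code from the Samba project or from this bug report.
# Checks whether an AD DC's lockout policy is short enough to be effective
# under this bug: a non-zero lockout threshold combined with a
# 'Reset account lockout after' window above MAX_WINDOW minutes.

# Largest window (minutes) treated as effective. 15 follows the mitigation
# comment above; the Doc Text gives 3, so run with MAX_WINDOW=3 to be strict.
MAX_WINDOW="${MAX_WINDOW:-15}"

# Constructed sample in the layout that
# 'samba-tool domain passwordsettings show' prints (assumed, not captured).
SAMPLE_POLICY="Password informations for domain 'DC=example,DC=test'

Password complexity: on
Minimum password length: 7
Account lockout duration (mins): 30
Account lockout threshold (attempts): 3
Reset account lockout after (mins): 30"

# field NAME TEXT: print the integer following 'NAME:' in TEXT, or nothing.
# NAME contains parentheses, which are literal in a basic regular expression.
field() {
    printf '%s\n' "$2" | sed -n "s/^$1: *\([0-9][0-9]*\).*/\1/p"
}

# lockout_status TEXT: print 'disabled', 'effective' or 'ineffective'.
# Returns 1 only for 'ineffective' so it can drive a monitoring check.
lockout_status() {
    threshold=$(field 'Account lockout threshold (attempts)' "$1")
    window=$(field 'Reset account lockout after (mins)' "$1")
    if [ -z "$threshold" ] || [ "$threshold" -eq 0 ]; then
        echo disabled        # no lockout configured: the bug does not apply
        return 0
    fi
    if [ -n "$window" ] && [ "$window" -le "$MAX_WINDOW" ]; then
        echo effective
        return 0
    fi
    echo ineffective         # threshold set, but the window is never enforced
    return 1
}

# Stand-alone use: inspect the live DC when samba-tool is present, otherwise
# fall back to the constructed sample.
if command -v samba-tool >/dev/null 2>&1; then
    POLICY=$(samba-tool domain passwordsettings show 2>/dev/null || true)
else
    POLICY="$SAMPLE_POLICY"
fi
printf 'lockout policy: %s (max window %s min)\n' "$(lockout_status "$POLICY")" "$MAX_WINDOW"
```

Per the PSO note above, the same check should be fed the output of `samba-tool domain passwordsettings pso show <name>` for each PSO; the field names are assumed to match the domain-wide output.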

Comment 3 Sam Fowler 2018-11-28 03:04:33 UTC
External Reference:

https://www.samba.org/samba/security/CVE-2018-16857.html

Comment 4 Sam Fowler 2018-11-28 03:04:56 UTC
Acknowledgments:

Name: the Samba project
Upstream: Isaac Boukris

Comment 5 Sam Fowler 2018-11-28 03:05:25 UTC
Created samba tracking bugs for this issue:

Affects: fedora-all [bug 1654095]

Comment 6 Huzaifa S. Sidhpurwala 2018-11-28 07:40:52 UTC
Statement:

This flaw does not affect the version of samba shipped with Red Hat Enterprise Linux because there is no support for samba as Active Directory Domain Controller.