CVE-2018-1057

From SambaWiki
Revision as of 11:00, 14 March 2018 by Metze (talk | contribs) (Updated samba_CVE-2018-1057_helper)


CVE-2018-1057: Unprivileged user can change any user (and admin) password

Advisory

Advisory CVE-2018-1057

FAQ

Does this impact the Samba3/NT4-like/classic domain controller?

No, this only affects the Samba Active Directory DC.

Does this impact the RODC (if the full DC is not Samba)?

No, password changes are rejected on the RODC.

Does this impact Samba as a fileserver only?

No, this only affects the Samba Active Directory DC.

How can I confirm if my version is impacted?

All released versions of Samba's AD DC and pre-release versions since Samba 4.0.0alpha13 appear to have this flaw.

Are patches for out-of-support Samba versions available?

Patches have been provided for Samba 4.5 and later versions. If you run an older version then check if a contributed patch has been added to Samba's security patch page.

While I prepare the update, how can I monitor my directory?

The important attributes to watch are pwdLastSet and msDS-KeyVersionNumber:

ldbsearch -H /usr/local/samba/private/sam.ldb objectclass=user pwdLastSet msDS-KeyVersionNumber

These values will change if a password is changed or reset.

As Samba does not at this time change the machine account passwords of Domain Controllers, any change to these, or to the passwords of administrators, should be a concern.

The pwdLastSet value (an NT time: 100-nanosecond intervals since 1601) can be printed in human-readable form using the samba.nttime2string function:

python
>>> import samba
>>> print(samba.nttime2string(131653809731794980))
Tue Mar 13 15:16:13 2018 NZDT
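The check described above can be scripted: take the ldbsearch output before and after a monitoring interval and report every account whose pwdLastSet or msDS-KeyVersionNumber moved, flagging Domain Controller machine accounts and the built-in Administrator (which, per the text above, should never change). This is an added example, not code from the SambaWiki page or the Samba project. It parses the two snapshots from constructed sample text rather than a live sam.ldb, converts pwdLastSet without the Samba Python bindings (same epoch arithmetic samba.nttime2string uses), and the "sensitive account" test assumes the default container layout (OU=Domain Controllers and CN=Administrator,CN=Users); adjust it to your directory.

```python
"""Added example: diff two ldbsearch snapshots of pwdLastSet / msDS-KeyVersionNumber.

Not from the SambaWiki page or the Samba project. Sample snapshots are constructed.
"""
from datetime import datetime, timedelta, timezone

NT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample of:
#   ldbsearch -H /usr/local/samba/private/sam.ldb objectclass=user pwdLastSet msDS-KeyVersionNumber
# taken at the start of the monitoring window (sample data, not real directory output).
SNAPSHOT_BEFORE = """\
# record 1
dn: CN=Administrator,CN=Users,DC=addom,DC=samba,DC=example,DC=com
pwdLastSet: 131653809731794980
msDS-KeyVersionNumber: 1

# record 2
dn: CN=DC1,OU=Domain Controllers,DC=addom,DC=samba,DC=example,DC=com
pwdLastSet: 131650000000000000
msDS-KeyVersionNumber: 2

# record 3
dn: CN=alice,CN=Users,DC=addom,DC=samba,DC=example,DC=com
pwdLastSet: 131651000000000000
msDS-KeyVersionNumber: 1

# returned 3 records
# 3 entries
# 0 referrals
"""

# Constructed sample of the same query later: alice changed her own password (normal),
# and the DC1 machine account password was reset, which Samba itself never does.
SNAPSHOT_AFTER = SNAPSHOT_BEFORE.replace(
    "pwdLastSet: 131650000000000000\nmsDS-KeyVersionNumber: 2",
    "pwdLastSet: 131653950000000000\nmsDS-KeyVersionNumber: 3",
).replace(
    "pwdLastSet: 131651000000000000\nmsDS-KeyVersionNumber: 1",
    "pwdLastSet: 131653900000000000\nmsDS-KeyVersionNumber: 2",
)


def nttime_to_datetime(nttime):
    """NTTIME (100 ns ticks since 1601-01-01 UTC) -> timezone-aware datetime."""
    return NT_EPOCH + timedelta(microseconds=nttime // 10)


def nttime_to_string(nttime, utc_offset_hours=0):
    """Format like samba.nttime2string, in the given fixed UTC offset (13 = NZDT)."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return nttime_to_datetime(nttime).astimezone(tz).strftime("%a %b %d %H:%M:%S %Y")


def parse_ldbsearch(text):
    """Parse ldbsearch LDIF-style output into {dn: {attribute: value}}.

    Comment ('# ...') and blank lines terminate a record; a line starting with a
    space is an LDIF continuation of the previous attribute value.
    """
    entries, current, last_attr = [], None, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            current, last_attr = None, None
            continue
        if line.startswith(" ") and current is not None and last_attr is not None:
            current[last_attr] += line[1:]
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip(), value.strip()
        if attr == "dn":
            current = {"dn": value}
            entries.append(current)
        elif current is not None:
            current[attr] = value
        last_attr = attr
    return {e["dn"]: e for e in entries}


def is_sensitive(dn):
    """Assumption: DCs live under OU=Domain Controllers; Administrator in CN=Users."""
    lowered = dn.lower()
    return "ou=domain controllers," in lowered or lowered.startswith("cn=administrator,cn=users,")


def password_changes(before_text, after_text):
    """Accounts whose pwdLastSet or msDS-KeyVersionNumber differ between snapshots.

    Accounts absent from the first snapshot are reported too (a new account also
    gets a fresh pwdLastSet). Returned in the order of the second snapshot.
    """
    before, after = parse_ldbsearch(before_text), parse_ldbsearch(after_text)
    watched = ("pwdLastSet", "msDS-KeyVersionNumber")
    changes = []
    for dn, entry in after.items():
        old = before.get(dn, {})
        if tuple(entry.get(a) for a in watched) == tuple(old.get(a) for a in watched):
            continue
        changes.append({
            "dn": dn,
            "old_kvno": old.get("msDS-KeyVersionNumber"),
            "new_kvno": entry.get("msDS-KeyVersionNumber"),
            "pwdLastSet": nttime_to_string(int(entry["pwdLastSet"])) if entry.get("pwdLastSet") else None,
            "sensitive": is_sensitive(dn),
        })
    return changes


if __name__ == "__main__":
    for c in password_changes(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        tag = "!! SENSITIVE ACCOUNT" if c["sensitive"] else "password change"
        print(f"{tag}: {c['dn']} kvno {c['old_kvno']} -> {c['new_kvno']} at {c['pwdLastSet']} UTC")
```

On a real DC you would feed the two snapshots from the ldbsearch command above (redirected to files) and alert on anything marked sensitive; an ordinary user changing their own password also appears, so the value is in reviewing who changed, not merely that something changed.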

Are any audit logs produced by the password reset?

No useful audit logs are produced when a password is reset. The audit logging of password changes provided by Samba 4.7 is not triggered for the same reason that the password reset is allowed.

Is resetting any compromised accounts enough?

No, if those compromised accounts have privileges (domain controller accounts or administrative accounts) then such accounts may already have read all the domain's secrets.

Workarounds

Revoking change passwords rights

Revoke the change passwords right for 'the world' from all user objects (including computers) in the directory, leaving only the right to change a user's own password.

To do this, run the samba_CVE-2018-1057_helper tool (updated to also work with Samba versions < 4.7) after running 'chmod +x samba_CVE-2018-1057_helper'. The helper script has been signed using GnuPG (ID 6F33915B6568B7EA). It is sufficient to run this helper script on one of the DCs, but it is also perfectly fine to run it on all DCs, in order to avoid replication latencies, especially when sites are used.

samba_CVE-2018-1057_helper --lock-pwchange

Once CVE-2018-1057 is addressed, you can run

samba_CVE-2018-1057_helper --unlock-pwchange

to reverse the database edit.

The schema is modified to ensure the same is done for new user accounts.

Script Options

--no-schema Do not modify the schema
--filter Run on a subset of the database (provide an ldap filter string)
--base The LDAP base to search from
--scope The LDAP scope to use (BASE will modify one DN only)
--dry-run Do a dry run and do not modify the directory
-H LDAP or LDB URL.  By preference please use a path to the local file as this will allow database transactions to be used
--configfile Path to the smb.conf

Implications

Note that (because expired users cannot log on to LDAP or SAMR) this will prevent users from being able to change their own expired passwords using another account via these protocols.

Therefore, if non-Windows clients are in use, the maximum password age should be set to a value that prevents user passwords from expiring while the workaround is in place:

samba-tool domain passwordsettings set --max-pwd-age=365

This ACL controls password changes over LDAP and SAMR when the authenticated connection is not the same as the user password being changed.

  • Kpasswd (Kerberos) password changes are not affected, nor are machine account password changes over NETLOGON.
  • Windows clients and sssd's ad provider all use Kerberos for password changes so are not impacted.
  • pam_ldap only supports binding as the user changing their own password, so is likewise not impacted.
  • Samba's winbindd binds as the machine account and so password changes from pam_winbind are impacted.

Disable LDAP

The LDAP listener can be disabled by adding:

server services = -ldap

to the smb.conf file and restarting Samba.

Implications

As an alternative to a full shutdown, this may be acceptable for a short time or in a very few situations, but LDAP is an important component of an AD domain.

Not Workarounds

Some other techniques come to mind but are not actually effective workarounds.

An invalid password check script

In the smb.conf set

check password script = /bin/false

This will prevent user password changes. No database change is required so this is very easy to reverse.

Implications

This only applies to user accounts, including Administrator.

However, other accounts (DC accounts in particular) are also sensitive: they can also modify the domain or read passwords.

Setting a minimum password length

If changing multiple entries in the DB is unacceptable, the most effective, easy to enable and disable, short-term partial mitigation is setting a minimum password length:

Show the existing settings:

bin/samba-tool domain passwordsettings show
Password informations for domain 'DC=addom,DC=samba,DC=example,DC=com'
Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30

Create a pwsettings.ldif file with:

dn: dc=addom,dc=samba,dc=example,dc=com
changetype: modify
replace: minPwdLength
minPwdLength: 2147483639
-

Run this to set the 2GB minimum password length. This is protective because parts of Samba refuse to allocate more than 256MB at a time, so no password can ever satisfy the check:

# ldbmodify -H /usr/local/samba/private/sam.ldb pwsettings.ldif
Modified 1 records successfully

This only needs to be done on one DC; it will replicate and disable password changes or resets domain-wide.

This shows it has been set:

bin/samba-tool domain passwordsettings show
Password informations for domain 'DC=addom,DC=samba,DC=example,DC=com'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 2147483639
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30

This shows how to undo it:

bin/samba-tool domain passwordsettings set -s st/ad_dc/etc/smb.conf  --min-pwd-length=7

Implications

This only applies to user accounts, including Administrator.

However, other accounts (DC accounts in particular) are also sensitive: they can also modify the domain or read passwords, with slightly more complex tools.