It was found that the 'bad password observation window' was ineffective when set to a value greater than 3 minutes. This could allow for brute force password attacks in some situations.
Find out more about CVE-2018-16857 from the MITRE CVE dictionary dictionary and NIST NVD.
This flaw does not affect the version of samba shipped with Red Hat Enterprise Linux because there is no support for samba as Active Directory Domain Controller.
NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.
| CVSS3 Base Score | 7.4 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity Impact | High |
| Availability Impact | None |
| Platform | Package | State |
|---|---|---|
| Red Hat Virtualization 4 | samba | Not affected |
| Red Hat Gluster Storage 3 | samba | Not affected |
| Red Hat Enterprise Linux 7 | samba | Not affected |
| Red Hat Enterprise Linux 6 | samba4 | Not affected |
| Red Hat Enterprise Linux 6 | samba | Not affected |
| Red Hat Enterprise Linux 5 | samba | Not affected |
| Red Hat Enterprise Linux 5 | samba3x | Not affected |
Bad password lockout is not configured by default, it is only
effective if a threshold has been set with (eg):
samba-tool domain passwordsettings set --account-lockout-threshold=3
To mitigate the issue set a shorter 'Reset account lockout after'
window (the ineffective default is 30, anything less than 15 will
work):
samba-tool domain passwordsettings set --reset-account-lockout-after=15
NOTE: If a fine-grained password policy (PSO) is set, this must also
be done on each PSO.
Vulmon