CVE-2018-1057
published 2018-03-13CVE-2018-1057: On a Samba 4 AD DC the LDAP server in all versions of Samba from 4.0.0 onwards incorrectly validates permissions to modify passwords over LDAP allowing…
PriorityP355high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
10.31%
95.1th percentile
On a Samba 4 AD DC the LDAP server in all versions of Samba from 4.0.0 onwards incorrectly validates permissions to modify passwords over LDAP allowing authenticated users to change any other users' passwords, including administrative users and privileged service accounts (eg Domain Controllers).
Affected
18 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | samba | < samba 2:4.7.4+dfsg-2 (bookworm) | samba 2:4.7.4+dfsg-2 (bookworm) |
| msrc | cbl2_samba_4.12.5-6_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| samba | samba | — | — |
| samba | samba | >= 0 < 2:4.7.4+dfsg-2 | 2:4.7.4+dfsg-2 |
| samba | samba | >= 0 < 2:4.7.4+dfsg-2 | 2:4.7.4+dfsg-2 |
| samba | samba | >= 0 < 2:4.7.4+dfsg-2 | 2:4.7.4+dfsg-2 |
| samba | samba | >= 0 < 2:4.7.4+dfsg-2 | 2:4.7.4+dfsg-2 |
| samba | samba | >= 0 < 2:4.3.11+dfsg-0ubuntu0.14.04.14 | 2:4.3.11+dfsg-0ubuntu0.14.04.14 |
| samba | samba | >= 0 < 2:4.3.11+dfsg-0ubuntu0.16.04.13 | 2:4.3.11+dfsg-0ubuntu0.16.04.13 |
| samba | samba | >= 4.0.0 < 4.5.16 | 4.5.16 |
| samba | samba | >= 4.6.0 < 4.6.14 | 4.6.14 |
| samba | samba | >= 4.7.0 < 4.7.6 | 4.7.6 |
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv2.06.5MEDIUMAV:N/AC:L/Au:S/C:P/I:P/A:P
osv8.8HIGH
vendor_debian8.8HIGH
vendor_msrc8.8HIGH
vendor_redhat8.8HIGH
vendor_ubuntu4.3MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
Samba vulnerabilities
vendor_ubuntu·2018-03-13·CVSS 4.3
CVE-2018-1050 [MEDIUM] Samba vulnerabilities
Title: Samba vulnerabilities
Summary: Several security issues were fixed in Samba.
Björn Baumbach discovered that Samba incorrectly validated permissions when
changing account passwords via LDAP. An authenticated attacker could use this
issue to change the password of other users, including administrators, and
perform actions as those users. (CVE-2018-1057)
It was discovered that Samba incorrectly validated inputs to the RPC spoolss
service. An authenticated attacker could use this issue to cause the service to
crash, resulting in a denial of service. (CVE-2018-1050)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
samba: Authenticated users can change other users password in an AD DC configuration
vendor_redhat·2018-03-13·CVSS 8.8
CVE-2018-1057 [HIGH] CWE-863 samba: Authenticated users can change other users password in an AD DC configuration
samba: Authenticated users can change other users password in an AD DC configuration
On a Samba 4 AD DC the LDAP server in all versions of Samba from 4.0.0 onwards incorrectly validates permissions to modify passwords over LDAP allowing authenticated users to change any other users' passwords, including administrative users and privileged service accounts (eg Domain Controllers).
A flaw was found in the way Samba AD DC validated user permissions. An authenticated attacker could use this flaw to change any other users passwords, including administrative users.
Statement: The versions of samba shipped with Red Hat Enterprise Linux 6 and 7 do not support Active Directory Domain Controller (AD-DC) mode. Therefore this flaw does not affect Red Hat Enterprise Linux 6 and 7.
Mitigation: Revok
Microsoft
On a Samba 4 AD DC the LDAP server in all versions of Samba from 4.0.0 onwards incorrectly validates permissions to modify passwords over LDAP allowing authenticated users to change any other users' p
vendor_msrc·2018-03-13·CVSS 8.8
CVE-2018-1057 [HIGH] CWE-863 On a Samba 4 AD DC the LDAP server in all versions of Samba from 4.0.0 onwards incorrectly validates permissions to modify passwords over LDAP allowing authenticated users to change any other users' p
On a Samba 4 AD DC the LDAP server in all versions of Samba from 4.0.0 onwards incorrectly validates permissions to modify passwords over LDAP allowing authenticated users to change any other users' passwords including administrative users and privileged service accounts (eg Domain Controllers).
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this bl
Debian
CVE-2018-1057: samba - On a Samba 4 AD DC the LDAP server in all versions of Samba from 4.0.0 onwards i...
vendor_debian·2018·CVSS 8.8
CVE-2018-1057 [HIGH] CVE-2018-1057: samba - On a Samba 4 AD DC the LDAP server in all versions of Samba from 4.0.0 onwards i...
On a Samba 4 AD DC the LDAP server in all versions of Samba from 4.0.0 onwards incorrectly validates permissions to modify passwords over LDAP allowing authenticated users to change any other users' passwords, including administrative users and privileged service accounts (eg Domain Controllers).
Scope: local
bookworm: resolved (fixed in 2:4.7.4+dfsg-2)
bullseye: resolved (fixed in 2:4.7.4+dfsg-2)
forky: resolved (fixed in 2:4.7.4+dfsg-2)
sid: resolved (fixed in 2:4.7.4+dfsg-2)
trixie: resolved (fixed in 2:4.7.4+dfsg-2)
GHSA
GHSA-6r4h-vw53-wmvv: On a Samba 4 AD DC the LDAP server in all versions of Samba from 4
ghsa_unreviewed·2022-05-13
CVE-2018-1057 [HIGH] CWE-863 GHSA-6r4h-vw53-wmvv: On a Samba 4 AD DC the LDAP server in all versions of Samba from 4
On a Samba 4 AD DC the LDAP server in all versions of Samba from 4.0.0 onwards incorrectly validates permissions to modify passwords over LDAP allowing authenticated users to change any other users' passwords, including administrative users and privileged service accounts (eg Domain Controllers).
OSV
samba vulnerabilities
osv·2018-03-13·CVSS 4.3
CVE-2018-1057 [MEDIUM] samba vulnerabilities
samba vulnerabilities
Björn Baumbach discovered that Samba incorrectly validated permissions when
changing account passwords via LDAP. An authenticated attacker could use this
issue to change the password of other users, including administrators, and
perform actions as those users. (CVE-2018-1057)
It was discovered that Samba incorrectly validated inputs to the RPC spoolss
service. An authenticated attacker could use this issue to cause the service to
crash, resulting in a denial of service. (CVE-2018-1050)
OSV
CVE-2018-1057: On a Samba 4 AD DC the LDAP server in all versions of Samba from 4
osv·2018-03-13·CVSS 8.8
CVE-2018-1057 [HIGH] CVE-2018-1057: On a Samba 4 AD DC the LDAP server in all versions of Samba from 4
On a Samba 4 AD DC the LDAP server in all versions of Samba from 4.0.0 onwards incorrectly validates permissions to modify passwords over LDAP allowing authenticated users to change any other users' passwords, including administrative users and privileged service accounts (eg Domain Controllers).
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2018-1057 samba: Authenticated users can change other users password in an AD DC configuration [fedora-all]
bugzilla·2018-03-13·CVSS 8.8
CVE-2018-1057 [HIGH] CVE-2018-1057 samba: Authenticated users can change other users password in an AD DC configuration [fedora-all]
CVE-2018-1057 samba: Authenticated users can change other users password in an AD DC configuration [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue a
Bugzilla
CVE-2018-1057 samba: Authenticated users can change other users password in an AD DC configuration
bugzilla·2018-03-09·CVSS 8.8
CVE-2018-1057 [HIGH] CVE-2018-1057 samba: Authenticated users can change other users password in an AD DC configuration
CVE-2018-1057 samba: Authenticated users can change other users password in an AD DC configuration
As per samba upstream advisory:
On a Samba 4 AD DC the LDAP server in all versions of Samba from 4.0.0 onwards incorrectly validates permissions to modify passwords over LDAP allowing authenticated users to change any other users passwords, including administrative users.
Discussion:
Upstream describes the following workaround:
Rewoke the change passwords right for everyone from all user objects (including
computers) in the directory. Note that this will prevent users from being able
to change their own expired passwords, so the maximum password age should be set
to a value that prevents user passwords from expiring while the workaround is in
place.
The change password right in AD is an
Bugzilla
CVE-2018-5785 openjpeg: integer overflow in opj_j2k_setup_encoder function in openjp2/j2k.c
bugzilla·2018-01-23·CVSS 6.5
CVE-2018-5785 [MEDIUM] CVE-2018-5785 openjpeg: integer overflow in opj_j2k_setup_encoder function in openjp2/j2k.c
CVE-2018-5785 openjpeg: integer overflow in opj_j2k_setup_encoder function in openjp2/j2k.c
A flaw was found in OpenJPEG 2.3.0, there is an integer overflow caused by an out-of-bounds left shift in the opj_j2k_setup_encoder function (openjp2/j2k.c). Remote attackers could leverage this vulnerability to cause a denial of service via a crafted bmp file.
Reference:
https://github.com/uclouvain/openjpeg/issues/1057
Discussion:
Created mingw-openjpeg2 tracking bugs for this issue:
Affects: fedora-all [bug 1537761]
Created openjpeg tracking bugs for this issue:
Affects: epel-all [bug 1537762]
Affects: fedora-all [bug 1537759]
Created openjpeg2 tracking bugs for this issue:
Affects: fedora-all [bug 1537760]
---
Analysis:
Running openjpeg compiled with UBSAN, i observe the following:
Tenable
April Vulnerability of the Month: Password Free-for-All Via Samba Active Directory Domain Controller Vulnerability
blogs_tenable·2018-04-27
April Vulnerability of the Month: Password Free-for-All Via Samba Active Directory Domain Controller Vulnerability
## Cloud Exposure
Tenable Cloud Security (CNAPP) Request a demo
Tenable Cloud Vulnerability Management Request a demo
Tenable CIEM Request a demo
Secure your cloud
## Vulnerability Exposure
Tenable Vulnerability Management Try for free
Tenable Security Center Request a demo
Tenable Web App Scanning Try for free
Tenable Patch Management Request a demo
Tenable Enclave Security Request a demo
Tenable Attack Surface Management Request a demo
Tenable Nessus Try for free
## AI Exposure
Tenable AI Exposure Request a demo
## OT/IoT Exposure
Tenable OT Security Request a demo
## Identity Exposure
Tenable Identity Exposure Request a demo
## Business needs
Active Directory
AI Security Posture Management (AI-SPM)
AWS security
Azure security
Cloud Security Posture Man
Tenable
April Vulnerability of the Month: Password Free-for-All Via Samba Active Directory Domain Controller Vulnerability
blogs_tenable·2018-04-27·CVSS 8.8
[HIGH] April Vulnerability of the Month: Password Free-for-All Via Samba Active Directory Domain Controller Vulnerability
Blog / Research
Subscribe
# April Vulnerability of the Month: Password Free-for-All Via Samba Active Directory Domain Controller Vulnerability
Tenable Research
April 27, 2018
3 Min Read
Every month, we ask our researchers to nominate a vulnerability of the month. Novelty, sophistication or just plain weirdness are some of the potential criteria for selecting a vulnerability of the month. After the nominations are collected, the candidates are shortlisted and voted on by our 70-plus-member research organization, combining the total experience and knowledge of Tenable Research to identify the vulnerability of the month.
### Background
In mid-March, Samba released an advisory on two critical vulnerabilities. One of these, CVE-2018-1057, allows unprivileged users to change any user pass
http://www.securityfocus.com/bid/103382http://www.securitytracker.com/id/1040494https://bugzilla.redhat.com/show_bug.cgi?id=1553553https://lists.debian.org/debian-lts-announce/2019/04/msg00013.htmlhttps://security.gentoo.org/glsa/201805-07https://security.netapp.com/advisory/ntap-20180313-0001/https://usn.ubuntu.com/3595-1/https://www.debian.org/security/2018/dsa-4135https://www.samba.org/samba/security/CVE-2018-1057.htmlhttps://www.synology.com/support/security/Synology_SA_18_08http://www.securityfocus.com/bid/103382http://www.securitytracker.com/id/1040494https://bugzilla.redhat.com/show_bug.cgi?id=1553553https://lists.debian.org/debian-lts-announce/2019/04/msg00013.htmlhttps://security.gentoo.org/glsa/201805-07https://security.netapp.com/advisory/ntap-20180313-0001/https://usn.ubuntu.com/3595-1/https://www.debian.org/security/2018/dsa-4135https://www.samba.org/samba/security/CVE-2018-1057.htmlhttps://www.synology.com/support/security/Synology_SA_18_08
2018-03-13
Published