CVE-2018-16857 — Improperly Implemented Security Check for Standard in Samba

CWE-358 — Improperly Implemented Security Check for Standard8 documents6 sources

Severity

5.9MEDIUMNVD

EPSS

2.2%

top 15.42%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Samba Debian Samba

Timeline

PublishedNov 28

Latest updateMay 13

Description

Samba from version 4.9.0 and before version 4.9.3 that have AD DC configurations watching for bad passwords (to restrict brute forcing of passwords) in a window of more than 3 minutes may not watch for bad passwords at all. The primary risk from this issue is with regards to domains that have been upgraded from Samba 4.8 and earlier. In these cases the manual testing done to confirm an organisation's password policies apply as expected may not have been re-done after the upgrade.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages3 packages

▶NVDsamba/samba4.9.0 — 4.9.3

▶debiandebian/samba< samba 2:4.9.2+dfsg-2 (bookworm)

▶Debiansamba/samba< 2:4.9.2+dfsg-2+3

Patches

Patch: www.samba.org ↗Patch: www.samba.org ↗

🔴Vulnerability Details

GHSA

GHSA-qhgj-r7g7-whqw: Samba from version 4↗2022-05-13

▶

OSV

CVE-2018-16857: Samba from version 4↗2018-11-28

▶

📋Vendor Advisories

Red Hat

samba: Bad password count in AD DC not always effective↗2018-11-20

▶

Debian

CVE-2018-16857: samba - Samba from version 4.9.0 and before version 4.9.3 that have AD DC configurations...↗2018

▶

💬Community

Bugzilla

CVE-2019-3811 sssd: fallback_homedir returns '/' for empty home directories in passwd file↗2018-12-05

▶

Bugzilla

CVE-2018-16857 samba: Bad password count in AD DC not always effective [fedora-all]↗2018-11-28

▶

Bugzilla

CVE-2018-16857 samba: Bad password count in AD DC not always effective↗2018-11-13

▶