
Samba: Authenticated users can change other users' password - f2n
https://www.samba.org/samba/security/CVE-2018-1057.html
======
loeg
Good news: Only affects the AD / LDAP component. Bad news: That component is
enabled by default. Good news: If you don't use Samba LDAP, an effective
mitigation is to just disable the ldap service (search the fine article for
"Disable LDAP").
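
As an added illustration (not code from the Samba project, the advisory, or this thread), the following Python script reads an smb.conf and reports whether the LDAP service would still run, i.e. whether the mitigation loeg describes is in place. It assumes the `server services` parameter syntax documented by Samba (a full list, or `+name`/`-name` adjustments to the defaults) and an assumed default service list taken from the Samba 4 documentation; the sample configurations are constructed for the example.

```python
"""Check whether a Samba smb.conf leaves the AD DC LDAP service enabled.

Added example, not code from the Samba project or the advisory. It parses
the [global] section of an smb.conf, applies the 'server services' setting
(a plain list replaces the defaults; +name/-name entries adjust them) and
reports whether 'ldap' would run on an AD domain controller.
"""
import re

# Assumed default for 'server services' on a Samba AD DC (from the Samba docs);
# only the presence of 'ldap' matters for this check.
DEFAULT_SERVER_SERVICES = [
    "s3fs", "rpc", "nbt", "wrepl", "ldap", "cldap", "kdc", "drepl",
    "winbindd", "ntp_signd", "kcc", "dnsupdate",
]


def parse_global(conf_text):
    """Return {key: value} for the [global] section of an smb.conf string."""
    params = {}
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):   # blank or comment line
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # smb.conf keys are case-insensitive; normalise internal whitespace
        params[re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return params


def effective_services(params, defaults=DEFAULT_SERVER_SERVICES):
    """Apply 'server services': a plain list replaces the defaults, while a
    list made only of +name/-name entries adds to / removes from them."""
    value = params.get("server services")
    if value is None:
        return list(defaults)
    tokens = [t for t in re.split(r"[,\s]+", value) if t]
    if all(t[0] in "+-" for t in tokens):
        services = list(defaults)
        for t in tokens:
            name = t[1:].lower()
            if t[0] == "-":
                services = [s for s in services if s != name]
            elif name not in services:
                services.append(name)
        return services
    return [t.lower() for t in tokens]


def ldap_enabled(conf_text):
    """True if this config describes an AD DC that would run the LDAP service."""
    params = parse_global(conf_text)
    role = params.get("server role", "").lower()
    # The LDAP service only exists on an AD DC; member and standalone servers
    # never run it. Short aliases for the role are an assumption.
    if not ("active directory" in role or role in ("ad dc", "ad-dc", "dc")):
        return False
    return "ldap" in effective_services(params)


# Constructed sample configurations for the example
VULNERABLE_CONF = """
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LOCAL
    server role = active directory domain controller
"""

MITIGATED_CONF = VULNERABLE_CONF + "    server services = -ldap\n"

MEMBER_CONF = """
[global]
    workgroup = EXAMPLE
    server role = member server
"""

if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE_CONF),
                       ("mitigated", MITIGATED_CONF),
                       ("member", MEMBER_CONF)):
        print(f"{name:10s} ldap service enabled: {ldap_enabled(conf)}")
```

The role check matters because the advisory only concerns the AD DC role: a member server reports `False` regardless of `server services`. Note that AD clients depend on LDAP for most domain operations, so removing the service is a stop-gap for a DC that is not yet patched rather than a setting to keep.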

------
cm2187
Does Synology use Samba for SMB drives?

~~~
lathiat
Only applies to a samba domain controller, so likely not relevant

------
NKCSS
This is pretty major and can go right in your exploiter's toolbag for
privilege escalation scenarios.

~~~
golergka
Isn't changing someone else's password the most un-stealthy kind of exploit?

~~~
amaccuish
Not if you change a DC password or the KRBTGT password. Then you have full
control of the domain.

------
sebazzz
This does not apply when the Samba server is a domain member instead of domain
controller, right?

~~~
amaccuish
Correct.

------
jessaustin
Haven't used samba much; this is enlightening. Previously I had assumed it
just used the same auth system (e.g. PAM) as the host. That would entail its
own complications but would probably have prevented this bug.

~~~
amaccuish
It would not be possible to have an AD server using PAM, AD protocols need the
NT hash.

Samba can only use PAM when plaintext passwords are used, which is not
supported at all with AD (Samba as standalone requires you to store passwords
in its own database). As an Active Directory server, passwords are stored in
the directory with access provided by multiple protocols. This was an issue in
the LDAP ACL verification.

~~~
totony
LDAP always has the userPassword attribute which is fully compatible with
Linux, you just have to change both at the same time (this is in fact what I
did for one of my clients).

