Vulnerability Details : CVE-2018-16857
Samba versions 4.9.0 up to, but not including, 4.9.3, when running as an AD DC configured to count bad password attempts (to restrict password brute forcing) over an observation window longer than 3 minutes, may not count bad passwords at all. Because the default lockout observation window is 30 minutes, an ordinary account lockout policy falls in the affected range. The primary risk is to domains upgraded from Samba 4.8 or earlier: the manual testing done to confirm that the organisation's password policy behaves as expected may not have been repeated after the upgrade, so a lockout policy that was verified on 4.8 can be silently ineffective on 4.9.0 through 4.9.2.
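As an added example (not from this page or from the Samba project), the following POSIX shell check takes the two things an administrator can read off a DC, the output of `smbd -V` and of `samba-tool domain passwordsettings show`, and reports whether the combination matches the affected configuration described above. The version range 4.9.0 to 4.9.2 and the 3-minute boundary come from the description; treating a lockout threshold of 0 as "not watching for bad passwords", the `parse_version`/`cve_2018_16857_affected` helper names and the sample command outputs are assumptions of the example.

```shell
#!/bin/sh
# Added example, not Samba project code. Decides whether an AD DC is in the
# configuration the advisory describes for CVE-2018-16857, from the output of
# two commands an administrator would run on the DC:
#   smbd -V                                  e.g. "Version 4.9.1-Ubuntu"
#   samba-tool domain passwordsettings show  lines such as
#       "Account lockout threshold (attempts): 5"
#       "Reset account lockout after (mins): 30"
# Assumptions: the affected range [4.9.0, 4.9.3) and the 3-minute boundary are
# taken from the advisory text; a lockout threshold of 0 is treated as
# "not watching for bad passwords". The sample outputs below are constructed.

# Print "major minor patch" for a string such as "Version 4.9.1-Ubuntu".
parse_version() {
    s=$1
    s=${s#"${s%%[0-9]*}"}      # drop everything before the first digit
    s=${s%%[!0-9.]*}           # drop a packaging suffix such as "-Ubuntu"
    IFS=. read -r major minor patch _ <<EOF
$s
EOF
    printf '%s %s %s\n' "${major:-0}" "${minor:-0}" "${patch:-0}"
}

# Return 0 when version A is >= version B; both given as "major minor patch".
version_ge() {
    set -- $1 $2               # $1..$3 = A, $4..$6 = B
    [ "$1" -gt "$4" ] && return 0
    [ "$1" -lt "$4" ] && return 1
    [ "$2" -gt "$5" ] && return 0
    [ "$2" -lt "$5" ] && return 1
    [ "$3" -ge "$6" ]
}

# Print the value of one "Label: value" line from passwordsettings output.
setting_value() {
    printf '%s\n' "$2" | sed -n "s/^$1: *//p" | head -n 1
}

# Exit 0 (affected) when the DC runs 4.9.0 <= version < 4.9.3, account lockout
# is enabled, and the observation window exceeds 3 minutes; exit 1 otherwise.
# One line of explanation is printed either way.
cve_2018_16857_affected() {
    ver=$(parse_version "$1")
    dotted=$(printf '%s' "$ver" | tr ' ' .)
    threshold=$(setting_value "Account lockout threshold (attempts)" "$2")
    window=$(setting_value "Reset account lockout after (mins)" "$2")
    if ! version_ge "$ver" "4 9 0" || version_ge "$ver" "4 9 3"; then
        echo "not affected: Samba $dotted is outside 4.9.0 to 4.9.2"
        return 1
    fi
    if [ "${threshold:-0}" -eq 0 ]; then
        echo "not affected: lockout threshold is 0, bad passwords are not counted"
        return 1
    fi
    if [ "${window:-0}" -le 3 ]; then
        echo "not affected: ${window}-minute window is within the 3-minute boundary"
        return 1
    fi
    echo "AFFECTED: Samba $dotted, threshold $threshold, ${window}-minute window;" \
         "upgrade to 4.9.3 or later and re-test that badPwdCount increments"
    return 0
}

# Constructed sample outputs (format follows the two commands, values invented).
SMBD_V_SAMPLE='Version 4.9.1-Ubuntu'
SETTINGS_SAMPLE=$(cat <<'EOF'
Password informations for domain 'DC=example,DC=com'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 5
Reset account lockout after (mins): 30
EOF
)

# On a real DC, replace the samples with:
#   cve_2018_16857_affected "$(smbd -V)" "$(samba-tool domain passwordsettings show)"
cve_2018_16857_affected "$SMBD_V_SAMPLE" "$SETTINGS_SAMPLE" || true
```

A "not affected" result from this check is a configuration statement only, not a substitute for the re-test the description calls for: on any upgraded 4.9.x DC, deliberately fail a few logons against a test account and confirm that the account's badPwdCount attribute actually increments before trusting the lockout policy.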
Products affected by CVE-2018-16857
- cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-16857
- EPSS score: 0.67% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~80% (the proportion of scored vulnerabilities with a score at or below this one)
CVSS scores for CVE-2018-16857
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source
---|---|---|---|---|---
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST
5.9 | MEDIUM | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N | 2.2 | 3.6 | NIST
7.4 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N | 2.2 | 5.2 | Red Hat, Inc.

The two CVSS 3.0 vectors differ only in confidentiality: NIST records the failed lockout check as an integrity impact alone, while Red Hat also rates confidentiality high, on the reasoning that a password brute-forced through the missing check exposes that account's data.
CWE ids for CVE-2018-16857
- The product does not implement, or incorrectly implements, one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique. Assigned by:
  - nvd@nist.gov (Primary)
  - secalert@redhat.com (Secondary)
References for CVE-2018-16857
- Red Hat Bugzilla 1649278, "CVE-2018-16857 samba: Bad password count in AD DC not always effective": https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16857 (Issue Tracking; Mitigation; Third Party Advisory)
- Gentoo Security, "Samba: Multiple vulnerabilities (GLSA 202003-52)": https://security.gentoo.org/glsa/202003-52
- Samba Security Announcement Archive, CVE-2018-16857: https://www.samba.org/samba/security/CVE-2018-16857.html (Vendor Advisory; Patch; Mitigation)
- NetApp Product Security, "November 2018 Samba Vulnerabilities in NetApp StorageGRID Products": https://security.netapp.com/advisory/ntap-20181127-0001/ (Third Party Advisory)
- SecurityFocus BID 106024, "Samba Security Bypass and Denial of Service Vulnerabilities": http://www.securityfocus.com/bid/106024 (Third Party Advisory; VDB Entry)