CVE-2018-1057
First published: Fri Mar 09 2018(Updated: )
As per samba upstream advisory: On a Samba 4 AD DC the LDAP server in all versions of Samba from 4.0.0 onwards incorrectly validates permissions to modify passwords over LDAP allowing authenticated users to change any other users passwords, including administrative users.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/samba | 2:4.13.13+dfsg-1~deb11u6 2:4.17.12+dfsg-0+deb12u1 2:4.21.0+dfsg-1 | |
| Ubuntu Linux | =14.04 | |
| Ubuntu Linux | =16.04 | |
| Ubuntu Linux | =17.10 | |
| Debian GNU/Linux | =8.0 | |
| Samba | >=4.0.0<4.5.16 | |
| Samba | >=4.6.0<4.6.14 | |
| Samba | >=4.7.0<4.7.6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.securityfocus.com/bid/103382
- http://www.securitytracker.com/id/1040494
- https://bugzilla.redhat.com/show_bug.cgi?id=1553553
- https://lists.debian.org/debian-lts-announce/2019/04/msg00013.html
- https://security.gentoo.org/glsa/201805-07
- https://security.netapp.com/advisory/ntap-20180313-0001/
- https://usn.ubuntu.com/3595-1/
- https://www.debian.org/security/2018/dsa-4135
- https://www.samba.org/samba/security/CVE-2018-1057.html
- https://www.synology.com/support/security/Synology_SA_18_08
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1553553#c3
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1554756
- https://www.samba.org/samba/ftp/patches/security/samba-4.4.16-CVE-2018-1057.patch
- https://www.samba.org/samba/ftp/patches/security/samba-4.3.13-CVE-2018-1057.patch
- https://launchpad.net/bugs/cve/CVE-2018-1057
- https://wiki.samba.org/index.php/CVE-2018-1057
- https://security-tracker.debian.org/tracker/CVE-2018-1057
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1057
- https://nvd.nist.gov/vuln/detail/CVE-2018-1057
- https://ubuntu.com/security/CVE-2018-1057
Frequently Asked Questions
What is the severity of CVE-2018-1057?
CVE-2018-1057 is considered a critical vulnerability due to its potential for unauthorized password changes by authenticated users.
How do I fix CVE-2018-1057?
To fix CVE-2018-1057, update Samba to a version that is not affected, specifically versions 4.13.14 or higher, 4.17.13 or higher, or 4.21.1 or higher.
What are the affected versions of Samba for CVE-2018-1057?
CVE-2018-1057 affects all versions of Samba from 4.0.0 to 4.11.x, including specific subversions of those series.
What systems are impacted by CVE-2018-1057?
CVE-2018-1057 impacts systems running Samba on various distributions including Debian and Ubuntu versions 14.04, 16.04, and 17.10.
Can authenticated users exploit CVE-2018-1057?
Yes, authenticated users can exploit CVE-2018-1057 to change passwords of any user, including administrative accounts.
- agent/type
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/weakness
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2018-1057
- agent/severity
- collector/launchpad-cve
- source/Launchpad
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/description
- agent/event
- agent/trending
- agent/source
- agent/author
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- package-manager/debian
- vendor/canonical
- canonical/ubuntu linux
- version/ubuntu linux/14.04
- version/ubuntu linux/16.04
- version/ubuntu linux/17.10
- vendor/debian
- canonical/debian gnu/linux
- version/debian gnu/linux/8.0
- vendor/samba
- canonical/samba
- version/samba/4.0.0
- version/samba/4.6.0
- version/samba/4.7.0