CAN-2004-0082: mksmbpasswd shell script may create accounts with easily guessable passwords, Samba 3.0.0 - 3.0.1
Subject: mksmbpasswd shell script may create accounts with easily guessable passwords
CVE #: CAN-2004-0082
Affected Versions: Samba 3.0.0 - 3.0.1

Description
-----------
It has been confirmed that previous versions of Samba 3.0 are
susceptible to a password initialization bug that could grant an
attacker unauthorized access to a user account created by the
mksmbpasswd.sh shell script.

Samba administrators not wishing to upgrade to the current
version should download the 3.0.2 release, build the pdbedit
tool, and run

    root# pdbedit-3.0.2 --force-initialized-passwords

This will disable all accounts not possessing a valid password
(e.g. the password field has been set to a string of X's).

Samba servers running 3.0.2 are not vulnerable to this bug
regardless of whether or not pdbedit has been used to sanitize
the passdb backend.
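
The following audit helper is an added example, not part of the Samba Team's advisory or tooling. It lists entries in a text smbpasswd-format file whose password fields are a string of X's while the account is not flagged disabled, so an administrator can see which accounts need review. It assumes the field layout documented in smbpasswd(5); the function names and the sample entries are constructed for illustration.

```sh
#!/bin/sh
# Added example: report smbpasswd entries with placeholder (all-X) hashes
# on accounts that are not marked disabled.
# Assumed layout per smbpasswd(5):
#   name:uid:LM hash:NT hash:[account flags]:LCT-time:

audit_smbpasswd() {
    # Reads the file named in $1, or standard input when no file is given.
    awk -F: '
        /^#/ || NF < 5 { next }          # skip comments and malformed lines
        {
            lm = $3; nt = $4; flags = $5
            placeholder = (lm ~ /^X+$/ && nt ~ /^X+$/)   # no real hash stored
            disabled    = (flags ~ /D/)                  # D = account disabled
            if (placeholder && !disabled) print $1
        }
    ' "$@"
}

sample_smbpasswd() {
    # Constructed sample entries, not real accounts or real hashes.
    cat <<'EOF'
# constructed sample
alice:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-00000000:
bob:1002:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-40000000:
carol:1003:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[UD         ]:LCT-00000000:
EOF
}

# With a path argument, audit that file; otherwise run on the sample.
if [ "$#" -gt 0 ]; then
    audit_smbpasswd "$1"
else
    sample_smbpasswd | audit_smbpasswd
fi
```

Run it against a copy of the smbpasswd file; it covers only the text smbpasswd backend, not other passdb backends.
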
Credits
--------
This defect was located by Samba developers during a routine
code audit.
--
Our Code, Our Bugs, Our Responsibility.
-- The Samba Team