== Subject:     CVE-2013-4496: Password lockout not enforced for SAMR password changes
== CVE ID#:     CVE-2013-4496
== Versions:    All versions of Samba later than 3.4.0
== Summary:     Samba's SAMR server neglects to ensure that failed
==              password change attempts update the bad password
==              count or set the lockout flags.
==              This would allow a user unlimited attempts against the
==              password by simply calling ChangePasswordUser2
==              repeatedly.
==              This is available without any other authentication.


Samba versions 3.4.0 and above allow the administrator to implement
locking out Samba accounts after a number of bad password attempts.

However, no released version of Samba applied this check to password
changes, such as those available over the SAMR and RAP interfaces, so
the password change calls could be used for password guessing attacks.
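The following is an added illustration of the class of bug described above, not Samba's SAMR server code. It models a bad password counter that the logon path consults, shows a password change path that bypasses it (the situation before the fix) beside one that shares the same check (the situation after), and simulates guessing through the change call. The Account and Policy classes, the function names and the thresholds are all invented for the example; the policy knobs are named after Samba's account policy settings only for readability.

```python
"""Model of a bad-password counter shared by the logon and password-change
paths.  This is an added illustration for this advisory, not Samba's SAMR
server code: Account, Policy, logon(), change_password_*() and the
thresholds are all invented for the example."""

from dataclasses import dataclass
import time


@dataclass
class Policy:
    bad_lockout_attempt: int = 5      # lock after this many failures
    reset_count_minutes: int = 30     # forget failures older than this


@dataclass
class Account:
    name: str
    password: str
    bad_password_count: int = 0
    last_bad_time: float = 0.0
    locked_out: bool = False


class LockedOut(Exception):
    """Raised when a locked account is used on any authenticating path."""


def _record_failure(acct, policy, now):
    # Failures outside the reset window do not accumulate.
    if now - acct.last_bad_time > policy.reset_count_minutes * 60:
        acct.bad_password_count = 0
    acct.bad_password_count += 1
    acct.last_bad_time = now
    if acct.bad_password_count >= policy.bad_lockout_attempt:
        acct.locked_out = True


def _verify(acct, policy, attempt, now):
    """The one place a password is compared; every path must go through it."""
    if acct.locked_out:
        raise LockedOut(acct.name)
    if attempt != acct.password:
        _record_failure(acct, policy, now)
        return False
    acct.bad_password_count = 0
    return True


def logon(acct, policy, attempt, now=None):
    return _verify(acct, policy, attempt, time.time() if now is None else now)


def change_password_vulnerable(acct, policy, old, new, now=None):
    """Before the fix: the old password is checked, but a wrong guess neither
    bumps the counter nor honours an existing lockout."""
    if old != acct.password:
        return False
    acct.password = new
    return True


def change_password_fixed(acct, policy, old, new, now=None):
    """After the fix: the change path shares the logon path's check."""
    if not _verify(acct, policy, old, time.time() if now is None else now):
        return False
    acct.password = new
    return True


def guess_via_change(change_fn, acct, policy, wordlist, new="newpass"):
    """Simulate guessing the old password through the change call.
    Returns (attempts made, outcome), outcome in {found, locked, exhausted}.
    Each attempt is one simulated second after the previous one."""
    for i, guess in enumerate(wordlist, 1):
        try:
            if change_fn(acct, policy, guess, new, now=float(i)):
                return i, "found"
        except LockedOut:
            return i, "locked"
    return len(wordlist), "exhausted"
```

With a ten-word list and the default policy, the vulnerable change path lets all ten guesses through and leaves the counter at zero, while the fixed path locks the account after the fifth failure and rejects the sixth call outright. The audit point this models is that a lockout policy is only as strong as the least-checked path that compares a password.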

As this was found during an internal audit of the Samba code there are
no currently known exploits for this problem (as of March 11th 2014).


Most sites do not configure the bad password lockout feature.  Typically
it is only enabled when Samba is configured as a Domain Controller, so
most file server deployments are not impacted.

Additionally, for this feature to be effective Samba must be the sole
source of authentication on the network.  (Otherwise synchronised
services such as an LDAP backend or the UNIX /etc/shadow file could be
the weak point instead).

This patch does not implement bad password lockout for the Active
Directory Domain Controller.  The bad password lockout feature is not
implemented at all in that configuration.  The Samba Team plans to
address this deficiency as a feature in a future release of the AD DC.

The patch to remove the samr_ChangePasswordUser call is not strictly
required, as this call is only available to administrators already able
to reset passwords.  We include it to avoid a future well-meaning patch
that might restore it as a valid password-change mechanism.  If used, it
would also bypass restrictions on password complexity, history and any
restriction defined via the 'unix passwd sync', 'pam password change'
and 'ldap password sync' smb.conf options.

Patch Availability

Patches addressing all these issues have been posted to:

Samba versions 3.6.23, 4.0.16, and 4.1.6 have been released to
address this issue. Patches for 3.4.17 and 3.5.22 have not been
provided as these are now beyond our security support window.
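To decide from a version string whether an installation is covered by one of the releases above, the following added example (not a Samba or distribution tool) parses the output of commands such as `smbd -V` and classifies it against the table in this advisory. The tables are transcribed from the advisory text; the function names are invented.

```python
"""Classify a Samba version string against the releases named in this
advisory.  Added example, not a Samba or distribution tool; the tables
below are transcribed from the advisory text, the function names are
invented."""

import re

FIRST_AFFECTED = (3, 4, 0)                       # lockout feature arrived in 3.4.0
FIXED = {(3, 6): (3, 6, 23), (4, 0): (4, 0, 16), (4, 1): (4, 1, 6)}
UNSUPPORTED = {(3, 4), (3, 5)}                   # affected, no patches provided

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Pull x.y.z out of strings such as 'Version 4.1.6-Debian' or '4.0.16rc1'."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError("no x.y.z version number in %r" % text)
    return tuple(int(p) for p in m.groups())


def classify(text):
    v = parse_version(text)
    branch = v[:2]
    if v < FIRST_AFFECTED:
        return "not-affected"            # predates the lockout feature
    if branch in UNSUPPORTED:
        return "vulnerable-unsupported"  # affected, no upstream fix released
    if branch in FIXED:
        return "fixed" if v >= FIXED[branch] else "vulnerable"
    if branch > max(FIXED):
        return "later-than-advisory"     # newer branch, not in the advisory's table
    return "unknown"
```

The version string alone is not conclusive on distribution builds: vendors commonly backport security fixes without changing the upstream version number, so a result of "vulnerable" on a packaged build should be confirmed against the package changelog before being acted on.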




This problem was found by an internal audit of the Samba code by
Andrew Bartlett of Catalyst IT.  Special thanks also go to Univention GmbH.

Patches provided by Andrew Bartlett, Stefan Metzmacher of SerNet and Jeremy Allison of the Samba

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team