Vulnerability Notification: Samba LDAP AD DC Privilege Escalation

[Overview]

LDAP is an Internet standard protocol designed for directory services. Active Directory is the directory service used by Microsoft systems on Windows domain networks, which contain domain controllers that run various services. The new version of Samba includes an LDAP server and can run as an Active Directory domain controller. Samba recently fixed a privilege escalation vulnerability in this component.

[Vulnerability Details]

CVE-2018-1057: A privilege escalation vulnerability exists when Samba is configured as an Active Directory domain controller. Any authenticated user can use LDAP to change the passwords of arbitrary user and computer accounts, such as admin users and privileged service accounts, without supplying the old password.

Vulnerability Source: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1057

[Severity]

Critical

[Affected Version]

  • Samba Team Samba 4.0.0 through 4.4.x
  • Samba Team Samba 4.5.x prior to 4.5.16
  • Samba Team Samba 4.6.x prior to 4.6.14
  • Samba Team Samba 4.7.x prior to 4.7.6
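
The version ranges above can be checked on a host with a short script. This is an added example, not part of the original advisory or Samba's own tooling; the function name and the sample version strings are constructed for illustration.

```shell
#!/bin/sh
# Classify a Samba version string against the ranges listed in this advisory.
# Prints one of: affected, fixed, not-listed, unparsed.
samba_cve_2018_1057_status() {
    # Take the first dotted triple, ignoring prefixes such as "Version "
    # and vendor suffixes such as "-Ubuntu" or "+dfsg".
    ver=$(printf '%s\n' "$1" | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1)
    [ -n "$ver" ] || { echo "unparsed"; return 0; }

    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}

    # The advisory only lists 4.0.0 through 4.7.x.
    [ "$major" -eq 4 ] || { echo "not-listed"; return 0; }

    case "$minor" in
        0|1|2|3|4) echo "affected"; return 0 ;;  # 4.0.0 through 4.4.x
        5) fixed_patch=16 ;;                     # 4.5.x prior to 4.5.16
        6) fixed_patch=14 ;;                     # 4.6.x prior to 4.6.14
        7) fixed_patch=6 ;;                      # 4.7.x prior to 4.7.6
        *) echo "not-listed"; return 0 ;;
    esac

    if [ "$patch" -lt "$fixed_patch" ]; then
        echo "affected"
    else
        echo "fixed"
    fi
}

# Constructed sample inputs so the script runs without Samba installed.
for sample in "Version 4.7.4-Ubuntu" "Version 4.6.14" "4.3.11+dfsg" "3.6.25"; do
    printf '%-24s %s\n' "$sample" "$(samba_cve_2018_1057_status "$sample")"
done

# On a real host, check the installed daemon if it is present.
if command -v smbd >/dev/null 2>&1; then
    printf '%-24s %s\n' "installed smbd" \
        "$(samba_cve_2018_1057_status "$(smbd --version)")"
fi
```

Distribution packages often backport security fixes without changing the upstream version number, so an "affected" result on a vendor build should be confirmed against the vendor's own advisory. The result only matters on hosts where Samba runs as an Active Directory domain controller.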

[Suggestions]

Only allow trusted users to bind to servers.

Upgrade to the latest fixed Samba release: 4.5.16, 4.6.14, or 4.7.6.

Official statement: https://wiki.samba.org/index.php/CVE-2018-1057

Fix version: https://www.samba.org/samba/history/security.html

[Hillstone Networks Solution]

Hillstone Networks has added signatures to the IPS signature database version 2.1.233. Any Hillstone Networks solution deployed with the IPS function can quickly detect and effectively intercept attempts to exploit the Samba LDAP AD DC Privilege Escalation vulnerability, protecting servers from attack.

Threat Events Detected by Hillstone Solutions

Vulnerability Detail Description