CVE-2018-16857
HIGHSamba 4.9.0-4.9.3 - Improperly Implemented Security Check for Standard
Title source: llmDescription
Samba from version 4.9.0 and before version 4.9.3 that have AD DC configurations watching for bad passwords (to restrict brute forcing of passwords) in a window of more than 3 minutes may not watch for bad passwords at all. The primary risk from this issue is with regards to domains that have been upgraded from Samba 4.8 and earlier. In these cases the manual testing done to confirm an organisation's password policies apply as expected may not have been re-done after the upgrade.
References (5)
Core 5
Core References
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20181127-0001/
Issue Tracking, Mitigation, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16857
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/106024
Mitigation, Patch, Vendor Advisory x_refsource_confirm
https://www.samba.org/samba/security/CVE-2018-16857.html
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/202003-52
Scores
CVSS v3
7.4
EPSS
0.0230
EPSS Percentile
81.0%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Details
CWE
CWE-358
Status
published
Products (1)
samba/samba
4.9.0 - 4.9.3
Published
Nov 28, 2018
Tracked Since
Feb 18, 2026