CVE-2018-16857

HIGH

Samba <4.9.3 - Info Disclosure

Title source: llm

Description

Samba from version 4.9.0 and before version 4.9.3 that have AD DC configurations watching for bad passwords (to restrict brute forcing of passwords) in a window of more than 3 minutes may not watch for bad passwords at all. The primary risk from this issue is with regards to domains that have been upgraded from Samba 4.8 and earlier. In these cases the manual testing done to confirm an organisation's password policies apply as expected may not have been re-done after the upgrade.

References (5)

[Third Party Advisory] https://security.netapp.com/advisory/ntap-20181127-0001/

[Issue Tracking, Mitigation, Third Party Advisory] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16857

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/106024

[Mitigation, Patch, Vendor Advisory] https://www.samba.org/samba/security/CVE-2018-16857.html

[Third Party Advisory] https://security.gentoo.org/glsa/202003-52

Scores

CVSS v3 7.4

EPSS 0.0224

EPSS Percentile 84.6%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Details

CWE

CWE-358

Status published

Products (1)

samba/samba 4.9.0 - 4.9.3

Published Nov 28, 2018

Tracked Since Feb 18, 2026