CVE-2018-1057
high-risk
Published 2018-03-13
On a Samba 4 AD DC the LDAP server in all versions of Samba from 4.0.0 onwards incorrectly validates permissions to modify passwords over LDAP allowing authenticated users to change any other users' passwords, including administrative users and privileged service accounts (eg Domain Controllers).
Do I need to act?
~
7.7% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.8/10
High
NETWORK
/ LOW complexity
Affected Products (5)
References (20)
Third Party Advisory
http://www.securityfocus.com/bid/103382
Third Party Advisory
http://www.securitytracker.com/id/1040494
Issue Tracking
https://bugzilla.redhat.com/show_bug.cgi?id=1553553
Third Party Advisory
https://security.gentoo.org/glsa/201805-07
Third Party Advisory
https://security.netapp.com/advisory/ntap-20180313-0001/
Third Party Advisory
https://usn.ubuntu.com/3595-1/
Third Party Advisory
https://www.debian.org/security/2018/dsa-4135
Third Party Advisory
https://www.synology.com/support/security/Synology_SA_18_08
Third Party Advisory
http://www.securityfocus.com/bid/103382
Third Party Advisory
http://www.securitytracker.com/id/1040494
Issue Tracking
https://bugzilla.redhat.com/show_bug.cgi?id=1553553
Third Party Advisory
https://security.gentoo.org/glsa/201805-07
Third Party Advisory
https://security.netapp.com/advisory/ntap-20180313-0001/
Third Party Advisory
https://usn.ubuntu.com/3595-1/
Third Party Advisory
https://www.debian.org/security/2018/dsa-4135
Third Party Advisory
https://www.synology.com/support/security/Synology_SA_18_08
52
/ 100
high-risk
Severity
30/34 · Critical
Exploitability
10/34 · Low
Exposure
12/34 · Low