CVE-2018-16857

Name of the Vulnerable Software and Affected Versions: Samba versions 4.9.0 through 4.9.3

Description: The issue is related to the configuration of AD DC in Samba, where the mechanism for watching bad passwords to restrict brute forcing may not function as intended if the window for monitoring is set to more than 3 minutes. This primarily poses a risk to domains that have been upgraded from Samba 4.8 and earlier, as the password policies may not have been re-tested after the upgrade. The vulnerability is associated with an incorrect implementation of security checks for standard system elements, which could allow a remote attacker to compromise the integrity of information.

Recommendations: For Samba versions 4.9.0 through 4.9.3, consider re-configuring the password watching mechanism to ensure it functions correctly, especially in domains upgraded from Samba 4.8 and earlier. As a temporary workaround, manual testing of password policies should be re-done after the upgrade to confirm they apply as expected. Additionally, restrict access to the AD DC configuration to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.