In October 2013, Catalyst was tasked with implementing 'bad password lockout' in Samba's Active Directory domain controller, aiming to align with Microsoft's standards. The API in focus, SamrUnicodeChangePasswordUser2, required meticulous testing and code implementation to match Windows semantics.
Uncovering Security Implications
Initial tests revealed critical gaps: Samba's AD DC lacked bad password lockout, and the older Samba DC code for NT4 handled the feature inadequately. Unlike logon scenarios where bad password counts incremented and locked out users, password changes lacked this critical security check, exposing a serious flaw.
Collaboration with Microsoft: Reporting and Fixing
To ensure compliance with Windows behaviour, tests were conducted, uncovering an alarming vulnerability during password changes. This flaw allowed attackers to exploit error code patterns, revealing 'right password, but locked out' situations. The issue was promptly reported to Microsoft, adding complexity to the coordination between organisations.
Resolution and Collaboration Process
Months passed as Microsoft worked on a fix and conducted variant analysis. In March 2014, Microsoft's release (MS-14-016) acknowledged Andrew Bartlett of Catalyst and the Samba Team for discovering the issue. Simultaneously, Samba addressed CVE-2013-4496 in version 4.1.6, ensuring proper support on their AD DC.
Ethical Responsibility and Continued Collaboration
While challenging, the collaboration exemplified the importance of cross-organisational cooperation in security matters. Catalyst and Samba demonstrated a moral obligation, given their expertise, to safeguard Microsoft's customers. Such partnerships remain crucial in proactively identifying and addressing security vulnerabilities within complex systems.