Synology-SA-18:08 Samba

Publish Time: 2018-03-14 16:54:07 UTC+8

Last Updated: 2018-03-27 16:03:27 UTC+8



CVE-2018-1057 allows remote authenticated users to change other users' passwords via a susceptible version of Synology DiskStation Manager (DSM) with Active Directory Server installed.

Synology rates the overall severity as Important according to CVSS v3.0 metrics. However, the vulnerable functionality is disabled by default and there is no user interface to activate this option. Synology decides to postpone the fix until the upcoming update within the next 90 days.

Affected Products

Product Severity Fixed Release Availability
Active Directory Server Important Upgrade DSM 6.1 to 6.1.6-15266.


If you need immediate assistance, please contact


  • CVE-2018-1057
    • Severity: Important
    • CVSS3 Base Score: 7.5
    • CVSS3 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/RL:T
    • On a Samba 4 AD DC the LDAP server in all versions of Samba from 4.0.0 onwards incorrectly validates permissions to modify passwords over LDAP allowing authenticated users to change any other users' passwords, including administrative users and privileged service accounts (eg Domain Controllers).



Revision Date Description
1 2018-03-14 Initial public release.
2 2018-03-27 Update for Active Directory Server is now available in Affected Products.