=====================================================================
== Subject:     Samba AD DC check password script does not receive
==              the full password.
==
== CVE ID#:     CVE-2019-14833
==
== Versions:    Samba 4.5.0 and later
==
== Summary:     When the password contains multi-byte (non-ASCII)
==              characters, the check password script does not
==              receive the full password string.
=====================================================================

===========
Description
===========

Since Samba version 4.5.0 a Samba AD DC can use a custom command to
verify password complexity. The command is specified with the
"check password script" smb.conf parameter and is called whenever Samba
handles a user password change or sets a new user password. The script
receives the new cleartext password string so that it can run custom
complexity checks, such as dictionary checks, to reject weak user
passwords.

When the password contains multi-byte (non-ASCII) characters, the check
password script does not receive the full password string.

==================
Patch Availability
==================

Patches addressing this issue have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.11.X, 4.10.X and 4.9.X have been issued as
security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon as
possible.

==================
CVSSv3 calculation
==================

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N (4.2)

==========
Workaround
==========

If the "check password script" parameter is not specified, Samba runs
its internal password quality checks. The internal check makes sure
that a password contains characters from three of five different
character categories.

=======
Credits
=======

Originally reported by Simon Fonteneau in 2016 and identified as a
security issue by Björn Baumbach.

Patches provided by Björn Baumbach of the Samba Team and SerNet and
Andrew Bartlett of the Samba Team and Catalyst.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
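As an added example, not part of this advisory or of Samba's own code, here is a minimal "check password script" that applies the three-of-five category rule described under Workaround while measuring the password in decoded characters rather than bytes, so that a multi-byte password is counted correctly and input that ends mid-sequence (the truncation symptom this advisory describes) is reported as incomplete instead of being evaluated as a shorter password. It assumes Samba writes the UTF-8 password to the script's standard input and treats a non-zero exit status as "password rejected"; the category buckets and minimum length are constructed policy values.

```python
#!/usr/bin/env python3
# Added example, not Samba's own code: a "check password script" that reads
# the cleartext password from stdin as raw bytes, decodes it as UTF-8 and
# applies a three-of-five character category rule on decoded characters.
# Assumption: Samba writes the UTF-8 password to the script's stdin and
# treats a non-zero exit status as "password rejected".
import sys

MIN_LENGTH = 8        # constructed policy value, counted in characters, not bytes
MIN_CATEGORIES = 3    # the advisory's "three of five" rule

def categories(password: str) -> set:
    """Classify every character into one of five buckets (assumed to mirror
    the usual AD complexity buckets): upper, lower, digit, special
    (non-alphanumeric) and other (alphanumeric without case, e.g. CJK)."""
    found = set()
    for ch in password:
        if ch.isupper():
            found.add("upper")
        elif ch.islower():
            found.add("lower")
        elif ch.isdigit():
            found.add("digit")
        elif not ch.isalnum():
            found.add("special")
        else:
            found.add("other")
    return found

def check_password(raw: bytes) -> tuple:
    """Return (accepted, reason) for the bytes the script received on stdin.
    A UnicodeDecodeError means the input ended mid-sequence, i.e. the full
    password did not arrive; that is reported rather than checked as-is."""
    try:
        password = raw.decode("utf-8")
    except UnicodeDecodeError:
        return (False, "incomplete or invalid UTF-8 input")
    if len(password) < MIN_LENGTH:
        return (False, f"shorter than {MIN_LENGTH} characters")
    if len(categories(password)) < MIN_CATEGORIES:
        return (False, f"fewer than {MIN_CATEGORIES} character categories")
    return (True, "ok")

if __name__ == "__main__":
    accepted, reason = check_password(sys.stdin.buffer.read())
    print(reason, file=sys.stderr)
    sys.exit(0 if accepted else 1)
```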