The Samba-Bugzilla – Attachment 15502 Details for Bug 12438
Bug 12438: CVE-2019-14833 [SECURITY] Accent with "check password script"
Attachment: CVE-2019-14833 advisory
Filename: advisory-CVE-2019-14833.txt
MIME Type: text/plain
Creator: Björn Baumbach
Created: 2019-09-30 11:56:25 UTC
Size: 2.21 KB
=====================================================================
== Subject: Samba AD DC check password script does not receive
==          the full password.
==
== CVE ID#: CVE-2019-14833
==
== Versions: Samba 4.5.0 and later
==
== Summary: When the password contains multi-byte (non-ASCII)
==          characters, the check password script does not
==          receive the full password string.
=====================================================================

===========
Description
===========

Since Samba version 4.5.0, a Samba AD DC can use a custom command to
verify the password complexity. The command can be specified with
the "check password script" smb.conf parameter.
This command is called when Samba handles a user password change or
a new user password is set. The script receives the new cleartext
password string in order to run custom password complexity checks,
such as dictionary checks, to avoid weak user passwords.

When the password contains multi-byte (non-ASCII) characters, the
check password script does not receive the full password string.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.11.X, 4.10.X and 4.9.X have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N (4.2)

==========
Workaround
==========

If the check password script parameter is not specified, Samba runs
the internal password quality checks. The internal check makes sure
that a password contains characters from three of five different
character categories.

=======
Credits
=======

Originally reported by Simon Fonteneau in 2016 and indicated as a
security issue by Björn Baumbach.

Patches provided by Björn Baumbach of the Samba Team and SerNet and
Andrew Bartlett of the Samba Team and Catalyst.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
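The symptom the advisory describes, as an added illustration that is not Samba's code or the advisory's text: a stand-in "check password script" is fed a password over stdin, once in full and once truncated by a constructed caller that confuses character count with byte count (an assumed mechanism chosen to reproduce the symptom, not a claim about Samba's actual defect). It also shows why the receiving script cannot reliably detect the loss: truncation that lands mid-character fails strict UTF-8 decoding, but truncation on a character boundary yields a valid, shorter password.

```python
"""Reproduce the CVE-2019-14833 symptom class: a check-password script
receives fewer bytes than the password's UTF-8 encoding has.
Mechanism and script are constructed for illustration, not Samba code."""
import subprocess
import sys
from typing import Dict, Tuple

# Stand-in check script: read stdin as raw bytes, decode strictly,
# report "<bytes> <chars> <verdict>". Constructed for this example.
CHECK_SCRIPT = r"""
import sys
data = sys.stdin.buffer.read()
try:
    pw = data.decode("utf-8")
    print(f"{len(data)} {len(pw)} ok")
except UnicodeDecodeError:
    print(f"{len(data)} 0 truncated")
"""


def run_check_script(payload: bytes) -> Tuple[int, int, str]:
    """Hand `payload` to the stand-in script on stdin and parse its report."""
    out = subprocess.run([sys.executable, "-c", CHECK_SCRIPT],
                         input=payload, capture_output=True,
                         check=True).stdout
    nbytes, nchars, verdict = out.decode().split()
    return int(nbytes), int(nchars), verdict


def deliver_truncated(password: str) -> bytes:
    """Assumed defect: write as many bytes as the password has *characters*."""
    return password.encode("utf-8")[:len(password)]


def deliver_full(password: str) -> bytes:
    """Correct delivery: the complete UTF-8 encoding of the password."""
    return password.encode("utf-8")


def compare(password: str) -> Dict[str, Tuple[int, int, str]]:
    """What the script sees under the defective and the correct caller."""
    return {"truncated": run_check_script(deliver_truncated(password)),
            "full": run_check_script(deliver_full(password))}


if __name__ == "__main__":
    # Constructed sample passwords: pure ASCII, mid-character cut,
    # and a cut that lands on a character boundary (silently shorter).
    for pw in ["Plain-ASCII-1", "Passw0rd-é", "é-Pass"]:
        print(repr(pw), compare(pw))
```

Only the ASCII password is unaffected; the third sample decodes cleanly yet reaches the script one character short, which is why the fix has to be on the calling side.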
Flags: metze: review+; bbaumbach: review+