ASA-2019-00621 – Samba: AD DC check password script does not receive the full password


Allele Security Alert

ASA-2019-00621

Identifier(s)

ASA-2019-00621, CVE-2019-14833

Title

AD DC check password script does not receive the full password

Vendor(s)

The Samba Project

Product(s)

Samba

Affected version(s)

Samba versions before 4.11.2
Samba versions before 4.10.10
Samba versions before 4.9.15

Fixed version(s)

Samba version 4.11.2
Samba version 4.10.10
Samba version 4.9.15

Proof of concept

Unknown

Description

Since Samba version 4.5.0, a Samba AD DC can use a custom command to verify password complexity. The command is specified with the “check password script” smb.conf parameter and is called whenever Samba handles a user password change or sets a new user password. The script receives the new cleartext password string so that it can run custom complexity checks, such as dictionary checks, to prevent weak user passwords.

When the password contains multi-byte (non-ASCII) characters, the check password script does not receive the full password string.
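A minimal check password script in Python, added here as an example (it is not part of this advisory or of Samba's code): it enforces a policy counted in characters rather than bytes and decodes its input strictly, so a multi-byte password that arrives cut short tends to surface as a decode error instead of a silently weaker check. It assumes, per the smb.conf man page, that the new password arrives on stdin and that a non-zero exit status rejects it; the `first_n_bytes` helper is constructed for the demonstration and does not reproduce Samba's actual code path.

```python
#!/usr/bin/env python3
"""Minimal Samba AD DC 'check password script' (added example, not Samba code).

Assumed contract (from the smb.conf man page, not from this advisory): the new
cleartext password arrives on stdin and a non-zero exit status rejects it.
Policy lengths are counted in characters, so multi-byte input must be decoded
strictly; a UTF-8 string cut inside a character fails that decode.
"""
import sys

MIN_CHARS = 12                        # policy is per character, not per byte
BANNED = {"samba", "passwörter"}      # constructed mini dictionary for the demo


def check_password(raw: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for the bytes the DC handed to the script."""
    try:
        # Strict decode: a password cut inside a multi-byte sequence raises
        # here, which flags that the script did not receive the whole string.
        password = raw.decode("utf-8").rstrip("\n")
    except UnicodeDecodeError:
        return False, "invalid UTF-8 (input possibly truncated)"
    if password.casefold() in BANNED:
        return False, "password is in the banned list"
    if len(password) < MIN_CHARS:
        return False, f"too short: {len(password)} chars, need {MIN_CHARS}"
    return True, "ok"


def first_n_bytes(password: str, n: int) -> bytes:
    """Constructed helper that hands over only a byte prefix of the password.

    It reproduces the advisory's symptom (the script sees less than the full
    password) for testing; it is not a reimplementation of Samba's bug.
    """
    return password.encode("utf-8")[:n]


def main() -> int:
    accepted, reason = check_password(sys.stdin.buffer.read())
    print(reason, file=sys.stderr)
    return 0 if accepted else 1


if __name__ == "__main__":
    sys.exit(main())
```

Wire it in with `check password script = /path/to/this/script.py` and watch the rejection reasons on stderr; a burst of "invalid UTF-8" rejections for users with non-ASCII passwords is the symptom this advisory describes.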

Technical details

Unknown

Credits

Simon Fonteneau

Reference(s)

Samba – Security Updates and Information
https://www.samba.org/samba/history/security.html

Samba AD DC check password script does not receive the full password
https://www.samba.org/samba/security/CVE-2019-14833.html

CVE-2019-14833
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14833

CVE-2019-14833
https://nvd.nist.gov/vuln/detail/CVE-2019-14833

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: November 5, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.