Bug 1154289 - (CVE-2019-14833) VUL-0: CVE-2019-14833: samba: Accent with "check script password"
(CVE-2019-14833)
VUL-0: CVE-2019-14833: samba: Accent with "check script password"
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/245235/
CVSSv2:NVD:CVE-2019-14833:4.9:(AV:N/A...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2019-10-17 08:38 UTC by Marcus Meissner
Modified: 2020-09-17 19:14 UTC (History)
2 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 2 Marcus Meissner 2019-10-29 10:38:40 UTC
is public

https://www.samba.org/samba/security/CVE-2019-14833.html


CVE-2019-14833.html

=====================================================================
== Subject:     Samba AD DC check password script does not receive
==              the full password.
==
== CVE ID#:     CVE-2019-14833
==
== Versions:    Samba 4.5.0 and later
==
== Summary:     When the password contains multi-byte (non-ASCII)
==              characters, the check password script does not
==              receive the full password string.
=====================================================================

===========
Description
===========

Since Samba Version 4.5.0 a Samba AD DC can use a custom command to
verify the password complexity. The command can be specified with
the "check password script" smb.conf parameter.
This command is called when Samba handles a user password change or
a new user password is set. The script receives the new cleartext
password string in order to run custom password complexity checks
like dictionary checks to avoid weak user passwords.

When the password contains multi-byte (non-ASCII) characters, the
check password script does not receive the full password string.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.11.2, 4.10.10 and 4.9.15 have been issued
as security releases to correct the defect.  Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N (4.2)

==========
Workaround
==========

If the check password script parameter is not specified, Samba runs
the internal password quality checks. The internal check makes sure
that a password contains characters from three of five different
characters categories.

=======
Credits
=======

Originally reported by Simon Fonteneau in 2016 and indicated as
security issue by Björn Baumbach.

Patches provided by Björn Baumbach of the Samba Team and SerNet and
Andrew Bartlett of the Samba Team and Catalyst.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
Comment 3 Swamp Workflow Management 2019-10-30 20:13:32 UTC
SUSE-SU-2019:2866-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1144902,1148539,1152143,1154289,1154598
CVE References: CVE-2019-10218,CVE-2019-14833,CVE-2019-14847
Sources used:
SUSE Linux Enterprise Module for Python2 15-SP1 (src):    samba-4.9.5+git.210.ab0549acb05-3.14.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    samba-4.9.5+git.210.ab0549acb05-3.14.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    samba-4.9.5+git.210.ab0549acb05-3.14.1
SUSE Linux Enterprise High Availability 15-SP1 (src):    samba-4.9.5+git.210.ab0549acb05-3.14.1
SUSE Enterprise Storage 6 (src):    samba-4.9.5+git.210.ab0549acb05-3.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 4 Swamp Workflow Management 2019-10-30 20:15:17 UTC
SUSE-SU-2019:2868-1: An update that solves three vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1125601,1127153,1130245,1134452,1144902,1154289,1154598
CVE References: CVE-2019-10218,CVE-2019-14833,CVE-2019-14847
Sources used:
SUSE Linux Enterprise Module for Packagehub Subpackages 15 (src):    samba-4.7.11+git.186.d75219614c3-4.30.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    samba-4.7.11+git.186.d75219614c3-4.30.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    samba-4.7.11+git.186.d75219614c3-4.30.1
SUSE Linux Enterprise High Availability 15 (src):    samba-4.7.11+git.186.d75219614c3-4.30.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Samuel Cabrero 2019-11-04 09:56:28 UTC
Reassign to security team for check and close.
Comment 6 Swamp Workflow Management 2019-11-05 20:17:49 UTC
openSUSE-SU-2019:2442-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1144902,1148539,1152143,1154289,1154598
CVE References: CVE-2019-10218,CVE-2019-14833,CVE-2019-14847
Sources used:
openSUSE Leap 15.1 (src):    samba-4.9.5+git.210.ab0549acb05-lp151.2.9.1
Comment 7 Swamp Workflow Management 2019-11-09 17:14:05 UTC
openSUSE-SU-2019:2458-1: An update that solves three vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1125601,1127153,1130245,1134452,1144902,1154289,1154598
CVE References: CVE-2019-10218,CVE-2019-14833,CVE-2019-14847
Sources used:
openSUSE Leap 15.0 (src):    samba-4.7.11+git.186.d75219614c3-lp150.3.18.2
Comment 13 Marcus Meissner 2020-02-05 07:55:39 UTC
After having a look to the patch it is not required for SLE-12-SP3. The vulnerability only affects to samba "AD DC", a functionality we do not ship in 12 SP3.

-> done
Comment 15 Swamp Workflow Management 2020-09-17 19:14:36 UTC
SUSE-SU-2020:2673-1: An update that fixes 15 vulnerabilities is now available.

Category: security (important)
Bug References: 1141267,1144902,1154289,1154598,1158108,1158109,1160850,1160852,1160888,1169850,1169851,1173159,1173160,1173359,1174120
CVE References: CVE-2019-10197,CVE-2019-10218,CVE-2019-14833,CVE-2019-14847,CVE-2019-14861,CVE-2019-14870,CVE-2019-14902,CVE-2019-14907,CVE-2019-19344,CVE-2020-10700,CVE-2020-10704,CVE-2020-10730,CVE-2020-10745,CVE-2020-10760,CVE-2020-14303
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    ldb-1.5.8-3.5.1, samba-4.10.17+git.203.862547088ca-3.14.1
SUSE Linux Enterprise Server 12-SP5 (src):    ldb-1.5.8-3.5.1, samba-4.10.17+git.203.862547088ca-3.14.1
SUSE Linux Enterprise High Availability 12-SP5 (src):    samba-4.10.17+git.203.862547088ca-3.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.