A flaw was found in the way Samba handles a user's password change or a new password for a Samba user. Samba AD DC can be configured to use a custom script to check password complexity; that check can fail to verify complexity when non-ASCII characters are used in the password, which could lead to weak passwords being set for Samba users and leave them vulnerable to dictionary attacks. Upstream bug: https://bugzilla.samba.org/show_bug.cgi?id=12438
Statement: This flaw does not affect the version of Samba shipped with Red Hat Enterprise Linux because there is no support for Samba as an Active Directory Domain Controller.
Mitigation: If the check password script parameter is not specified, Samba runs its internal password quality checks. The internal check makes sure that a password contains characters from three of five different character categories.
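The following is an added example, not part of this advisory and not Samba's own code: a small check password script in Python that classifies characters as Unicode code points rather than bytes, applies a three-of-five category rule, and rejects any password it cannot decode. It follows the convention of the smb.conf check password script parameter (password on stdin, exit status 0 to accept, nonzero to reject). The five category names, the minimum length of 7, and the check_password_misdecoded() variant (a constructed illustration of what a script that assumes a single-byte locale would do, not a description of the upstream bug's mechanism) are assumptions made here for illustration.

```python
import sys
import unicodedata

# Assumption (not from the advisory): minimum length 7, and an AD-style
# "3 of 5" rule over these categories: uppercase, lowercase, decimal digit,
# other letter (caseless scripts such as CJK or Arabic), and special.
MIN_LENGTH = 7


def char_class(ch: str) -> str:
    """Classify one Unicode code point (never a single byte) into a category."""
    cat = unicodedata.category(ch)
    if cat == "Lu":
        return "upper"
    if cat == "Ll":
        return "lower"
    if cat == "Nd":
        return "digit"
    if cat.startswith("L"):      # Lo / Lt / Lm: letters without case
        return "other_letter"
    return "special"             # punctuation, symbols, spaces, marks, controls


def categories(password: str) -> set:
    """Set of complexity categories present in the password."""
    return {char_class(ch) for ch in password}


def is_complex(password: str, min_length: int = MIN_LENGTH) -> bool:
    """Three of five categories plus a minimum length, evaluated on code points."""
    return len(password) >= min_length and len(categories(password)) >= 3


def check_password(raw: bytes) -> int:
    """Exit-status style result: 0 = acceptable, 1 = reject.

    The password arrives as bytes on stdin and is decoded strictly as UTF-8.
    If decoding fails the policy cannot be evaluated, so the script rejects
    (fails closed) instead of accepting or evaluating a mangled string.
    """
    try:
        password = raw.decode("utf-8").rstrip("\n")
    except UnicodeDecodeError:
        return 1
    return 0 if is_complex(password) else 1


def check_password_misdecoded(raw: bytes) -> int:
    """Constructed weak variant: a script that decodes stdin as Latin-1.

    Each non-ASCII UTF-8 character becomes two mojibake characters such as
    "Ã¤", which can add spurious uppercase and special categories and let a
    weak password through. Shown only to make the decoding point concrete.
    """
    password = raw.decode("latin-1").rstrip("\n")
    return 0 if is_complex(password) else 1


if __name__ == "__main__":
    sys.exit(check_password(sys.stdin.buffer.read()))
```

The interesting case is a password such as "äääääää1": correctly decoded it contains only lowercase letters and one digit (two categories) and is rejected, while the Latin-1 variant sees uppercase, special and digit characters and accepts it. An undecodable byte sequence is rejected outright rather than being guessed at.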
Acknowledgments: Name: the Samba project Upstream: Simon Fonteneau
External References: https://www.samba.org/samba/security/CVE-2019-14833.html
Created samba tracking bugs for this issue: Affects: fedora-all [bug 1766559]
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-14833