4.9 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:P/I:P/A:N
5.4 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
0.001 Low
EPSS
Percentile
47.0%
The version of Samba running on the remote host is 4.5.x, 4.6.x, 4.7.x, 4.8.x, 4.9.x prior to 4.9.15, 4.10.x prior to 4.10.10, or 4.11.x prior to 4.11.2. It is, therefore, affected by a password complexity check bypass vulnerability. An authenticated attacker could use this flaw to change their password to a weak password that fails the configured password complexity check.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(130628);
script_version("1.4");
script_cvs_date("Date: 2019/12/13");
script_cve_id("CVE-2019-14833");
script_name(english:"Samba 4.5.x / 4.6.x / 4.7.x / 4.8.x / 4.9.x < 4.9.15 / 4.10.x < 4.10.10 / 4.11.x < 4.11.2 Password Complexity Check Bypass (CVE-2019-14833)");
script_summary(english:"Checks the version of Samba.");
script_set_attribute(attribute:"synopsis", value:
"The remote Samba server is potentially affected by a password complexity check bypass vulnerability.");
script_set_attribute(attribute:"description", value:
"The version of Samba running on the remote host is 4.5.x, 4.6.x, 4.7.x, 4.8.x, 4.9.x prior to 4.9.15, 4.10.x prior to
4.10.10, or 4.11.x prior to 4.11.2. It is, therefore, affected by a password complexity check bypass vulnerability. An
authenticated attacker could use this flaw to change their password to a weak password that fails the configured
password complexity check.");
# https://www.samba.org/samba/security/CVE-2019-14833.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0f566831");
script_set_attribute(attribute:"solution", value:
"Upgrade to Samba version 4.9.15 / 4.10.10 / 4.11.2 or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-14833");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"vuln_publication_date", value:"2019/10/29");
script_set_attribute(attribute:"patch_publication_date", value:"2019/10/29");
script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/08");
script_set_attribute(attribute:"potential_vulnerability", value:"true");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:samba:samba");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Misc.");
script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("smb_nativelanman.nasl");
script_require_keys("SMB/NativeLanManager", "SMB/samba", "Settings/ParanoidReport");
exit(0);
}
include('audit.inc');
include('global_settings.inc');
include('misc_func.inc');
include('vcf.inc');
include('vcf_extras.inc');
if (report_paranoia < 2) audit(AUDIT_PARANOID);
app = vcf::samba::get_app_info();
vcf::check_granularity(app_info:app, sig_segments:3);
constraints = [
{'min_version':'4.5.0', 'fixed_version':'4.9.15'},
{'min_version':'4.10.0rc0', 'fixed_version':'4.10.10'},
{'min_version':'4.11.0rc0', 'fixed_version':'4.11.2'}
];
vcf::check_version_and_report(app_info:app, constraints:constraints, severity:SECURITY_WARNING, strict:FALSE);
4.9 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:P/I:P/A:N
5.4 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
0.001 Low
EPSS
Percentile
47.0%