Samba Security: SAMBA:CVE-2019-14833

Samba AD DC check password script does not receive the full password string

Published: 2019-10-29 00:00:00
Source: Samba Security (www.samba.org)

CVSS v3.1: 5.4 Medium
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
  Attack Vector: Network
  Attack Complexity: Low
  Privileges Required: Low
  User Interaction: None
  Scope: Unchanged
  Confidentiality Impact: Low
  Integrity Impact: Low
  Availability Impact: None

CVSS v2: 4.9 Medium
AV:N/AC:M/Au:S/C:P/I:P/A:N
  Access Vector: Network
  Access Complexity: Medium
  Authentication: Single
  Confidentiality Impact: Partial
  Integrity Impact: Partial
  Availability Impact: None

EPSS: 0.001 (Low), percentile 46.4%

Description

Since Samba version 4.5.0 a Samba AD DC can use a custom command to
verify password complexity. The command is specified with the
"check password script" smb.conf parameter.
This command is called whenever Samba handles a user password change
or sets a new user password. The script receives the new cleartext
password string so that it can run custom password complexity checks,
such as dictionary checks, to avoid weak user passwords.

When the password contains multi-byte (non-ASCII) characters, the
check password script does not receive the full password string, so
whatever checks the script performs are applied to an incomplete
string rather than to the password actually being set.

Patch Availability

Patches addressing this issue have been posted to:

https://www.samba.org/samba/security/

Additionally, Samba 4.11.2, 4.10.10 and 4.9.15 have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

CVSSv3 calculation

The Samba Team's own CVSSv3 calculation rates attack complexity as
High and therefore arrives at a lower score (4.2) than the vector
listed at the top of this page, which rates it Low (5.4):

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N (4.2)

Workaround

If the "check password script" parameter is not set, Samba runs its
internal password quality checks instead. The internal check makes sure
that a password contains characters from at least three of five
different character categories. Removing the parameter therefore
trades the custom checks (for example dictionary checks) for the
built-in category rule until the DC can be upgraded.
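As an added example that is not part of the Samba advisory and not Samba's own code, the following is a complete check password script of the kind the Description and Workaround above refer to. It reads the cleartext password that Samba writes to the script's standard input, applies a three-of-five character category rule (a reimplementation of the rule the workaround describes; the exact character classes, the minimum length, the constructed word list and the script path in the smb.conf line are assumptions of this example) together with a dictionary check, and treats a password that arrives cut off inside a multi-byte UTF-8 sequence as a failure rather than silently evaluating a shorter string.

```python
#!/usr/bin/env python3
"""Illustrative Samba "check password script" (added example, not Samba code).

Samba calls the configured program on every password set or change and
writes the new cleartext password to the program's standard input; exit
status 0 accepts the password, any other status rejects it.  Wire it up
with (the path is an assumption of this example):

    check password script = /usr/local/sbin/check-password.py
"""
from __future__ import annotations

import sys
import unicodedata

# Assumptions of this example, not values taken from Samba.
MIN_LENGTH = 8
SPECIALS = set("`~!@#$%^&*()_-+=|\\{}[]:;\"'<>,.?/")
# Constructed word list; a deployment would load a real dictionary.
WEAK_WORDS = ("password", "samba", "welcome", "letmein")


def categories(pwd: str) -> set[str]:
    """Character categories present in pwd, counted per Unicode code point.

    A multi-byte UTF-8 character such as 'ü' or '€' is one character here,
    never several bytes, and non-ASCII characters form the fifth category.
    """
    found: set[str] = set()
    for ch in pwd:
        if not ch.isascii():
            found.add("unicode")
        elif ch.isdigit():
            found.add("digit")
        elif ch.isupper():
            found.add("upper")
        elif ch.islower():
            found.add("lower")
        elif ch in SPECIALS:
            found.add("special")
    return found


def check_password(pwd: str) -> tuple[bool, str]:
    """Apply the policy to a complete password; returns (accepted, reason)."""
    if len(pwd) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if len(categories(pwd)) < 3:
        return False, "fewer than three of five character categories"
    # Dictionary check on a case-folded, accent-stripped form so that
    # "Pässword1!" does not slip past a plain substring match.
    folded = unicodedata.normalize("NFKD", pwd.casefold())
    stripped = "".join(c for c in folded if not unicodedata.combining(c))
    for word in WEAK_WORDS:
        if word in stripped:
            return False, f"contains dictionary word {word!r}"
    return True, "ok"


def read_password(raw: bytes) -> str | None:
    """Decode the bytes Samba wrote to stdin; None if they are not complete UTF-8.

    Strict decoding means a password that arrives cut off inside a multi-byte
    sequence is reported as unusable instead of being evaluated as a shorter
    string; the caller then rejects the change.
    """
    try:
        return raw.rstrip(b"\n").decode("utf-8")
    except UnicodeDecodeError:
        return None


def main() -> int:
    pwd = read_password(sys.stdin.buffer.read())
    if pwd is None:
        # Log the reason only; this runs on the DC, so never log the password.
        print("check-password: input is not complete UTF-8, rejecting",
              file=sys.stderr)
        return 1
    ok, reason = check_password(pwd)
    if not ok:
        print(f"check-password: rejected ({reason})", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Because the DC hands the script the cleartext password, keep the script root-owned and non-world-writable and never write the password itself to stderr or syslog. To confirm a DC is no longer affected after upgrading, temporarily have the script log `len(pwd)` (the character count, not the value), then set a test user's password containing non-ASCII characters with `samba-tool user setpassword`: on an affected DC the logged count is shorter than the password that was actually set.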

Credits

Originally reported by Simon Fonteneau in 2016 and indicated as a
security issue by Björn Baumbach.

Patches provided by Björn Baumbach of the Samba Team and SerNet and
Andrew Bartlett of the Samba Team and Catalyst.

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
