CVE-2019-14907
CVE-2019-14907 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. All Samba versions 4.9.x before 4.9.18, 4.10.x before 4.10.12 and 4.11.x before 4.11.5 have an issue where, if configured with "log level = 3" (or above), the string obtained from the client after a failed character conversion is printed. Such strings can be supplied during the NTLMSSP authentication exchange. EPSS estimates a 3.15% chance of exploitation in the next 30 days.
Description
All Samba versions 4.9.x before 4.9.18, 4.10.x before 4.10.12 and 4.11.x before 4.11.5 have an issue where, if configured with "log level = 3" (or above), the string obtained from the client after a failed character conversion is printed. Such strings can be supplied during the NTLMSSP authentication exchange. In the Samba AD DC in particular, this may cause a long-lived process (such as the RPC server) to terminate. In the file server case, the most likely target, smbd, operates as process-per-client, so a crash there is harmless.
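Added example (not from this page or the Samba project): a Python check that applies the two conditions in the description, an affected version and an effective "log level" of 3 or higher, to a version string and smb.conf text. It assumes the global level is the leading number of the "log level" (or its synonym "debuglevel") value and ignores per-class overrides; branches the advisory does not list are reported as unlisted rather than safe.

```python
import re

# Affected branches and their first fixed release, taken from the advisory text.
FIXED_IN = {(4, 9): (4, 9, 18), (4, 10): (4, 10, 12), (4, 11): (4, 11, 5)}

def parse_version(text):
    """Pull (major, minor, patch) out of a string such as 'Version 4.10.11-Ubuntu'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(g) for g in m.groups())

def version_affected(text):
    """True = in an affected range, False = carries the fix, None = branch not listed."""
    v = parse_version(text)
    fixed = FIXED_IN.get(v[:2])
    return None if fixed is None else v < fixed

def global_log_level(smb_conf):
    """Effective global 'log level' (synonym 'debuglevel') from smb.conf text; 0 if unset.
    Only the leading number is read; per-class overrides like 'auth:10' are ignored (assumption)."""
    level, in_global = 0, True  # lines before any [section] are treated as global (assumption)
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # whole-line comments only
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
            continue
        m = re.match(r"(log level|debuglevel)\s*=\s*(\d+)", line, re.I)
        if in_global and m:
            level = int(m.group(2))  # last assignment wins
    return level

def assess(version_text, smb_conf):
    """Both advisory conditions must hold: affected version AND log level >= 3.
    Returns one of 'unlisted', 'fixed', 'workaround', 'vulnerable'."""
    affected = version_affected(version_text)
    if affected is None:
        return "unlisted"
    if not affected:
        return "fixed"
    return "vulnerable" if global_log_level(smb_conf) >= 3 else "workaround"

# Constructed sample input (not from a real host): affected build with verbose logging.
SAMPLE_CONF = "[global]\n   workgroup = EXAMPLE\n   log level = 3 auth:10\n[share]\n   path = /srv\n"
SAMPLE_VERSION = "Version 4.10.11-Debian"
if __name__ == "__main__":
    print(assess(SAMPLE_VERSION, SAMPLE_CONF))  # vulnerable
```

A "workaround" result means the logging condition is not met on an unpatched build; upgrading to the fixed release is still the durable fix.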
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Samba | Samba | >= 4.9.0, < 4.9.18 |
| Samba | Samba | >= 4.10.0, < 4.10.12 |
| Samba | Samba | >= 4.11.0, < 4.11.5 |
| Fedoraproject | Fedora | 30 |
| Fedoraproject | Fedora | 31 |
| Redhat | Storage | 3.0 |
| Redhat | Enterprise Linux | 7.0 |
| Redhat | Enterprise Linux | 8.0 |
| Canonical | Ubuntu Linux | 16.04 |
| Canonical | Ubuntu Linux | 18.04 |
| Canonical | Ubuntu Linux | 19.04 |
| Canonical | Ubuntu Linux | 19.10 |
| Synology | Directory Server | All versions |
| Synology | Router Manager | 1.2 |
| Synology | Skynas | All versions |
| Synology | Diskstation Manager | 6.2 |
| Debian | Debian Linux | 9.0 |
References
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00055.html (Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14907 (Issue Tracking, Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2021/05/msg00023.html (Mailing List, Third Party Advisory)
- https://security.gentoo.org/glsa/202003-52 (Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20200122-0001/ (Third Party Advisory)
- https://usn.ubuntu.com/4244-1/ (Third Party Advisory)
- https://www.samba.org/samba/security/CVE-2019-14907.html (Vendor Advisory)
- https://www.synology.com/security/advisory/Synology_SA_20_01 (Third Party Advisory)
Source: NVD / NIST
