Vulnerability CVE-2017-11103


Published: 2017-07-13

Description:
Heimdal before 7.4 allows remote attackers to impersonate services with Orpheus' Lyre attacks because it obtains service-principal names in a way that violates the Kerberos 5 protocol specification. In _krb5_extract_ticket() the KDC-REP service name must be obtained from the encrypted version stored in 'enc_part' instead of the unencrypted version stored in 'ticket'. Use of the unencrypted version provides an opportunity for successful server impersonation and other attacks. NOTE: this CVE is only for Heimdal and other products that embed Heimdal code; it does not apply to other instances in which this part of the Kerberos 5 protocol specification is violated.

Type:

CWE-345

(Insufficient Verification of Data Authenticity)

Vendor: H5L
Product: Heimdal 
Version:
7.3.0
7.2.0
7.1.0
1.5.2
1.5.1
1.5
1.4
1.3.3
1.3.2
1.3.1
1.3.0
1.2.1
1.2
1.1
1.0.2
1.0.1
1.0
See more versions on NVD
Vendor: Samba
Product: Samba 
Version:
4.4.4
4.4.3
4.4.2
4.4.1
4.4.0
4.3.9
4.3.8
4.3.7
4.3.6
4.3.5
4.3.4
4.3.3
4.3.2
4.3.11
4.3.10
4.3.1
4.3.0
4.2.9
4.2.8
4.2.7
4.2.6
4.2.5
4.2.4
4.2.3
4.2.2
4.2.14
4.2.13
4.2.12
4.2.11
4.2.10
4.2.1
4.2.0
4.1.9
4.1.8
4.1.7
4.1.6
4.1.5
4.1.4
4.1.3
4.1.23
4.1.22
4.1.21
4.1.20
4.1.2
4.1.19
4.1.18
4.1.17
4.1.16
4.1.15
4.1.14
4.1.13
4.1.12
4.1.11
4.1.10
4.1.1
4.1.0
4.0.9
4.0.8
4.0.7
4.0.6
4.0.5
4.0.4
4.0.3
4.0.26
4.0.25
4.0.24
4.0.23
4.0.22
4.0.21
4.0.20
4.0.2
4.0.19
4.0.18
4.0.17
4.0.16
4.0.15
4.0.14
4.0.13
4.0.12
4.0.11
4.0.10
4.0.1
4.0.0
See more versions on NVD

CVSS2 => (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
6.8/10
6.4/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial

 References:
http://www.debian.org/security/2017/dsa-3912
http://www.h5l.org/advisories.html?show=2017-07-11
http://www.securityfocus.com/bid/99551
http://www.securitytracker.com/id/1038876
http://www.securitytracker.com/id/1039427
https://github.com/heimdal/heimdal/releases/tag/heimdal-7.4.0
https://support.apple.com/HT208112
https://support.apple.com/HT208144
https://support.apple.com/HT208221
https://www.freebsd.org/security/advisories/FreeBSD-SA-17:05.heimdal.asc
https://www.orpheus-lyre.info/
https://www.samba.org/samba/security/CVE-2017-11103.html

Related CVE
CVE-2018-5764
The parse_arguments function in options.c in rsyncd in rsync before 3.1.3 does not prevent multiple --protect-args uses, which allows remote attackers to bypass an argument-sanitization protection mechanism.
CVE-2017-17433
The recv_files function in receiver.c in the daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, proceeds with certain file metadata updates before checking for a filename in the daemon_filter_list data structure, which allows remote atta...
CVE-2017-17434
The daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, does not check for fnamecmp filenames in the daemon_filter_list data structure (in the recv_files function in receiver.c) and also does not apply the sanitize_paths protection mechan...
CVE-2017-15275
Samba before 4.7.3 might allow remote attackers to obtain sensitive information by leveraging failure of the server to clear allocated heap memory.
CVE-2017-14746
Use-after-free vulnerability in Samba 4.x before 4.7.3 allows remote attackers to execute arbitrary code via a crafted SMB1 request.
CVE-2017-16548
The receive_xattr function in xattrs.c in rsync 3.1.2 and 3.1.3-development does not check for a trailing '\0' character in an xattr name, which allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) ...
CVE-2017-15994
rsync 3.1.3-development before 2017-10-24 mishandles archaic checksums, which makes it easier for remote attackers to bypass intended access restrictions. NOTE: the rsync development branch has significant use beyond the rsync developers, e.g., the c...
CVE-2017-9461
smbd in Samba before 4.4.10 and 4.5.x before 4.5.6 has a denial of service vulnerability (fd_open_atomic infinite loop with high CPU usage and memory consumption) due to wrongly handling dangling symlinks.

Copyright 2018, cxsecurity.com

 

Back to Top