Vulnerability CVE-2017-11103


Published: 2017-07-13

Description:
Heimdal before 7.4 allows remote attackers to impersonate services with Orpheus' Lyre attacks because it obtains service-principal names in a way that violates the Kerberos 5 protocol specification. In _krb5_extract_ticket() the KDC-REP service name must be obtained from the encrypted version stored in 'enc_part' instead of the unencrypted version stored in 'ticket'. Use of the unencrypted version provides an opportunity for successful server impersonation and other attacks. NOTE: this CVE is only for Heimdal and other products that embed Heimdal code; it does not apply to other instances in which this part of the Kerberos 5 protocol specification is violated.
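The two code paths contrasted in the description, modelled as an added example (this is not Heimdal's code; the ToyKDC, the seal/unseal primitive and the principal names alice, host/file.example.com and host/evil.example.com are invented for the illustration). A man-in-the-middle between client and KDC who knows the long-term key of some service principal obtains a genuine ticket for that service and relabels the unauthenticated Ticket.sname to the service the client asked for. An extractor that copies the server name from the plaintext Ticket accepts the reply, and the attacker can then open the Ticket with their own key and learn the session key; an extractor that reads the name from the authenticated enc-part sees the mismatch and rejects it.

```python
import hashlib
import hmac
import json
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream derived with HMAC-SHA256 (toy stand-in for a Kerberos enctype).
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key: bytes, obj: dict) -> bytes:
    # Encrypt-then-MAC: nonce || ciphertext || tag. Only a holder of `key` can
    # produce a blob that passes unseal(), which is the property enc_part relies on.
    nonce = os.urandom(16)
    pt = json.dumps(obj, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt)


class ToyKDC:
    # Issues KDC-REPs shaped like RFC 4120's: a Ticket (plaintext sname plus a part
    # encrypted under the service key) and an enc-part encrypted under the client's
    # key that repeats the service name (srealm is omitted in this model).
    def __init__(self, keys: dict):
        self.keys = keys  # principal name -> long-term key

    def tgs_rep(self, cname: str, sname: str) -> dict:
        session_key = os.urandom(16).hex()
        ticket = {
            "sname": sname,  # unauthenticated: anyone on the wire can rewrite it
            "enc": seal(self.keys[sname], {"cname": cname, "key": session_key}),
        }
        enc_part = seal(self.keys[cname], {"sname": sname, "key": session_key})
        return {"ticket": ticket, "enc_part": enc_part}


def extract_ticket_vulnerable(rep: dict, client_key: bytes) -> dict:
    # Models the pre-7.4 behaviour: server name copied from the plaintext Ticket.
    enc = unseal(client_key, rep["enc_part"])
    return {"server": rep["ticket"]["sname"], "key": enc["key"], "ticket": rep["ticket"]}


def extract_ticket_fixed(rep: dict, client_key: bytes) -> dict:
    # Server name taken from the authenticated enc-part, as the protocol requires.
    enc = unseal(client_key, rep["enc_part"])
    return {"server": enc["sname"], "key": enc["key"], "ticket": rep["ticket"]}


def get_credentials(extract, rep: dict, client_key: bytes, wanted: str) -> dict:
    # The client's "did I get the service I asked for?" check. It is only as strong
    # as the field that `extract` populated creds["server"] from.
    creds = extract(rep, client_key)
    if creds["server"] != wanted:
        raise ValueError(f"KDC returned a ticket for {creds['server']}, wanted {wanted}")
    return creds


def orpheus_lyre(kdc: ToyKDC, cname: str, wanted: str, attacker_service: str) -> dict:
    # Man-in-the-middle between client and KDC: fetch a genuine ticket for a service
    # whose key the attacker holds, then relabel the plaintext sname to the victim service.
    rep = kdc.tgs_rep(cname, attacker_service)
    rep["ticket"]["sname"] = wanted
    return rep


def demo() -> dict:
    # Hypothetical principals with freshly generated keys; nothing here is a real realm.
    keys = {p: os.urandom(32) for p in ("alice", "host/file.example.com", "host/evil.example.com")}
    kdc = ToyKDC(keys)
    rep = orpheus_lyre(kdc, "alice", "host/file.example.com", "host/evil.example.com")

    creds = get_credentials(extract_ticket_vulnerable, rep, keys["alice"], "host/file.example.com")
    # The attacker opens the Ticket with their own service key and learns the session
    # key the client now believes it shares with host/file.example.com.
    stolen = unseal(keys["host/evil.example.com"], creds["ticket"]["enc"])["key"]

    try:
        get_credentials(extract_ticket_fixed, rep, keys["alice"], "host/file.example.com")
        fixed_rejects = False
    except ValueError:
        fixed_rejects = True

    return {"vulnerable_accepts": creds["server"] == "host/file.example.com",
            "attacker_knows_session_key": stolen == creds["key"],
            "fixed_rejects": fixed_rejects}
```

Because the attacker holds the session key, mutual authentication in the later AP exchange does not help the client: the impersonated service can answer the AP-REP correctly. The only defence on the client side is the one the fixed extractor applies, taking sname (and, in the real protocol, srealm) from the enc-part before comparing it with the requested service.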

Type:

CWE-345

(Insufficient Verification of Data Authenticity)

Vendor: H5L
Product: Heimdal 
Version:
7.3.0
7.2.0
7.1.0
1.5.2
1.5.1
1.5
1.4
1.3.3
1.3.2
1.3.1
1.3.0
1.2.1
1.2
1.1
1.0.2
1.0.1
1.0
Vendor: Samba
Product: Samba 
Version:
4.4.4
4.4.3
4.4.2
4.4.1
4.4.0
4.3.9
4.3.8
4.3.7
4.3.6
4.3.5
4.3.4
4.3.3
4.3.2
4.3.11
4.3.10
4.3.1
4.3.0
4.2.9
4.2.8
4.2.7
4.2.6
4.2.5
4.2.4
4.2.3
4.2.2
4.2.14
4.2.13
4.2.12
4.2.11
4.2.10
4.2.1
4.2.0
4.1.9
4.1.8
4.1.7
4.1.6
4.1.5
4.1.4
4.1.3
4.1.23
4.1.22
4.1.21
4.1.20
4.1.2
4.1.19
4.1.18
4.1.17
4.1.16
4.1.15
4.1.14
4.1.13
4.1.12
4.1.11
4.1.10
4.1.1
4.1.0
4.0.9
4.0.8
4.0.7
4.0.6
4.0.5
4.0.4
4.0.3
4.0.26
4.0.25
4.0.24
4.0.23
4.0.22
4.0.21
4.0.20
4.0.2
4.0.19
4.0.18
4.0.17
4.0.16
4.0.15
4.0.14
4.0.13
4.0.12
4.0.11
4.0.10
4.0.1
4.0.0

CVSS2 => (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10

Exploit range: Remote
Attack complexity: Medium
Authentication: Not required

Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

References:
http://www.debian.org/security/2017/dsa-3912
http://www.h5l.org/advisories.html?show=2017-07-11
http://www.securityfocus.com/bid/99551
http://www.securitytracker.com/id/1038876
http://www.securitytracker.com/id/1039427
https://github.com/heimdal/heimdal/releases/tag/heimdal-7.4.0
https://support.apple.com/HT208112
https://support.apple.com/HT208144
https://support.apple.com/HT208221
https://www.freebsd.org/security/advisories/FreeBSD-SA-17:05.heimdal.asc
https://www.orpheus-lyre.info/
https://www.samba.org/samba/security/CVE-2017-11103.html

Related CVE
CVE-2018-1057
On a Samba 4 AD DC the LDAP server in all versions of Samba from 4.0.0 onwards incorrectly validates permissions to modify passwords over LDAP allowing authenticated users to change any other users' passwords, including administrative users and privi...
CVE-2018-1050
All versions of Samba from 4.0.0 onwards are vulnerable to a denial of service attack when the RPC spoolss service is configured to be run as an external daemon. Missing input sanitization checks on some of the input parameters to spoolss RPC calls c...
CVE-2017-2619
Samba before versions 4.6.1, 4.5.7 and 4.4.11 are vulnerable to a malicious client using a symlink race to allow access to areas of the server file system not exported under the share definition.
CVE-2018-5764
The parse_arguments function in options.c in rsyncd in rsync before 3.1.3 does not prevent multiple --protect-args uses, which allows remote attackers to bypass an argument-sanitization protection mechanism.
CVE-2017-17433
The recv_files function in receiver.c in the daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, proceeds with certain file metadata updates before checking for a filename in the daemon_filter_list data structure, which allows remote atta...
CVE-2017-17434
The daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, does not check for fnamecmp filenames in the daemon_filter_list data structure (in the recv_files function in receiver.c) and also does not apply the sanitize_paths protection mechan...
CVE-2017-15275
Samba before 4.7.3 might allow remote attackers to obtain sensitive information by leveraging failure of the server to clear allocated heap memory.
CVE-2017-14746
Use-after-free vulnerability in Samba 4.x before 4.7.3 allows remote attackers to execute arbitrary code via a crafted SMB1 request.

Copyright 2018, cxsecurity.com
