Authentication bypass in Samba - CVE-2017-11103
Published: July 12, 2017
Vulnerability identifier: #VU7482
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-11103
CWE-ID: CWE-311
Exploitation vector: Adjecent network
Exploit availability:
No public exploit available
Vendor: Samba
Affected software:
Samba
Samba
Detailed vulnerability description
The vulnerability allows a remote attacker to impersonate a trusted server and intercept users' credentials.
The vulnerability exists due to the KDC-REP service name is stored in unencrypted "ticket" instead of encrypted "enc_part" and used later by the _krb5_extract_ticket() function. An attacker in local network can perform a man-in-the-middle attack, intercept the KDC-REP service name and impersonate a trusted server.
Successful exploitation of the vulnerability may allow an attacker to obtain credentials of all Samba users from Samba DRS replication service during password replication process between trusted and fake DC.
The vulnerability exists due to the KDC-REP service name is stored in unencrypted "ticket" instead of encrypted "enc_part" and used later by the _krb5_extract_ticket() function. An attacker in local network can perform a man-in-the-middle attack, intercept the KDC-REP service name and impersonate a trusted server.
Successful exploitation of the vulnerability may allow an attacker to obtain credentials of all Samba users from Samba DRS replication service during password replication process between trusted and fake DC.
How to mitigate CVE-2017-11103
Update to version 4.6.6, 4.5.12 or 4.4.15