#VU7482 Authentication bypass in Samba


Published: 2017-07-12

Vulnerability identifier: #VU7482

Vulnerability risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-11103

CWE-ID: CWE-311

Exploitation vector: Local network

Exploit availability: No

Vulnerable software:
Samba
Server applications / Directory software, identity management

Vendor: Samba

Description
The vulnerability allows a remote attacker to impersonate a trusted server and intercept users' credentials.

The vulnerability exists due to the KDC-REP service name is stored in unencrypted "ticket" instead of encrypted "enc_part" and used later by the _krb5_extract_ticket() function. An attacker in local network can perform a man-in-the-middle attack, intercept the KDC-REP service name and impersonate a trusted server.

Successful exploitation of the vulnerability may allow an attacker to obtain credentials of all Samba users from Samba DRS replication service during password replication process between trusted and fake DC.

Mitigation
Update to version 4.6.6, 4.5.12 or 4.4.15

Vulnerable software versions

Samba: 4.6.0 - 4.6.5, 4.5.0 - 4.5.11, 4.4.0 - 4.4.14, 4.3.0 - 4.3.13, 4.2.0 - 4.2.14, 4.1.0 - 4.1.23, 4.0.0 - 4.0.26

External links
http://www.samba.org/samba/security/CVE-2017-11103.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


OpenSUSE Linux update for samba and resource-agents
SUSE Linux update for samba
Ubuntu update for Heimdal
Ubuntu update for Samba
Authentication bypass in heimdal (Alpine package)
Authentication bypass in samba (Alpine package)
Debian update for heimdal
Debian update for samba
Slackware Linux update for samba
Ubuntu update for Heimdal