#VU7482 Authentication bypass in Samba - CVE-2017-11103
Published: July 12, 2017
Vulnerability identifier: #VU7482
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-11103
CWE-ID: CWE-311
Exploitation vector: Adjecent network
Exploit availability:
No public exploit available
Vulnerable software:
Samba
Samba
Software vendor:
Samba
Samba
Description
The vulnerability allows a remote attacker to impersonate a trusted server and intercept users' credentials.
The vulnerability exists due to the KDC-REP service name is stored in unencrypted "ticket" instead of encrypted "enc_part" and used later by the _krb5_extract_ticket() function. An attacker in local network can perform a man-in-the-middle attack, intercept the KDC-REP service name and impersonate a trusted server.
Successful exploitation of the vulnerability may allow an attacker to obtain credentials of all Samba users from Samba DRS replication service during password replication process between trusted and fake DC.
The vulnerability exists due to the KDC-REP service name is stored in unencrypted "ticket" instead of encrypted "enc_part" and used later by the _krb5_extract_ticket() function. An attacker in local network can perform a man-in-the-middle attack, intercept the KDC-REP service name and impersonate a trusted server.
Successful exploitation of the vulnerability may allow an attacker to obtain credentials of all Samba users from Samba DRS replication service during password replication process between trusted and fake DC.
Remediation
Update to version 4.6.6, 4.5.12 or 4.4.15