CVE-2017-11103

high
Description

Heimdal before 7.4 allows remote attackers to impersonate services with Orpheus' Lyre attacks because it obtains service-principal names in a way that violates the Kerberos 5 protocol specification. In _krb5_extract_ticket() the KDC-REP service name must be obtained from the encrypted version stored in 'enc_part' instead of the unencrypted version stored in 'ticket'. Use of the unencrypted version provides an opportunity for successful server impersonation and other attacks. NOTE: this CVE is only for Heimdal and other products that embed Heimdal code; it does not apply to other instances in which this part of the Kerberos 5 protocol specification is violated.
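
The check the description calls for, as an added example (not Heimdal's code and not part of this advisory). It is a simplified C model: the struct and function names are hypothetical and the principal names are constructed sample values. It compares the requested service principal against the cleartext name in 'ticket' and against the name from the decrypted 'enc_part'.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified model of a KDC-REP; these are not Heimdal's types. */
struct principal {
    const char *realm;
    const char *name;
};

struct kdc_rep_model {
    struct principal ticket_sname;   /* cleartext field of 'ticket', no integrity protection */
    struct principal enc_part_sname; /* from the decrypted 'enc_part', protected by the reply key */
};

static bool principal_eq(const struct principal *a, const struct principal *b)
{
    return strcmp(a->realm, b->realm) == 0 && strcmp(a->name, b->name) == 0;
}

/* Behaviour the description attributes to Heimdal before 7.4: trust the cleartext name. */
bool sname_ok_from_ticket(const struct kdc_rep_model *rep, const struct principal *requested)
{
    return principal_eq(&rep->ticket_sname, requested);
}

/* Behaviour the description requires: take the name from the encrypted part. */
bool sname_ok_from_enc_part(const struct kdc_rep_model *rep, const struct principal *requested)
{
    return principal_eq(&rep->enc_part_sname, requested);
}

/* Constructed sample: the cleartext name matches the request, the encrypted one does not. */
struct kdc_rep_model sample_mismatched_reply(void)
{
    struct kdc_rep_model rep = {
        { "EXAMPLE.TEST", "host/files.example.test" },
        { "EXAMPLE.TEST", "host/other.example.test" },
    };
    return rep;
}

int main(void)
{
    struct principal want = { "EXAMPLE.TEST", "host/files.example.test" };
    struct kdc_rep_model rep = sample_mismatched_reply();
    printf("ticket check: %d, enc_part check: %d\n",
           sname_ok_from_ticket(&rep, &want), sname_ok_from_enc_part(&rep, &want));
    return 0;
}
```

A reply whose two names disagree passes the cleartext check and fails the enc_part check, which is the mismatch a client must treat as an error.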

References

http://www.debian.org/security/2017/dsa-3912

http://www.h5l.org/advisories.html?show=2017-07-11

http://www.securityfocus.com/bid/99551

http://www.securitytracker.com/id/1038876

http://www.securitytracker.com/id/1039427

https://github.com/heimdal/heimdal/releases/tag/heimdal-7.4.0

https://support.apple.com/HT208112

https://support.apple.com/HT208144

https://support.apple.com/HT208221

https://www.freebsd.org/security/advisories/FreeBSD-SA-17:05.heimdal.asc

https://www.orpheus-lyre.info/

https://www.samba.org/samba/security/CVE-2017-11103.html

Details

Source: MITRE

Published: 2017-07-13

Updated: 2020-08-18

Type: CWE-345

Risk Information

CVSS v2

Base Score: 6.8

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 8.6

Severity: MEDIUM

CVSS v3

Base Score: 8.1

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Impact Score: 5.9

Exploitability Score: 2.2

Severity: HIGH

Tenable Plugins

ID | Name | Product | Family | Severity
146748 | EulerOS 2.0 SP2 : samba (EulerOS-SA-2021-1357) | Nessus | Huawei Local Security Checks | high
140877 | EulerOS 2.0 SP3 : samba (EulerOS-SA-2020-2110) | Nessus | Huawei Local Security Checks | high
700542 | Apple iOS < 11.0.1 Multiple Vulnerabilities | Nessus Network Monitor | Mobile Devices | critical
700511 | macOS < 10.13 Multiple Vulnerabilities | Nessus Network Monitor | Operating System Detection | critical
104379 | macOS and Mac OS X Multiple Vulnerabilities (Security Update 2017-001 and 2017-004) | Nessus | MacOS X Local Security Checks | critical
103598 | macOS < 10.13 Multiple Vulnerabilities | Nessus | MacOS X Local Security Checks | critical
103420 | Apple iOS < 11 Multiple Vulnerabilities | Nessus | Mobile Devices | critical
102849 | openSUSE Security Update : samba and resource-agents (openSUSE-2017-987) (Orpheus' Lyre) | Nessus | SuSE Local Security Checks | high
102696 | SUSE SLED12 / SLES12 Security Update : samba / resource-agents (SUSE-SU-2017:2237-1) (Orpheus' Lyre) | Nessus | SuSE Local Security Checks | high
102556 | openSUSE Security Update : libheimdal (openSUSE-2017-937) (Orpheus' Lyre) | Nessus | SuSE Local Security Checks | high
101917 | Fedora 25 : heimdal (2017-5d6a9e0c9c) (Orpheus' Lyre) | Nessus | Fedora Local Security Checks | high
101915 | Fedora 26 : heimdal (2017-2afe501b36) (Orpheus' Lyre) | Nessus | Fedora Local Security Checks | high
101773 | Samba 4.4.x < 4.4.15 / 4.5.x < 4.5.12 / 4.6.x < 4.6.6 KDC-REP Service Name Validation (Orpheus' Lyre) | Nessus | Misc. | high
101770 | Ubuntu 14.04 LTS / 16.04 LTS / 16.10 / 17.04 : samba vulnerability (USN-3353-2) (Orpheus' Lyre) | Nessus | Ubuntu Local Security Checks | high
101769 | Ubuntu 14.04 LTS / 16.04 LTS / 16.10 / 17.04 : heimdal vulnerability (USN-3353-1) (Orpheus' Lyre) | Nessus | Ubuntu Local Security Checks | high
101557 | Debian DSA-3912-1 : heimdal - security update (Orpheus' Lyre) | Nessus | Debian Local Security Checks | high
101554 | Debian DSA-3909-1 : samba - security update (Orpheus' Lyre) | Nessus | Debian Local Security Checks | high
101553 | Debian DLA-1027-1 : heimdal security update (Orpheus' Lyre) | Nessus | Debian Local Security Checks | high
101550 | Slackware 14.0 / 14.1 / 14.2 / current : samba (SSA:2017-195-02) (Orpheus' Lyre) | Nessus | Slackware Local Security Checks | high
101541 | FreeBSD : samba -- Orpheus Lyre mutual authentication validation bypass (85851e4f-67d9-11e7-bc37-00505689d4ae) (Orpheus' Lyre) | Nessus | FreeBSD Local Security Checks | high