CVE-2017-12151

MEDIUM

Description

A flaw was found in the way samba client before samba 4.4.16, samba 4.5.14 and samba 4.6.8 used encryption with the max protocol set as SMB3. The connection could lose the requirement for signing and encrypting to any DFS redirects, allowing an attacker to read or alter the contents of the connection via a man-in-the-middle attack.

References

http://www.securityfocus.com/bid/100917

http://www.securitytracker.com/id/1039401

https://access.redhat.com/errata/RHSA-2017:2790

https://access.redhat.com/errata/RHSA-2017:2858

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-12151

https://security.netapp.com/advisory/ntap-20170921-0001/

https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03817en_us

https://www.debian.org/security/2017/dsa-3983

https://www.samba.org/samba/security/CVE-2017-12151.html

Details

Source: MITRE

Published: 2018-07-27

Updated: 2018-10-02

Type: CWE-310

Risk Information

CVSS v2.0

Base Score: 5.8

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

Impact Score: 4.9

Exploitability Score: 8.6

Severity: MEDIUM

CVSS v3.0

Base Score: 7.4

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Impact Score: 5.2

Exploitability Score: 2.2

Severity: HIGH