CVE-2017-12151

high

Description

A flaw was found in the way the Samba client, in versions before 4.4.16, 4.5.14 and 4.6.8, handled encryption when the max protocol was set to SMB3. When the client followed a DFS redirect, the new connection could lose the signing and encryption requirements of the original one, allowing an attacker positioned on the network path to read or alter the contents of the connection via a man-in-the-middle attack.

References

https://www.samba.org/samba/security/CVE-2017-12151.html

https://www.debian.org/security/2017/dsa-3983

https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03817en_us

https://security.netapp.com/advisory/ntap-20170921-0001/

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-12151

https://access.redhat.com/errata/RHSA-2017:2858

https://access.redhat.com/errata/RHSA-2017:2790

http://www.securitytracker.com/id/1039401

http://www.securityfocus.com/bid/100917

Details

Source: Mitre, NVD

Published: 2018-07-27

Updated: 2019-10-09

Risk Information

CVSS v2

Base Score: 5.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 7.4

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Severity: High