CVE-2017-11103

Severity Score

8.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Heimdal before 7.4 allows remote attackers to impersonate services with Orpheus' Lyre attacks because it obtains service-principal names in a way that violates the Kerberos 5 protocol specification. In _krb5_extract_ticket() the KDC-REP service name must be obtained from the encrypted version stored in 'enc_part' instead of the unencrypted version stored in 'ticket'. Use of the unencrypted version provides an opportunity for successful server impersonation and other attacks. NOTE: this CVE is only for Heimdal and other products that embed Heimdal code; it does not apply to other instances in which this part of the Kerberos 5 protocol specification is violated.

Heimdal en versiones anteriores a la 7.4 permite que atacantes remotos suplanten servicios con ataques Orpheus' Lyre ya que obtiene nombres de servicios principales, de manera que viola la especificación del protocolo Kerberos 5. En _krb5_extract_ticket() el nombre del servicio KDC-REP se debe obtener de la versión cifrada almacenada en 'enc_part' en lugar de la versión sin cifrar almacenada en 'ticket'. El uso de versiones sin cifrar supone una oportunidad para que se lleve a cabo una suplantación del servidor exitosa además de otros ataques. NOTA: este CVE solo es aplicable a Heimdal y otros productos que embeben código Heimdal.

*Credits: N/A

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2017-07-07 CVE Reserved
2017-07-13 CVE Published
2023-10-17 EPSS Updated
2024-08-05 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-345: Insufficient Verification of Data Authenticity

CAPEC

References (12)

URL	Tag	Source
http://www.h5l.org/advisories.html?show=2017-07-11	Broken Link
http://www.securityfocus.com/bid/99551	Third Party Advisory
http://www.securitytracker.com/id/1038876	Third Party Advisory
http://www.securitytracker.com/id/1039427	Third Party Advisory
https://github.com/heimdal/heimdal/releases/tag/heimdal-7.4.0	Release Notes
https://support.apple.com/HT208112	Third Party Advisory
https://support.apple.com/HT208144	Third Party Advisory
https://support.apple.com/HT208221	Third Party Advisory
https://www.orpheus-lyre.info	Third Party Advisory
https://www.samba.org/samba/security/CVE-2017-11103.html	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
http://www.debian.org/security/2017/dsa-3912	2020-08-18
https://www.freebsd.org/security/advisories/FreeBSD-SA-17:05.heimdal.asc	2020-08-18

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Heimdal Project Search vendor "Heimdal Project"		Heimdal Search vendor "Heimdal Project" for product "Heimdal"				< 7.4.0 Search vendor "Heimdal Project" for product "Heimdal" and version " < 7.4.0"		-		Affected
Freebsd Search vendor "Freebsd"		Freebsd Search vendor "Freebsd" for product "Freebsd"				-		-		Affected
Samba Search vendor "Samba"		Samba Search vendor "Samba" for product "Samba"				>= 4.0.0 < 4.4.15 Search vendor "Samba" for product "Samba" and version " >= 4.0.0 < 4.4.15"		-		Affected
Samba Search vendor "Samba"		Samba Search vendor "Samba" for product "Samba"				>= 4.5.0 < 4.5.12 Search vendor "Samba" for product "Samba" and version " >= 4.5.0 < 4.5.12"		-		Affected
Samba Search vendor "Samba"		Samba Search vendor "Samba" for product "Samba"				>= 4.6.0 < 4.6.6 Search vendor "Samba" for product "Samba" and version " >= 4.6.0 < 4.6.6"		-		Affected
Apple Search vendor "Apple"		Iphone Os Search vendor "Apple" for product "Iphone Os"				< 11.0 Search vendor "Apple" for product "Iphone Os" and version " < 11.0"		-		Affected
Apple Search vendor "Apple"		Mac Os X Search vendor "Apple" for product "Mac Os X"				< 10.13.1 Search vendor "Apple" for product "Mac Os X" and version " < 10.13.1"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				8.0 Search vendor "Debian" for product "Debian Linux" and version "8.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0"		-		Affected