
====================================================================

                              CERT-Renater

                 Note d'Information No. 2017/VULN211
_____________________________________________________________________

DATE                : 13/07/2017

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Samba 4 versions prior to 4.6.6,
                     4.5.12 and 4.4.15.

=====================================================================
https://www.samba.org/samba/security/CVE-2017-11103.html
____________________________________________________________________

CVE-2017-11103.html:

====================================================================
== Subject:     Orpheus' Lyre mutual authentication validation bypass
==
== CVE ID#:     CVE-2017-11103 (Heimdal)
==
== Versions:    All versions of Samba from 4.0.0 onwards using
==              embedded Heimdal Kerberos.
==
==              Samba binaries built against MIT Kerberos are not
==              vulnerable.
==
== Summary:     A MITM attacker may impersonate a trusted server
==              and thus gain elevated access to the domain by
==              returning malicious replication or authorization data.
==
====================================================================

===========
Description
===========

All versions of Samba from 4.0.0 include an embedded copy of Heimdal
Kerberos.  Heimdal has made a security release, which disclosed:

Fix CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation

   This is a critical vulnerability.

   In _krb5_extract_ticket() the KDC-REP service name must be obtained
   from the encrypted version stored in 'enc_part' instead of the
   unencrypted version stored in 'ticket'.  Use of the unencrypted
   version provides an opportunity for successful server impersonation
   and other attacks.

   Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.

   See https://www.orpheus-lyre.info/ for more details.

The impact for Samba is particularly strong for cases where the Samba
DRS replication service contacts another DC requesting replication
of user passwords, as these could then be controlled by the attacker.
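
The Heimdal note above names the wrong field but does not show the check.
The following Python model is an added illustration, not code from Heimdal,
Samba or this advisory: it places the pre-fix check (service name read from
the cleartext 'ticket') beside the post-fix check (service name read from the
decrypted 'enc_part') and runs both against an honest reply and against the
substituted reply the advisory describes.  The message layout, the HMAC
stand-in for Kerberos encryption, the key material and the principal names
are all constructed for the example.

```python
# Added example, not code from Heimdal, Samba or this advisory.  A toy model of
# KDC-REP validation: the cleartext 'ticket' field can be rewritten on the wire,
# the 'enc_part' cannot, so only the latter may be trusted for the service name.
import hashlib
import hmac
import json

# Constructed sample values (assumptions for the example, not real principals).
CLIENT_KEY = b"client-long-term-key-constructed"   # known to client and KDC only
REQUESTED_SERVER = "ldap/dc1.example.test"        # what the client asked for
ATTACKER_SERVER = "host/other.example.test"       # a service whose key the attacker holds


def seal(key: bytes, fields: dict) -> dict:
    """Stand-in for enc_part encryption: JSON body plus HMAC-SHA256 tag.
    The body is readable here, but it cannot be altered without `key`."""
    body = json.dumps(fields, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def unseal(key: bytes, sealed: dict) -> dict:
    """Verify the tag and return the decoded fields; raise on any modification."""
    expected = hmac.new(key, sealed["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["tag"]):
        raise ValueError("enc_part integrity check failed")
    return json.loads(sealed["body"])


def kdc_issue_reply(sname: str) -> dict:
    """Honest KDC reply for service `sname`: the outer ticket names the service
    in the clear, and enc_part (under the client key) names it again."""
    return {
        "ticket": {"sname": sname},
        "enc_part": seal(CLIENT_KEY, {"sname": sname, "session_key": "sk-" + sname}),
    }


def rewrite_cleartext_sname(reply: dict, sname: str) -> dict:
    """What an on-path party can do to a reply it cannot decrypt: change the
    unauthenticated cleartext ticket field only."""
    altered = dict(reply)
    altered["ticket"] = {"sname": sname}
    return altered


def extract_ticket_vulnerable(reply: dict, requested: str) -> dict:
    """Pre-fix logic: compares the service name taken from the cleartext ticket."""
    enc = unseal(CLIENT_KEY, reply["enc_part"])
    if reply["ticket"]["sname"] != requested:
        raise ValueError("service name mismatch")
    return enc


def extract_ticket_fixed(reply: dict, requested: str) -> dict:
    """Post-fix logic: compares the service name taken from the decrypted enc_part."""
    enc = unseal(CLIENT_KEY, reply["enc_part"])
    if enc["sname"] != requested:
        raise ValueError("service name mismatch")
    return enc


def run_check(extract, reply: dict, requested: str) -> str:
    """Run one extraction routine and describe the outcome as a string."""
    try:
        enc = extract(reply, requested)
    except ValueError as exc:
        return "rejected: " + str(exc)
    return "accepted, session key for " + enc["sname"]


def demo() -> dict:
    """Outcome of both checks on an honest reply and on the substituted reply the
    advisory describes: a genuine reply for the attacker's own service whose
    cleartext sname has been rewritten to the requested one."""
    honest = kdc_issue_reply(REQUESTED_SERVER)
    substituted = rewrite_cleartext_sname(kdc_issue_reply(ATTACKER_SERVER), REQUESTED_SERVER)
    return {
        "honest/vulnerable": run_check(extract_ticket_vulnerable, honest, REQUESTED_SERVER),
        "honest/fixed": run_check(extract_ticket_fixed, honest, REQUESTED_SERVER),
        "substituted/vulnerable": run_check(extract_ticket_vulnerable, substituted, REQUESTED_SERVER),
        "substituted/fixed": run_check(extract_ticket_fixed, substituted, REQUESTED_SERVER),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:24} {outcome}")
```

The substituted reply passes the pre-fix check and hands the client a session
key bound to the other service, so whatever the client then sends (in Samba's
case, a DRS replication request that can return password material) is readable
by the holder of that service's key.  The post-fix check rejects the same reply
because the name inside the integrity-protected part does not match the request.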

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  https://www.samba.org/samba/security/

Additionally, Samba 4.6.6, 4.5.12 and 4.4.15 have been issued as
security releases to correct the defect.  Samba vendors and
administrators running affected versions linked against the embedded
Heimdal Kerberos are advised to upgrade or apply the patch as soon as
possible.

==========
Workaround
==========

Samba versions built against MIT Kerberos are not impacted.  If you are
not running Samba as an AD DC, rebuild Samba using:

 ./configure --with-system-mitkrb5

=======
Credits
=======

This problem was identified in Heimdal by Jeffrey Altman, Viktor
Duchovni and Nico Williams.

Andrew Bartlett, Garming Sam and Bob Campbell of Catalyst and the
Samba Team ported the fix to Samba and wrote this advisory.


==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================
