CVE-2017-11103

Heimdal before 7.4 allows remote attackers to impersonate services with Orpheus' Lyre attacks because it obtains service-principal names in a way that violates the Kerberos 5 protocol specification. In _krb5_extract_ticket() the KDC-REP service name must be obtained from the encrypted version stored in 'enc_part' instead of the unencrypted version stored in 'ticket'. Use of the unencrypted version provides an opportunity for successful server impersonation and other attacks. NOTE: this CVE is only for Heimdal and other products that embed Heimdal code; it does not apply to other instances in which this part of the Kerberos 5 protocol specification is violated.

Published: Jul 13, 2017
Updated: Apr 13, 2023
CVE: CVE-2017-11103
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.1
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 6.8
AV:N/AC:M/Au:N/C:P/I:P/A:P

CWEs:

CWE-345

Affected Software
References

Software	From	Fixed in
heimdal_project / heimdal	-	7.4.0
samba / samba	4.0.0	4.4.15
samba / samba	4.5.0	4.5.12
samba / samba	4.6.0	4.6.6
apple / mac_os_x	-	10.13.1
apple / iphone_os	-	11.0
debian / debian_linux	8.0	8.0.x
debian / debian_linux	9.0	9.0.x
debian / debian_linux	10.0	10.0.x

Vulnerability Database

289,697

CVE-2017-11103