CVE-2017-12151
Published: 20 September 2017
A flaw was found in the way samba client before samba 4.4.16, samba 4.5.14 and samba 4.6.8 used encryption with the max protocol set as SMB3. The connection could lose the requirement for signing and encrypting to any DFS redirects, allowing an attacker to read or alter the contents of the connection via a man-in-the-middle attack.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
samba Launchpad, Ubuntu, Debian |
trusty |
Released
(2:4.3.11+dfsg-0ubuntu0.14.04.12)
|
| upstream |
Released
(4.6.8,4.5.14,4.4.16)
|
|
| xenial |
Released
(2:4.3.11+dfsg-0ubuntu0.16.04.11)
|
|
| zesty |
Released
(2:4.5.8+dfsg-0ubuntu0.17.04.7)
|
|
|
Patches: upstream: https://git.samba.org/?p=samba.git;a=commit;h=17019aa27f612f4ccc7131d40c54b26864fef444 upstream: https://git.samba.org/?p=samba.git;a=commit;h=50f649e7d0b27bcd7eaab7d8223ef9ccd99782dc upstream: https://git.samba.org/?p=samba.git;a=commit;h=282a1d122f9861b0521fa5a389ad467f8da93bd1 upstream: https://git.samba.org/?p=samba.git;a=commit;h=157f2a703bcaca9495d50cbd4d48c24b1ceed80d upstream: https://git.samba.org/?p=samba.git;a=commit;h=3157ccef61bd0698207054daf060cf2986d1d110 upstream: https://git.samba.org/?p=samba.git;a=commit;h=105cc438c6cb3dc741e861855e3fa5a94a156ff0 |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.4 |
| Attack vector | Network |
| Attack complexity | High |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | None |
| Vector | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |