Vulnerabilities > CVE-2017-11103 - Insufficient Verification of Data Authenticity vulnerability in multiple products

047910
CVSS 8.1 - HIGH
Attack vector
NETWORK
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH

Summary

Heimdal before 7.4 allows remote attackers to impersonate services with Orpheus' Lyre attacks because it obtains service-principal names in a way that violates the Kerberos 5 protocol specification. In _krb5_extract_ticket() the KDC-REP service name must be obtained from the encrypted version stored in 'enc_part' instead of the unencrypted version stored in 'ticket'. Use of the unencrypted version provides an opportunity for successful server impersonation and other attacks. NOTE: this CVE is only for Heimdal and other products that embed Heimdal code; it does not apply to other instances in which this part of the Kerberos 5 protocol specification is violated.

Vulnerable Configurations

Part Description Count
Application
Heimdal_Project
122
Application
Samba
130
OS
Freebsd
1
OS
Apple
294
OS
Debian
3

Common Attack Pattern Enumeration and Classification (CAPEC)

  • JSON Hijacking (aka JavaScript Hijacking)
    An attacker targets a system that uses JavaScript Object Notation (JSON) as a transport mechanism between the client and the server (common in Web 2.0 systems using AJAX) to steal possibly confidential information transmitted from the server back to the client inside the JSON object by taking advantage of the loophole in the browser's Same Origin Policy that does not prohibit JavaScript from one website to be included and executed in the context of another website. An attacker gets the victim to visit his or her malicious page that contains a script tag whose source points to the vulnerable system with a URL that requests a response from the server containing a JSON object with possibly confidential information. The malicious page also contains malicious code to capture the JSON object returned by the server before any other processing on it can take place, typically by overriding the JavaScript function used to create new objects. This hook allows the malicious code to get access to the creation of each object and transmit the possibly sensitive contents of the captured JSON object to the attackers' server. There is nothing in the browser's security model to prevent the attackers' malicious JavaScript code (originating from attacker's domain) to set up an environment (as described above) to intercept a JSON object response (coming from the vulnerable target system's domain), read its contents and transmit to the attackers' controlled site. The same origin policy protects the domain object model (DOM), but not the JSON.
  • Cache Poisoning
    An attacker exploits the functionality of cache technologies to cause specific data to be cached that aids the attackers' objectives. This describes any attack whereby an attacker places incorrect or harmful material in cache. The targeted cache can be an application's cache (e.g. a web browser cache) or a public cache (e.g. a DNS or ARP cache). Until the cache is refreshed, most applications or clients will treat the corrupted cache value as valid. This can lead to a wide range of exploits including redirecting web browsers towards sites that install malware and repeatedly incorrect calculations based on the incorrect value.
  • DNS Cache Poisoning
    A domain name server translates a domain name (such as www.example.com) into an IP address that Internet hosts use to contact Internet resources. An attacker modifies a public DNS cache to cause certain names to resolve to incorrect addresses that the attacker specifies. The result is that client applications that rely upon the targeted cache for domain name resolution will be directed not to the actual address of the specified domain name but to some other address. Attackers can use this to herd clients to sites that install malware on the victim's computer or to masquerade as part of a Pharming attack.
  • Cross-Site Scripting Using MIME Type Mismatch
    An attacker creates a file with scripting content but where the specified MIME type of the file is such that scripting is not expected. Some browsers will detect that the specified MIME type of the file does not match the actual type of the content and will automatically switch to using an interpreter for the real content type. If the browser does not invoke script filters before doing this, the attackers' script may run on the target unsanitized. For example, the MIME type text/plain may be used where the actual content is text/javascript or text/html. Since text does not contain scripting instructions, the stated MIME type would indicate that filtering is unnecessary. However, if the target application subsequently determines the file's real type and invokes the appropriate interpreter, scripted content could be invoked. In another example, img tags in HTML content could reference a renderable type file instead of an expected image file. The file extension and MIME type can describe an image file, but the file content can be text/javascript or text/html resulting in script execution. If the browser assumes all references in img tags are images, and therefore do not need to be filtered for scripts, this would bypass content filters. In a cross-site scripting attack, the attacker tricks the victim into accessing a URL that uploads a script file with an incorrectly specified MIME type. If the victim's browser switches to the appropriate interpreter without filtering, the attack will execute as a standard XSS attack, possibly revealing the victim's cookies or executing arbitrary script in their browser.
  • Spoofing of UDDI/ebXML Messages
    An attacker spoofs a UDDI, ebXML, or similar message in order to impersonate a service provider in an e-business transaction. UDDI, ebXML, and similar standards are used to identify businesses in e-business transactions. Among other things, they identify a particular participant, WSDL information for SOAP transactions, and supported communication protocols, including security protocols. By spoofing one of these messages an attacker could impersonate a legitimate business in a transaction or could manipulate the protocols used between a client and business. This could result in disclosure of sensitive information, loss of message integrity, or even financial fraud.

Nessus

  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2017-937.NASL
    descriptionThis update for libheimdal fixes the following issues : - Fix CVE-2017-11103: Orpheus
    last seen2020-06-05
    modified2017-08-18
    plugin id102556
    published2017-08-18
    reporterThis script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/102556
    titleopenSUSE Security Update : libheimdal (openSUSE-2017-937) (Orpheus
  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2017-195-02.NASL
    descriptionNew samba packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix a security issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id101550
    published2017-07-17
    reporterThis script is Copyright (C) 2017-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/101550
    titleSlackware 14.0 / 14.1 / 14.2 / current : samba (SSA:2017-195-02) (Orpheus
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_SECUPD2017-004.NASL
    descriptionThe remote host is running Mac OS X 10.11.6 or Mac OS X 10.12.6 and is missing a security update. It is therefore, affected by multiple vulnerabilities affecting the following components : - 802.1X - apache - AppleScript - ATS - Audio - CFString - CoreText - curl - Dictionary Widget - file - Fonts - fsck_msdos - HFS - Heimdal - HelpViewer - ImageIO - Kernel - libarchive - Open Scripting Architecture - PCRE - Postfix - Quick Look - QuickTime - Remote Management - Sandbox - StreamingZip - tcpdump - Wi-Fi
    last seen2020-06-01
    modified2020-06-02
    plugin id104379
    published2017-11-03
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104379
    titlemacOS and Mac OS X Multiple Vulnerabilities (Security Update 2017-001 and 2017-004)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3353-2.NASL
    descriptionUSN-3353-1 fixed a vulnerability in Heimdal. This update provides the corresponding update for Samba. Jeffrey Altman, Viktor Dukhovni, and Nicolas Williams discovered that Samba clients incorrectly trusted unauthenticated portions of Kerberos tickets. A remote attacker could use this to impersonate trusted network servers or perform other attacks. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id101770
    published2017-07-17
    reporterUbuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101770
    titleUbuntu 14.04 LTS / 16.04 LTS / 16.10 / 17.04 : samba vulnerability (USN-3353-2) (Orpheus
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-2AFE501B36.NASL
    descriptionUpdate to 7.4.0 GA release (CVE-2017-11103) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-07-24
    plugin id101915
    published2017-07-24
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101915
    titleFedora 26 : heimdal (2017-2afe501b36) (Orpheus
  • NASL familyMacOS X Local Security Checks
    NASL idMACOS_10_13.NASL
    descriptionThe remote host is running a version of Mac OS X that is prior to 10.10.5, 10.11.x prior to 10.11.6, 10.12.x prior to 10.12.6, or is not macOS 10.13. It is, therefore, affected by multiple vulnerabilities in the following components : - apache - AppSandbox - AppleScript - Application Firewall - ATS - Audio - CFNetwork - CFNetwork Proxies - CFString - Captive Network Assistant - CoreAudio - CoreText - DesktopServices - Directory Utility - file - Fonts - fsck_msdos - HFS - Heimdal - HelpViewer - IOFireWireFamily - ImageIO - Installer - Kernel - kext tools - libarchive - libc - libexpat - Mail - Mail Drafts - ntp - Open Scripting Architecture - PCRE - Postfix - Quick Look - QuickTime - Remote Management - SQLite - Sandbox - Screen Lock - Security - Spotlight - WebKit - zlib Note that successful exploitation of the most serious issues can result in arbitrary code execution.
    last seen2020-06-01
    modified2020-06-02
    plugin id103598
    published2017-10-03
    reporterThis script is Copyright (C) 2017-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/103598
    titlemacOS < 10.13 Multiple Vulnerabilities
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-2237-1.NASL
    descriptionThis update provides Samba 4.6.7, which fixes the following issues : - CVE-2017-11103: Metadata were being taken from the unauthenticated plaintext (the Ticket) rather than the authenticated and encrypted KDC response. (bsc#1048278) - Fix cephwrap_chdir(). (bsc#1048790) - Fix ctdb logs to /var/log/log.ctdb instead of /var/log/ctdb. (bsc#1048339) - Fix inconsistent ctdb socket path. (bsc#1048352) - Fix non-admin cephx authentication. (bsc#1048387) - CTDB cannot start when there is no persistent database. (bsc#1052577) The CTDB resource agent was also fixed to not fail when the database is empty. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id102696
    published2017-08-23
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102696
    titleSUSE SLED12 / SLES12 Security Update : samba / resource-agents (SUSE-SU-2017:2237-1) (Orpheus
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-3909.NASL
    descriptionJeffrey Altman, Viktor Duchovni and Nico Williams identified a mutual authentication bypass vulnerability in samba, the SMB/CIFS file, print, and login server. Also known as Orpheus
    last seen2020-06-01
    modified2020-06-02
    plugin id101554
    published2017-07-17
    reporterThis script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101554
    titleDebian DSA-3909-1 : samba - security update (Orpheus
  • NASL familyMisc.
    NASL idSAMBA_4_6_6.NASL
    descriptionThe version of Samba running on the remote host is 4.4.x prior to 4.4.15, 4.5.x prior to 4.5.12, or 4.6.x prior to 4.6.6. It is, therefore, affected by a logic flaw in the Heimdal implementation of Kerberos, specifically within the _krb5_extract_ticket() function within lib/krb5/ticket.c, due to the unsafe use of cleartext metadata from an unauthenticated ticket instead of the encrypted version stored in the Key Distribution Center (KDC) response. A man-in-the-middle attacker can exploit this issue to impersonate Kerberos services. This can potentially result in a privilege escalation or the theft of credentials. Note that Samba versions built against MIT Kerberos are not impacted by this issue. Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id101773
    published2017-07-17
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101773
    titleSamba 4.4.x < 4.4.15 / 4.5.x < 4.5.12 / 4.6.x < 4.6.6 KDC-REP Service Name Validation (Orpheus
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1027.NASL
    descriptionJeffrey Altman, Viktor Duchovni and Nico Williams identified a mutual authentication bypass vulnerability in Heimdal Kerberos. Also known as Orpheus
    last seen2020-03-17
    modified2017-07-17
    plugin id101553
    published2017-07-17
    reporterThis script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/101553
    titleDebian DLA-1027-1 : heimdal security update (Orpheus
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2017-987.NASL
    descriptionThis update provides Samba 4.6.7, which fixes the following issues : - CVE-2017-11103: Metadata were being taken from the unauthenticated plaintext (the Ticket) rather than the authenticated and encrypted KDC response. (bsc#1048278) - Fix cephwrap_chdir(). (bsc#1048790) - Fix ctdb logs to /var/log/log.ctdb instead of /var/log/ctdb. (bsc#1048339) - Fix inconsistent ctdb socket path. (bsc#1048352) - Fix non-admin cephx authentication. (bsc#1048387) - CTDB cannot start when there is no persistent database. (bsc#1052577) The CTDB resource agent was also fixed to not fail when the database is empty. This update was imported from the SUSE:SLE-12-SP3:Update update project.
    last seen2020-06-05
    modified2017-08-31
    plugin id102849
    published2017-08-31
    reporterThis script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/102849
    titleopenSUSE Security Update : samba and resource-agents (openSUSE-2017-987) (Orpheus
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_85851E4F67D911E7BC3700505689D4AE.NASL
    descriptionThe samba project reports : A MITM attacker may impersonate a trusted server and thus gain elevated access to the domain by returning malicious replication or authorization data.
    last seen2020-06-01
    modified2020-06-02
    plugin id101541
    published2017-07-14
    reporterThis script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101541
    titleFreeBSD : samba -- Orpheus Lyre mutual authentication validation bypass (85851e4f-67d9-11e7-bc37-00505689d4ae) (Orpheus
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3353-1.NASL
    descriptionJeffrey Altman, Viktor Dukhovni, and Nicolas Williams discovered that Heimdal clients incorrectly trusted unauthenticated portions of Kerberos tickets. A remote attacker could use this to impersonate trusted network services or perform other attacks. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id101769
    published2017-07-17
    reporterUbuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101769
    titleUbuntu 14.04 LTS / 16.04 LTS / 16.10 / 17.04 : heimdal vulnerability (USN-3353-1) (Orpheus
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-3912.NASL
    descriptionJeffrey Altman, Viktor Dukhovni, and Nicolas Williams reported that Heimdal, an implementation of Kerberos 5 that aims to be compatible with MIT Kerberos, trusts metadata taken from the unauthenticated plaintext (Ticket), rather than the authenticated and encrypted KDC response. A man-in-the-middle attacker can use this flaw to impersonate services to the client. See https://orpheus-lyre.info/ for details.
    last seen2020-06-01
    modified2020-06-02
    plugin id101557
    published2017-07-17
    reporterThis script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101557
    titleDebian DSA-3912-1 : heimdal - security update (Orpheus
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-5D6A9E0C9C.NASL
    descriptionUpdate to 7.4.0 GA release (CVE-2017-11103) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-07-24
    plugin id101917
    published2017-07-24
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101917
    titleFedora 25 : heimdal (2017-5d6a9e0c9c) (Orpheus