Vulnetix
Try Vulnetix Request Demo
ALPINE-CVE-2017-11103 PUBLISHED CVSS 8.100000381469727 HIGH

Heimdal before 7.4 allows remote attackers to impersonate services with Orpheus' Lyre attacks because it obtains service-principal names in a way that violates the Kerberos 5 protocol specification. In _krb5_extract_ticket() the KDC-REP service name must be obtained from the encrypted version stored in 'enc_part' instead of the unencrypted version stored in 'ticket'. Use of the unencrypted version provides an opportunity for successful server impersonation and other attacks. NOTE: this CVE is only for Heimdal and other products that embed Heimdal code; it does not apply to other instances in which this part of the Kerberos 5 protocol specification is violated.

Risk Scores

CVSS v3.1
8.100000381469727
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersions
Alpine:v3.13heimdal1.5.2-r7, 1.5.2-r6, 1.5.2-r5
Alpine:v3.6heimdal1.5.2-r4, 1.3.1-r5, 1.3.3-r0
Alpine:v3.17heimdal1.2.1-r2, 7.1.0-r1, 7.1.0-r0
Alpine:v3.15heimdal0, 1.2.1-r0, 1.2.1-r1
Alpine:v3.23heimdal1.4-r11, 7.1.0-r1, 7.1.0-r0
Alpine:v3.20heimdal1.3.1-r5, 1.3.1-r4, 1.3.1-r3
Alpine:v3.6samba0, 4.2.1-r1, 3.2.11-r0
Alpine:v3.16heimdal1.5.2-r8, 1.5.3-r0, 1.5.3-r1
Alpine:v3.4samba4.1.7-r0, 0, 3.2.10-r0
Alpine:v3.9heimdal1.4-r6, 1.4-r5, 1.4-r4
Alpine:v3.4heimdal1.5.2-r6, 1.5.2-r7, 1.5.2-r8
Alpine:v3.8heimdal1.4-r0, 1.3.3-r0, 1.3.1-r5
Alpine:v3.10heimdal1.4-r7, 1.3.1-r0, 1.2.1-r4
Alpine:v3.19heimdal1.5.3-r1, 1.5.3-r0, 1.5.2-r8
Alpine:v3.21heimdal0, 0, 1.2.1-r0
Alpine:v3.5samba3.4.3-r1, 3.3.8-r0, 3.3.7-r4
Alpine:v3.7heimdal1.4-r8, 1.6_rc2-r5, 7.1.0-r0
Alpine:v3.5heimdal1.5.2-r7, 1.6_rc2-r5, 1.6_rc2-r4
Alpine:v3.22heimdal1.2.1-r2, 1.2.1-r1, 1.2.1-r0
Alpine:v3.3samba3.6.15-r0, 0, 3.2.10-r0

…and 5 more

Timeline

References

Open in Interactive Console →