VDB-107075 · CVE-2017-12151 · BID 100917

Samba up to 4.4.15/4.5.12/4.6.7 DFS cryptographic issues

A vulnerability, which was classified as critical, has been found in Samba up to 4.4.15/4.5.12/4.6.7 (File Transfer Software). This issue affects an unknown part of the component DFS. Upgrading to version 4.4.16, 4.5.14 or 4.6.8 eliminates this vulnerability. A possible mitigation has been published 3 weeks after the disclosure of the vulnerability.

Field	11/19/2019 10:27 AM	01/14/2021 11:25 AM	01/14/2021 11:30 AM
type	File Transfer Software	File Transfer Software	File Transfer Software
name	Samba	Samba	Samba
version	<=4.4.15/4.5.12/4.6.7	<=4.4.15/4.5.12/4.6.7	<=4.4.15/4.5.12/4.6.7
component	DFS	DFS	DFS
cwe	310 (weak encryption)	310 (weak encryption)	310 (weak encryption)
risk	2	2	2
historic	0	0	0
cvss2_vuldb_basescore	6.8	6.8	6.8
cvss2_vuldb_tempscore	5.9	5.9	5.9
cvss2_vuldb_av	N	N	N
cvss2_vuldb_ac	M	M	M
cvss2_vuldb_au	N	N	N
cvss2_vuldb_ci	P	P	P
cvss2_vuldb_ii	P	P	P
cvss2_vuldb_ai	P	P	P
cvss2_nvd_av	N	N	N
cvss2_nvd_ac	M	M	M
cvss2_nvd_au	N	N	N
cvss2_nvd_ci	P	P	P
cvss2_nvd_ii	P	P	P
cvss2_nvd_ai	N	N	N
cvss3_meta_basescore	6.5	6.5	6.5
cvss3_meta_tempscore	6.2	6.2	6.2
cvss3_vuldb_basescore	5.6	5.6	5.6
cvss3_vuldb_tempscore	5.4	5.4	5.4
cvss3_vuldb_av	N	N	N
cvss3_vuldb_ac	H	H	H
cvss3_vuldb_pr	N	N	N
cvss3_vuldb_ui	N	N	N
cvss3_vuldb_s	U	U	U
cvss3_vuldb_c	L	L	L
cvss3_vuldb_i	L	L	L
cvss3_vuldb_a	L	L	L
cvss3_nvd_av	N	N	N
cvss3_nvd_ac	H	H	H
cvss3_nvd_pr	N	N	N
cvss3_nvd_ui	N	N	N
cvss3_nvd_s	U	U	U
cvss3_nvd_c	H	H	H
cvss3_nvd_i	H	H	H
cvss3_nvd_a	N	N	N
date	1505952000 (09/21/2017)	1505952000 (09/21/2017)	1505952000 (09/21/2017)
location	Website	Website	Website
type	Advisory	Advisory	Advisory
url	https://www.samba.org/samba/security/CVE-2017-12150.html	https://www.samba.org/samba/security/CVE-2017-12150.html	https://www.samba.org/samba/security/CVE-2017-12150.html
disputed	0	0	0
price_0day	$0-$5k	$0-$5k	$0-$5k
name	Upgrade	Upgrade	Upgrade
upgrade_version	4.4.16/4.5.14/4.6.8	4.4.16/4.5.14/4.6.8	4.4.16/4.5.14/4.6.8
cve	CVE-2017-12151	CVE-2017-12151	CVE-2017-12151
cve_nvd_published	1532642400	1532642400	1532642400
oval_id	oval:org.cisecurity:def:3313	oval:org.cisecurity:def:3313	oval:org.cisecurity:def:3313
securityfocus	100917	100917	100917
securityfocus_title	Samba CVE-2017-12151 Man in the Middle Security Bypass Vulnerability	Samba CVE-2017-12151 Man in the Middle Security Bypass Vulnerability	Samba CVE-2017-12151 Man in the Middle Security Bypass Vulnerability
sectracker	1039401	1039401	1039401
sectracker_date	1505952000 (09/21/2017)	1505952000 (09/21/2017)	1505952000 (09/21/2017)
sectracker_cause	Access control error	Access control error	Access control error
nessus_id	103801	103801	103801
nessus_name	openSUSE Security Update : samba (openSUSE-2017-1147)	openSUSE Security Update : samba (openSUSE-2017-1147)	openSUSE Security Update : samba (openSUSE-2017-1147)
nessus_filename	openSUSE-2017-1147.nasl	openSUSE-2017-1147.nasl	openSUSE-2017-1147.nasl
nessus_risk	Medium	Medium	Medium
nessus_family	SuSE Local Security Checks	SuSE Local Security Checks	SuSE Local Security Checks
nessus_type	local	local	local
nessus_date	1507766400 (10/12/2017)	1507766400 (10/12/2017)	1507766400 (10/12/2017)
openvas_id	53754	53754	53754
openvas_filename	deb_3983.nasl	deb_3983.nasl	deb_3983.nasl
openvas_title	Debian Security Advisory DSA 3983-1 (samba - security update)	Debian Security Advisory DSA 3983-1 (samba - security update)	Debian Security Advisory DSA 3983-1 (samba - security update)
openvas_family	Debian Local Security Checks	Debian Local Security Checks	Debian Local Security Checks
qualys_id	236503	236503	236503
qualys_title	Red Hat Update for samba (RHSA-2017:2790)	Red Hat Update for samba (RHSA-2017:2790)	Red Hat Update for samba (RHSA-2017:2790)
seealso	107074 107076	107074 107076	107074 107076
cvss2_vuldb_e	ND	ND	ND
cvss2_vuldb_rl	OF	OF	OF
cvss2_vuldb_rc	C	C	C
cvss3_vuldb_e	X	X	X
cvss3_vuldb_rl	O	O	O
cvss3_vuldb_rc	C	C	C
reaction_days	20	20	20
exposure_days	20	20	20
cvss3_nvd_basescore	7.4	7.4	7.4
discoverydate	1505952000	1505952000	1505952000
person_name	Stefan Metzmacher	Stefan Metzmacher	Stefan Metzmacher
confirm_url	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-12151	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-12151	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-12151
date	1507680000 (10/11/2017)	1507680000 (10/11/2017)	1507680000 (10/11/2017)
cve_assigned	1501545600	1501545600	1501545600
securityfocus_date	1505865600 (09/20/2017)	1505865600 (09/20/2017)	1505865600 (09/20/2017)
securityfocus_class	Design Error	Design Error	Design Error
cve_nvd_summary		A flaw was found in the way samba client before samba 4.4.16, samba 4.5.14 and samba 4.6.8 used encryption with the max protocol set as SMB3. The connection could lose the requirement for signing and encrypting to any DFS redirects, allowing an attacker to read or alter the contents of the connection via a man-in-the-middle attack.	A flaw was found in the way samba client before samba 4.4.16, samba 4.5.14 and samba 4.6.8 used encryption with the max protocol set as SMB3. The connection could lose the requirement for signing and encrypting to any DFS redirects, allowing an attacker to read or alter the contents of the connection via a man-in-the-middle attack.
cvss2_nvd_basescore		5.8	5.8
cve_cna			Red Hat, Inc.

◂ Previous Overview Next ▸

Do you know our Splunk app?

Download it now for free!