PT-2017-4076 · Heimdal+5
Jeffrey Altman +2
Published 2017-07-12 · Updated 2024-06-15
CVE-2017-11103
CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Heimdal versions prior to 7.4
Description
The issue lies in the `_krb5_extract_ticket()` function, which obtains service-principal names in a way that violates the Kerberos 5 protocol specification. This allows remote attackers to impersonate services with Orpheus' Lyre attacks. The problem arises because the function uses the unencrypted version of the service name stored in `ticket` instead of the encrypted version stored in `enc_part`. This provides an opportunity for successful server impersonation and other attacks.
Recommendations
For Heimdal versions prior to 7.4, update to version 7.4 or later to resolve the issue. As a temporary workaround, consider modifying the `_krb5_extract_ticket()` function to obtain the KDC-REP service name from the encrypted version stored in `enc_part` instead of the unencrypted version stored in `ticket`. Restrict access to sensitive data and services until the update is applied to minimize the risk of exploitation.
Exploit
Fix
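The defect and the recommended change, modelled on a constructed KDC-REP (an added example, not Heimdal's code; the key, principal names and the HMAC stand-in for encryption are assumptions). The vulnerable extractor returns whatever the unprotected `ticket` copy says, the fixed one returns the name from `enc_part`, and a mismatch check flags a reply whose two copies disagree:

```python
"""Model of the name-extraction defect behind CVE-2017-11103 (constructed, not Heimdal's code).

A KDC-REP carries the service name twice: in cleartext inside 'ticket', which
the client cannot verify (the ticket is encrypted to the service), and inside
'enc_part', which is encrypted to the client.  The pre-7.4 extractor used the
cleartext copy; the fix uses the protected one.  Encryption of enc_part is
modelled here by an HMAC-SHA256 tag under the client's key.
"""
import hashlib
import hmac
import json

TAG_LEN = 32

def seal(key: bytes, fields: dict) -> bytes:
    """KDC side: protect enc_part with a key only client and KDC hold."""
    body = json.dumps(fields, sort_keys=True).encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Client side: recover enc_part; any modification is rejected."""
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        raise ValueError("enc_part integrity check failed")
    return json.loads(body)

def make_kdc_rep(client_key: bytes, sname: str, realm: str) -> dict:
    """Honest KDC reply: both copies of the service name agree."""
    return {
        "ticket": {"sname": sname, "realm": realm},  # cleartext, unprotected
        "enc_part": seal(client_key, {"sname": sname, "srealm": realm}),
    }

def extract_ticket_vulnerable(rep: dict, client_key: bytes) -> str:
    """Pre-7.4 behaviour: enc_part is checked, but the name is read from 'ticket'."""
    unseal(client_key, rep["enc_part"])
    return rep["ticket"]["sname"]

def extract_ticket_fixed(rep: dict, client_key: bytes) -> str:
    """Fixed behaviour: the name is read from the protected enc_part."""
    return unseal(client_key, rep["enc_part"])["sname"]

def cleartext_name_mismatch(rep: dict, client_key: bytes) -> bool:
    """Detection aid: True when the unprotected copy disagrees with enc_part."""
    return rep["ticket"]["sname"] != unseal(client_key, rep["enc_part"])["sname"]
```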
Weakness Enumeration
Insufficient Verification of Data Authenticity
Related Identifiers
Affected Products
Alt Linux
FreeBSD
Heimdal
Samba
SUSE
Ubuntu