CVE-2017-12151 Information

Description

A flaw was found in the way samba client before samba 4.4.16 samba 4.5.14 and samba 4.6.8 used encryption with the max protocol set as SMB3. The connection could lose the requirement for signing and encrypting to any DFS redirects allowing an attacker to read or alter the contents of the connection via a man-in-the-middle attack.

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Reference

http://www.securityfocus.com/bid/100917 http://www.securitytracker.com/id/1039401 https://access.redhat.com/errata/RHSA-2017:2790 https://access.redhat.com/errata/RHSA-2017:2858 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-12151 https://security.netapp.com/advisory/ntap-20170921-0001/ https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03817en_us https://www.debian.org/security/2017/dsa-3983 https://www.samba.org/samba/security/CVE-2017-12151.html

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

NONE

Base Severity

7.4