[3.6] heimdal: Orpheus' Lyre KDC-REP service name validation (CVE-2017-11103)
Heimdal before 7.4 allows remote attackers to impersonate services with Orpheus' Lyre attacks because it obtains service-principal names in a way that violates the Kerberos 5 protocol specification. In _krb5_extract_ticket() the KDC-REP service name must be obtained from the encrypted version stored in 'enc_part' instead of the unencrypted version stored in 'ticket'. Use of the unencrypted version provides an opportunity for successful server impersonation and other attacks. NOTE: this CVE is only for Heimdal and other products that embed Heimdal code; it does not apply to other instances in which this part of the Kerberos 5 protocol specification is violated.
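Added illustration (Python, not Heimdal's code and not the patched function): a toy model of the two KDC-REP fields the advisory contrasts. The service name in the cleartext Ticket is readable and rewritable by anyone on the path, so a client that takes the name from there binds nothing; the name inside enc_part is sealed for the client, so a client that takes it from there only accepts a name the KDC actually vouched for. Sealing is modelled as an HMAC tag alone (confidentiality is omitted because only integrity matters for this bug), the structure names follow RFC 4120 in simplified form, and every key and principal name is a constructed sample value.

```python
"""Toy model of the CVE-2017-11103 fix: take the service principal from the
integrity-protected EncKDCRepPart, never from the cleartext Ticket.

Added illustration, not Heimdal code. Field names follow RFC 4120 in
simplified form; enc_part sealing is modelled as an HMAC tag only."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class Ticket:
    realm: str        # cleartext: readable and rewritable on the path
    sname: str        # cleartext service name (the field the old code trusted)
    enc_part: bytes   # EncTicketPart, sealed for the service; opaque to the client


@dataclass
class KdcRep:
    ticket: Ticket
    enc_part: bytes   # EncKDCRepPart, sealed for the client; carries srealm/sname


@dataclass
class EncKdcRepPart:
    srealm: str
    sname: str


def seal(key: bytes, part: EncKdcRepPart) -> bytes:
    """KDC side: enc_part = payload || HMAC-SHA256(key, payload)."""
    payload = f"{part.srealm}\x00{part.sname}".encode()
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def open_enc_part(key: bytes, blob: bytes) -> EncKdcRepPart:
    """Client side: verify the tag first, then parse. Raises on any tampering."""
    payload, tag = blob[:-32], blob[-32:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("enc_part integrity check failed")
    srealm, sname = payload.decode().split("\x00", 1)
    return EncKdcRepPart(srealm, sname)


def service_principal_pre_7_4(rep: KdcRep) -> tuple:
    """Behaviour the advisory describes as wrong: trust the cleartext Ticket."""
    return rep.ticket.realm, rep.ticket.sname


def service_principal_fixed(rep: KdcRep, client_key: bytes) -> tuple:
    """Behaviour after the fix: only the verified EncKDCRepPart decides."""
    part = open_enc_part(client_key, rep.enc_part)
    return part.srealm, part.sname


def cleartext_name_matches(rep: KdcRep, client_key: bytes) -> bool:
    """Defender check: with an honest KDC and an untouched path the two names
    agree, so a mismatch is worth logging even after the fix is applied."""
    return service_principal_pre_7_4(rep) == service_principal_fixed(rep, client_key)


def demo() -> dict:
    # Constructed sample values; the client asked for host/db.example.com.
    client_key = b"constructed-client-session-key"
    kdc_part = EncKdcRepPart("EXAMPLE.COM", "host/db.example.com")
    genuine = KdcRep(
        ticket=Ticket("EXAMPLE.COM", "host/db.example.com", b"<opaque EncTicketPart>"),
        enc_part=seal(client_key, kdc_part),
    )
    # The same reply after its cleartext Ticket fields were rewritten in transit;
    # enc_part is untouched, so it still verifies under the client's key.
    rewritten = KdcRep(
        ticket=Ticket("EXAMPLE.COM", "host/other.example.com", b"<opaque EncTicketPart>"),
        enc_part=genuine.enc_part,
    )
    return {
        "old_on_rewritten": service_principal_pre_7_4(rewritten),
        "fixed_on_rewritten": service_principal_fixed(rewritten, client_key),
        "genuine_consistent": cleartext_name_matches(genuine, client_key),
        "rewritten_consistent": cleartext_name_matches(rewritten, client_key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the module prints the four results: the pre-7.4 path reports the rewritten cleartext name, the fixed path reports the KDC-vouched name regardless of what the cleartext Ticket says, and the consistency check flags the rewritten reply while passing the genuine one.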
References:
https://nvd.nist.gov/vuln/detail/CVE-2017-11103
https://orpheus-lyre.info
https://www.freebsd.org/security/advisories/FreeBSD-SA-17:05.heimdal.asc
Patch:
https://github.com/heimdal/heimdal/commit/6dd3eb836bbb80a00ffced4ad57077a1cdf227ea
(from redmine: issue id 7539, created on 2017-07-17, closed on 2017-08-10)
- Relations:
  - parent #7537 (closed)
- Changesets:
  - Revision 7ecc0576 on 2017-07-18T09:11:15Z:
    main/heimdal: security fix CVE-2017-11103
    Fixes #7539