samba: Orpheus' Lyre mutual authentication validation bypass (CVE-2017-11103 (Heimdal))
All versions of Samba from 4.0.0 include an embedded copy of Heimdal
Kerberos. Heimdal has made a security release, which disclosed:
This is a critical vulnerability.
In _krb5_extract_ticket() the KDC-REP service name must be obtained
from the encrypted version stored in ‘enc_part’ instead of the
unencrypted version stored in ‘ticket’. Use of the unencrypted version
provides an opportunity for successful server impersonation and other
attacks.
The impact for Samba is particularly strong for cases where the Samba
DRS replication service contacts another DC requesting replication
of user passwords, as these could then be controlled by the attacker.
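As an added illustration (not code from Heimdal or Samba), the following Python model of the client-side KDC-REP check contrasts the pre-fix and post-fix logic: the vulnerable variant reads the service name from the cleartext ‘ticket’, the fixed variant only from the sealed ‘enc_part’. Kerberos encryption is stood in for by an HMAC-protected JSON blob, and the key, names and response layout are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed model (not Heimdal code) of the two KDC-REP fields relevant
# to CVE-2017-11103: 'ticket' carries a cleartext service name the client
# cannot verify, while 'enc_part' is sealed under the key the client shares
# with the KDC, so only a genuine KDC reply carries a valid one.
CLIENT_KEY = b"constructed-client-kdc-shared-key"

def seal(key: bytes, fields: dict) -> bytes:
    """Stand-in for Kerberos encryption with integrity: HMAC-SHA256 || JSON."""
    body = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).digest() + body

def unseal(key: bytes, blob: bytes) -> dict:
    """Like a decrypt under the wrong key, anything not sealed by CLIENT_KEY fails."""
    tag, body = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("enc_part integrity check failed")
    return json.loads(body)

def kdc_rep(ticket_sname: str, enc_sname: str) -> dict:
    """Build a KDC-REP whose cleartext 'ticket' name may disagree with the sealed one."""
    return {
        "ticket": {"sname": ticket_sname},
        "enc_part": seal(CLIENT_KEY, {"sname": enc_sname, "key": "session-key"}),
    }

def extract_ticket_vulnerable(rep: dict, requested_sname: str) -> bool:
    # Pre-fix behaviour: trusts the name read from the unencrypted 'ticket'.
    return rep["ticket"]["sname"] == requested_sname

def extract_ticket_fixed(rep: dict, requested_sname: str) -> bool:
    # Post-fix behaviour: unseal enc_part and compare only the name found there.
    enc = unseal(CLIENT_KEY, rep["enc_part"])
    return enc["sname"] == requested_sname

if __name__ == "__main__":
    # Constructed scenario: the client asked for the LDAP service on a DC, but
    # the reply it received has its cleartext 'ticket' name rewritten to match,
    # while the sealed part still names a different service.
    wanted = "ldap/dc1.example.test"
    tampered = kdc_rep(wanted, "host/other.example.test")
    print(extract_ticket_vulnerable(tampered, wanted))  # True: accepted
    print(extract_ticket_fixed(tampered, wanted))       # False: rejected
```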
References
https://www.samba.org/samba/security/
https://www.samba.org/samba/security/CVE-2017-11103.html
https://www.orpheus-lyre.info
(from redmine: issue id 7606, created on 2017-07-26)