Lucene search

K
cveRedhatCVE-2018-16860
HistoryJul 31, 2019 - 3:15 p.m.

CVE-2018-16860

2019-07-3115:15:11
CWE-358
redhat
web.nvd.nist.gov
388
cve-2018-16860
samba
heimdal kdc
ad dc mode
security flaw
man-in-the-middle attack

CVSS2

6

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:S/C:P/I:P/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

6.2

Confidence

High

EPSS

0.003

Percentile

70.9%

A flaw was found in samba’s Heimdal KDC implementation, versions 4.8.x up to, excluding 4.8.12, 4.9.x up to, excluding 4.9.8 and 4.10.x up to, excluding 4.10.3, when used in AD DC mode. A man in the middle attacker could use this flaw to intercept the request to the KDC and replace the user name (principal) in the request with any desired user name (principal) that exists in the KDC effectively obtaining a ticket for that principal.

Affected configurations

Nvd
Vulners
Node
sambasambaRange4.8.04.8.12
OR
sambasambaRange4.9.04.9.8
OR
sambasambaRange4.10.04.10.3
Node
heimdal_projectheimdalRange0.87.5.0
VendorProductVersionCPE
sambasamba*cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:*
sambasamba*cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:*
sambasamba*cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:*
sambasamba*cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:*
sambasamba*cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:*
sambasamba*cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "product": "samba",
    "vendor": "SAMBA",
    "versions": [
      {
        "status": "affected",
        "version": "4.8.x up to, excluding 4.8.12"
      },
      {
        "status": "affected",
        "version": "4.9.x up to, excluding 4.9.8"
      },
      {
        "status": "affected",
        "version": "4.10.x up to, excluding 4.10.3"
      }
    ]
  }
]

CVSS2

6

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:S/C:P/I:P/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

6.2

Confidence

High

EPSS

0.003

Percentile

70.9%