CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
92.2%
A user in a Samba AD domain can crash the KDC when Samba is built in
the non-default MIT Kerberos configuration.
With this advisory we clarify that the MIT Kerberos build of the Samba
AD DC is considered experimental. Therefore the Samba Team will not
issue security patches for this configuration.
Patches addressing parts of this issue have been posted to:
https://bugzilla.samba.org/show_bug.cgi?id=13571
Additionally, Samba 4.7.12, 4.8.7 and 4.9.3 have been issued as
security releases to prevent building of the AD DC with MIT Kerberos
unless --with-experimental-mit-ad-dc is specified to the configure
command. Samba administrators are advised to recompile Samba with the
default internal Heimdal Kerberos build as soon as possible by
removing --with-system-mitkrb5 from the configure command and
rebuilding Samba.
The default Heimdal build of Samba is not vulnerable.
Originally reported by Isaac Boukris.
Patches to disable the build provided by Andrew Bartlett of Catalyst
and the Samba team.
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
92.2%