CVE Vulnerabilities

CVE-2017-12150

Channel Accessible by Non-Endpoint

Published: Jul 26, 2018 | Modified: Nov 21, 2024
CVSS 3.x
7.4
HIGH
Source:
NVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CVSS 2.x
5.8 MEDIUM
AV:N/AC:M/Au:N/C:P/I:P/A:N
RedHat/V2
RedHat/V3
7.4 MODERATE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Ubuntu
MEDIUM

It was found that samba before 4.4.16, 4.5.x before 4.5.14, and 4.6.x before 4.6.8 did not enforce SMB signing when certain configuration options were enabled. A remote attacker could launch a man-in-the-middle attack and retrieve information in plain-text.

Weakness

The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.

Affected Software

Name Vendor Start Version End Version
Samba Samba 3.0.25 (including) 4.4.16 (excluding)
Samba Samba 4.5.0 (including) 4.5.14 (excluding)
Samba Samba 4.6.0 (including) 4.6.8 (excluding)
Red Hat Enterprise Linux 6 RedHat samba-0:3.6.23-45.el6_9 *
Red Hat Enterprise Linux 6 RedHat samba4-0:4.2.10-11.el6_9 *
Red Hat Enterprise Linux 7 RedHat samba-0:4.6.2-11.el7_4 *
Red Hat Gluster Storage 3.3 for RHEL 6 RedHat samba-0:4.6.3-6.el6rhs *
Red Hat Gluster Storage 3.3 for RHEL 7 RedHat samba-0:4.6.3-6.el7rhgs *
Samba Ubuntu artful *
Samba Ubuntu devel *
Samba Ubuntu trusty *
Samba Ubuntu upstream *
Samba Ubuntu xenial *
Samba Ubuntu zesty *

Potential Mitigations

References