
CVE-2017-12151

Published: Jul 27, 2018 | Modified: Oct 09, 2019

CVSS 3.x (source: NVD): 7.4 HIGH
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CVSS 2.x: 5.8 MEDIUM
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N
RedHat/V2: (no score given)
RedHat/V3: 7.4 MODERATE
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Ubuntu: MEDIUM

A flaw was found in the way the Samba client (versions before 4.4.16, 4.5.14 and 4.6.8) used encryption when the max protocol was set to SMB3. When the connection followed a DFS redirect, the requirement for signing and encryption could be dropped for the redirected connection, allowing a man-in-the-middle attacker to read or alter the contents of that connection.

Affected Software

Name                                     Vendor   Start Version             End Version
Samba                                    Samba    *                         4.4.16 (excluding)
Samba                                    Samba    4.5.0 (including)         4.5.14 (excluding)
Samba                                    Samba    4.6.0 (including)         4.6.8 (excluding)
Red Hat Enterprise Linux 7               RedHat   samba-0:4.6.2-11.el7_4    *
Red Hat Gluster Storage 3.3 for RHEL 6   RedHat   samba-0:4.6.3-6.el6rhs    *
Red Hat Gluster Storage 3.3 for RHEL 7   RedHat   samba-0:4.6.3-6.el7rhgs   *
Samba                                    Ubuntu   devel                     *
Samba                                    Ubuntu   trusty                    *
Samba                                    Ubuntu   upstream                  *
Samba                                    Ubuntu   xenial                    *
Samba                                    Ubuntu   zesty                     *

References