Synology-SA-17:31 Samba

Publish Time: 2017-07-14 00:00:00 UTC+8

Last Updated: 2017-09-19 13:38:06 UTC+8

Severity: Important

Status: Resolved

Abstract

CVE-2017-11103 allows attackers who have control of the network between a client and the service to impersonate a Samba service and steal sensitive data.

Affected

  • Products
    • DSM 6.1
    • DSM 6.0
    • DSM 5.2
    • DSM 5.1
    • SRM 1.1
  • Models
    • All Synology models

Description

Heimdal before 7.4 allows remote attackers to impersonate services with Orpheus' Lyre attacks because it obtains service-principal names in a way that violates the Kerberos 5 protocol specification. In _krb5_extract_ticket() the KDC-REP service name must be obtained from the encrypted version stored in 'enc_part' instead of the unencrypted version stored in 'ticket'. Use of the unencrypted version provides an opportunity for successful server impersonation and other attacks. NOTE: this CVE is only for Heimdal and other products that embed Heimdal code; it does not apply to other instances in which this part of the Kerberos 5 protocol specification is violated.
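The difference between the two sources of the service name, as an added example (not Heimdal's or Synology's code). The struct, enum and function names are hypothetical, the principals are constructed sample data, and reporting a disagreement between the plaintext and encrypted names is this example's assumption.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified model of a KDC-REP; not Heimdal's real types. */
struct principal { const char *realm; const char *name; };
struct kdc_rep {
    struct principal ticket_server;   /* plaintext 'ticket' field: modifiable in transit */
    struct principal enc_part_server; /* decrypted 'enc_part' field: protected by the reply key */
};
enum verdict { REPLY_OK, REPLY_SERVER_MISMATCH, REPLY_PLAINTEXT_DIFFERS };

static int same_principal(const struct principal *a, const struct principal *b) {
    if (!a->realm || !a->name || !b->realm || !b->name) return 0; /* missing field never matches */
    return strcmp(a->realm, b->realm) == 0 && strcmp(a->name, b->name) == 0;
}

/* Flawed pattern from the description: trusts the unencrypted name. */
enum verdict check_reply_unsafe(const struct principal *req, const struct kdc_rep *rep) {
    return same_principal(req, &rep->ticket_server) ? REPLY_OK : REPLY_SERVER_MISMATCH;
}

/* Corrected pattern: the decision rests only on the name from 'enc_part'.
 * Flagging a plaintext/enc_part disagreement is this example's assumption. */
enum verdict check_reply_safe(const struct principal *req, const struct kdc_rep *rep) {
    if (!same_principal(req, &rep->enc_part_server)) return REPLY_SERVER_MISMATCH;
    if (!same_principal(&rep->ticket_server, &rep->enc_part_server)) return REPLY_PLAINTEXT_DIFFERS;
    return REPLY_OK;
}

/* Constructed sample data, not taken from any real deployment. */
const struct principal REQUESTED = { "EXAMPLE.COM", "cifs/nas.example.com" };
const struct kdc_rep GENUINE = {
    { "EXAMPLE.COM", "cifs/nas.example.com" }, { "EXAMPLE.COM", "cifs/nas.example.com" } };
const struct kdc_rep ALTERED = {   /* plaintext name disagrees with the authenticated one */
    { "EXAMPLE.COM", "cifs/nas.example.com" }, { "EXAMPLE.COM", "host/other.example.com" } };
const struct kdc_rep PLAINTEXT_ONLY = { /* only the unauthenticated field differs */
    { "EXAMPLE.COM", "host/other.example.com" }, { "EXAMPLE.COM", "cifs/nas.example.com" } };

int main(void) {
    printf("genuine: unsafe=%d safe=%d\n",
           check_reply_unsafe(&REQUESTED, &GENUINE), check_reply_safe(&REQUESTED, &GENUINE));
    printf("altered: unsafe=%d safe=%d\n",
           check_reply_unsafe(&REQUESTED, &ALTERED), check_reply_safe(&REQUESTED, &ALTERED));
    return 0;
}
```

The altered reply passes the unsafe check and is rejected by the safe one, which is the behaviour change the fixed versions deliver.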

Mitigation

None

Update Availability

To fix the security issue, please update DSM 6.1 to 6.1.3-15152-1 or above, DSM 6.0 to 6.0.3-8754-4 or above, DSM 5.2 to 5.2-5967-4 or above, and SRM 1.1 to 1.1.4-6509-03 or above.

For DSM 5.1 users, please update to DSM 5.2 (5.2-5967-4).
