CVE-2017-12151 — Channel Accessible by Non-Endpoint in Samba
Severity
7.4HIGHNVD
EPSS
4.1%
top 11.32%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedJul 27
Latest updateMay 13
Description
A flaw was found in the way samba client before samba 4.4.16, samba 4.5.14 and samba 4.6.8 used encryption with the max protocol set as SMB3. The connection could lose the requirement for signing and encrypting to any DFS redirects, allowing an attacker to read or alter the contents of the connection via a man-in-the-middle attack.
CVSS vector
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:NExploitability: 2.2 | Impact: 5.2
Affected Packages8 packages
Also affects: Debian Linux 8.0, 9.0, Enterprise Linux 7.0, 7.4, 7.5
🔴Vulnerability Details
4📋Vendor Advisories
4💬Community
3Bugzilla▶
CVE-2017-15086 samba: SMB2 connections don't keep encryption across DFS redirects (incomplete fix of CVE-2017-12151)↗2017-10-24
Bugzilla
▶
Bugzilla
▶