Your submission was sent successfully! Close

CVE-2018-16860

Published: 14 May 2019

A flaw was found in samba's Heimdal KDC implementation, versions 4.8.x up to, excluding 4.8.12, 4.9.x up to, excluding 4.9.8 and 4.10.x up to, excluding 4.10.3, when used in AD DC mode. A man in the middle attacker could use this flaw to intercept the request to the KDC and replace the user name (principal) in the request with any desired user name (principal) that exists in the KDC effectively obtaining a ticket for that principal.

Priority

Medium

CVSS 3 base score: 7.5

Status

Package Release Status
heimdal
Launchpad, Ubuntu, Debian
bionic
Released (7.5.0+dfsg-1ubuntu0.1)
cosmic Ignored
(reached end-of-life)
disco Ignored
(reached end-of-life)
eoan Not vulnerable
(7.5.0+dfsg-3build1)
focal Not vulnerable
(7.5.0+dfsg-3build1)
groovy Not vulnerable
(7.5.0+dfsg-3build1)
hirsute Not vulnerable
(7.5.0+dfsg-3build1)
impish Not vulnerable
(7.5.0+dfsg-3build1)
jammy Not vulnerable
(7.5.0+dfsg-3build1)
kinetic Not vulnerable
(7.5.0+dfsg-3build1)
precise Ignored
(end of ESM support, was needed)
trusty
Released (1.6~git20131207+dfsg-1ubuntu1.2+esm1)
upstream
Released (7.6, 7.5.0+dfsg-3, 7.1.0+dfsg-13+deb9u3)
xenial
Released (1.7~git20150920+dfsg-4ubuntu1.16.04.1+esm1)
Patches:
upstream: https://github.com/heimdal/heimdal/commit/c6257cc2c842c0faaeb4ef34e33890ee88c4cbba
samba
Launchpad, Ubuntu, Debian
bionic
Released (2:4.7.6+dfsg~ubuntu-0ubuntu2.10)
cosmic
Released (2:4.8.4+dfsg-2ubuntu2.4)
disco
Released (2:4.10.0+dfsg-0ubuntu2.1)
focal
Released (2:4.10.0+dfsg-0ubuntu2.1)
jammy
Released (2:4.10.0+dfsg-0ubuntu2.1)
kinetic
Released (2:4.10.0+dfsg-0ubuntu2.1)
precise
Released (2:3.6.25-0ubuntu0.12.04.18)
trusty
Released (2:4.3.11+dfsg-0ubuntu0.14.04.20+esm1)
upstream Needs triage

xenial
Released (2:4.3.11+dfsg-0ubuntu0.16.04.20)