Kerberos SNAME Security Feature Bypass in Microsoft Windows Products
CVE-2017-8495

7.5HIGH

Key Information:

Vendor
Microsoft
Status
Microsoft Windows 7 Sp1, Windows Server 2008 Sp2 And R2 Sp1, Windows 8.1 And Windows Rt 8.1, Windows Server 2012 And R2, Windows 10 Gold, 1511, 1607, And 1703, And Windows Server 2016.
Vendor
CVE Published:
11 July 2017

Summary

This vulnerability in Microsoft Windows products allows attackers to bypass Extended Protection for Authentication during Kerberos ticket exchanges. It particularly affects the handling of the SNAME field, potentially enabling unauthorized access and manipulation of authentication processes across various Windows operating systems. Mitigation should be prioritized to safeguard against exploitation.

Affected Version(s)

Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1, Windows 8.1 and Windows RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016. Microsoft Windows

References

https://www.orpheus-lyre.info/
x_refsource_MISC
https://portal.msrc.microsoft.com/en-us/security-guidance...
x_refsource_CONFIRM
http://www.securityfocus.com/bid/99424
vdb-entryx_refsource_BID

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.