=========================================================== == Subject: Samba Spotlight mdssvc RPC Request Type == Confusion Denial-of-Service Vulnerability == == CVE ID#: CVE-2023-34967 == == Versions: All versions of Samba prior to 4.18.5, 4.17.10 and 4.16.11. == == Summary: Missing type validation in Samba's mdssvc == RPC service for Spotlight can be used by == an unauthenticated attacker to trigger == a process crash in a shared RPC mdssvc == worker process. =========================================================== =========== Description =========== When parsing Spotlight mdssvc RPC packets, one encoded data structure is a key-value style dictionary where the keys are character strings and the values can be any of the supported types in the mdssvc protocol. Due to a lack of type checking in callers of the function dalloc_value_for_key(), which returns the object associated with a key, a caller may trigger a crash in talloc_get_size() when talloc detects that the passed in pointer is not a valid talloc pointer. As RPC worker processes are shared among multiple client connections, a malicious client can crash the worker process affecting all other clients that are also served by this worker. ================== Patch Availability ================== Patches addressing both these issues have been posted to: https://www.samba.org/samba/security/ Additionally, Samba 4.18.5, 4.17.10 and 4.16.11 have been issued as security releases to correct the defect. Samba administrators are advised to upgrade to these releases or apply the patch as soon as possible. ================== CVSSv3 calculation ================== CVSS 3.0: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (5.3) ========== Workaround ========== As a possible workaround disable Spotlight by removing all configuration stanzas that enable Spotlight ("spotlight = yes|true"). ======= Credits ======= Originally reported by Florent Saudel and Arnaud Gatignolof the Thalium team working with Trend Micro Zero Day Initiative. Patches provided by Ralph Boehme of SerNet and the Samba team. ========================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ==========================================================