CVE-2023-34966.html:
===========================================================
== Subject: Samba Spotlight mdssvc RPC Request Infinite
== Loop Denial-of-Service Vulnerability
==
== CVE ID#: CVE-2023-34966
==
== Versions: All versions of Samba prior to 4.18.5,
4.17.10 and 4.16.11.
==
== Summary: An infinite loop bug in Samba's mdssvc RPC
== service for Spotlight can be triggered
== by an unauthenticated attacker by issuing a
== malformed RPC request.
===========================================================
===========
Description
===========
When parsing Spotlight mdssvc RPC packets sent by the
client, the core unmarshalling function sl_unpack_loop()
did not validate a field in the network packet that
contains the count of elements in an array-like
structure. By passing 0 as the count value, the attacked
function will run in an endless loop consuming 100% CPU.
This bug only affects servers where Spotlight is
explicitly enabled globally or on individual shares with
"spotlight = yes".
==================
Patch Availability
==================
Patches addressing both these issues have been posted to:
https://www.samba.org/samba/security/
Additionally, Samba 4.18.5, 4.17.10 and 4.16.11 have been
issued as security releases to correct the defect. Samba
administrators are advised to upgrade to these releases or
apply the patch as soon as possible.
==================
CVSSv3 calculation
==================
CVSS 3.0: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5)
==========
Workaround
==========
As a possible workaround disable Spotlight by removing all
configuration stanzas that enable Spotlight ("spotlight =
yes|true").
=======
Credits
=======
Originally reported by Florent Saudel of the Thalium team
working with Trend Micro Zero Day Initiative.
Patches provided by Ralph Boehme of SerNet and the Samba
team.
==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================