== Subject:     Samba Spotlight mdssvc RPC Request Type
==              Confusion Denial-of-Service Vulnerability
== CVE ID#:     CVE-2023-34967
== Versions:    All versions of Samba prior to 4.18.5,
==              4.17.10 and 4.16.11.
== Summary:     Missing type validation in Samba's mdssvc
==              RPC service for Spotlight can be used by
==              an unauthenticated attacker to trigger
==              a process crash in a shared RPC mdssvc
==              worker process.


When parsing Spotlight mdssvc RPC packets, one encoded data
structure is a key-value style dictionary where the keys
are character strings and the values can be any of the
supported types in the mdssvc protocol. Due to a lack of
type checking in callers of the function
dalloc_value_for_key(), which returns the object associated
with a key, a caller may trigger a crash in
talloc_get_size() when talloc detects that the passed in
pointer is not a valid talloc pointer.

As RPC worker processes are shared among multiple client
connections, a malicious client can crash the worker process
affecting all other clients that are also served by this worker.
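As an added illustration (not Samba's code), the kind of check a caller of an untyped dictionary lookup needs before handing the value to a type-specific routine; the dictionary, type tags and key names below are constructed stand-ins for the mdssvc structures and for the type name talloc attaches to each allocation.

```c
#include <stddef.h>
#include <string.h>
/* Added model, not Samba's code: each dictionary value carries a type tag,
 * standing in for the type name talloc records for every allocation. */
enum vtype { V_STRING = 1, V_UINT64, V_ARRAY };

struct dvalue {
    const char *key;
    enum vtype type;
    const char *str;   /* payload; only meaningful when type == V_STRING */
};
struct dict { const struct dvalue *items; size_t count; };
/* Untyped lookup in the spirit of dalloc_value_for_key(): the caller gets
 * whatever object the client stored under the key, of whatever type. */
static const struct dvalue *dict_lookup(const struct dict *d, const char *key)
{
    for (size_t i = 0; i < d->count; i++)
        if (strcmp(d->items[i].key, key) == 0)
            return &d->items[i];
    return NULL;
}

/* Checked accessor: the caller names the type it expects and a mismatch is
 * a protocol error, not a pointer handed on to a type-specific routine.
 * Returns 0 if found and well-typed, -1 if absent, -2 on type mismatch. */
static int dict_get(const struct dict *d, const char *key, enum vtype want,
                    const struct dvalue **out)
{
    const struct dvalue *p = dict_lookup(d, key);
    if (p == NULL) return -1;
    if (p->type != want) return -2;
    *out = p;
    return 0;
}

/* Constructed request (keys are made up): a string sits under a key the
 * server expects to hold an array. */
static const struct dvalue sample_items[] = {
    { "scope", V_STRING, "/srv/share" },
    { "items", V_STRING, "not-an-array" },
};
static const struct dict sample_req = { sample_items, 2 };

/* Return code of a typed lookup against the constructed request. */
static int sample_rc(const char *key, enum vtype want)
{
    const struct dvalue *p = NULL;
    return dict_get(&sample_req, key, want, &p);
}
```

With the check in place the mistyped "items" value is rejected with -2 rather than being passed to an accessor that assumes an array.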

Patch Availability

Patches addressing this issue have been posted to:

Additionally, Samba 4.18.5, 4.17.10 and 4.16.11 have been issued
as security releases to correct the defect.  Samba administrators
are advised to upgrade to these releases or apply the patch as
soon as possible.

CVSSv3 calculation

CVSS 3.0: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (5.3)


As a possible workaround, disable Spotlight by removing all
configuration stanzas that enable Spotlight ("spotlight =


Originally reported by Florent Saudel and Arnaud Gatignol of
the Thalium team working with Trend Micro Zero Day

Patches provided by Ralph Boehme of SerNet and the Samba

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team