=========================================================== == Subject: Samba Spotlight mdssvc RPC Request Infinite == Loop Denial-of-Service Vulnerability == == CVE ID#: CVE-2023-34966 == == Versions: All versions of Samba prior to 4.18.5, 4.17.10 and 4.16.11. == == Summary: An infinite loop bug in Samba's mdssvc RPC == service for Spotlight can be triggered == by an unauthenticated attacker by issuing a == malformed RPC request. =========================================================== =========== Description =========== When parsing Spotlight mdssvc RPC packets sent by the client, the core unmarshalling function sl_unpack_loop() did not validate a field in the network packet that contains the count of elements in an array-like structure. By passing 0 as the count value, the attacked function will run in an endless loop consuming 100% CPU. This bug only affects servers where Spotlight is explicitly enabled globally or on individual shares with "spotlight = yes". ================== Patch Availability ================== Patches addressing both these issues have been posted to: https://www.samba.org/samba/security/ Additionally, Samba 4.18.5, 4.17.10 and 4.16.11 have been issued as security releases to correct the defect. Samba administrators are advised to upgrade to these releases or apply the patch as soon as possible. ================== CVSSv3 calculation ================== CVSS 3.0: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5) ========== Workaround ========== As a possible workaround disable Spotlight by removing all configuration stanzas that enable Spotlight ("spotlight = yes|true"). ======= Credits ======= Originally reported by Florent Saudel of the Thalium team working with Trend Micro Zero Day Initiative. Patches provided by Ralph Boehme of SerNet and the Samba team. ========================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ==========================================================