TODO: $VERSION, $CVE =========================================================== == Subject: Samba Spotlight mdssvc RPC Request Infinite == Loop Denial-of-Service Vulnerability == == CVE ID#: $CVE == == Versions: All versions of Samba prior to $VERSION == == Summary: An infinite loop bug in Samba's mdssvc RPC == service for Spotlight can be triggered == by an unauthenticated attacker by issuing a == malformed RPC request. =========================================================== =========== Description =========== When parsing Spotlight mdssvc RPC packets sent by the client, the core unmarshalling function sl_unpack_loop() did not validate a field in the network packet that contains the count of elements in an array-like structure. By passing 0 as the count value, the attacked function will run in an endless loop consuming 100% CPU. This bug only affects servers where Spotlight is explicitly enabled globally or on individual shares with "spotlight = yes". ================== Patch Availability ================== Patches addressing both these issues have been posted to: https://www.samba.org/samba/security/ Additionally, Samba $VERSIONS have been issued as security releases to correct the defect. Samba administrators are advised to upgrade to these releases or apply the patch as soon as possible. ================== CVSSv3 calculation ================== CVSS 3.0: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5) ========== Workaround ========== As a possible workaround disable Spotlight by removing all configuration stanzas that enable Spotlight ("spotlight = yes|true"). ======= Credits ======= Originally reported by Florent Saudel of the Thalium team working with Trend Micro Zero Day Initiative. Patches provided by Ralph Boehme of SerNet and the Samba team. ========================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ==========================================================