The Samba-Bugzilla – Attachment 17910 Details for Bug 15340
[SECURITY] CVE-2023-34966: Samba Spotlight mdssvc RPC Request Infinite Loop Denial-of-Service Vulnerability
Advisory v1
Filename: CVE-bug15340-security_advisory.txt (text/plain), 2.00 KB
Creator: Ralph Böhme
Created: 2023-06-07 17:19:22 UTC
Attachment flags: patch, obsolete
TODO: $VERSION, $CVE

===========================================================
== Subject: Samba Spotlight mdssvc RPC Request Infinite
== Loop Denial-of-Service Vulnerability
==
== CVE ID#: $CVE
==
== Versions: All versions of Samba prior to $VERSION
==
== Summary: An infinite loop bug in Samba's mdssvc RPC
== service for Spotlight can be triggered
== by an unauthenticated attacker by issuing a
== malformed RPC request.
===========================================================

===========
Description
===========

When parsing Spotlight mdssvc RPC packets sent by the
client, the core unmarshalling function sl_unpack_loop()
did not validate a field in the network packet that
contains the count of elements in an array-like
structure. By passing 0 as the count value, the affected
function will run in an endless loop consuming 100% CPU.

This bug only affects servers where Spotlight is
explicitly enabled globally or on individual shares with
"spotlight = yes".

==================
Patch Availability
==================

Patches addressing this issue have been posted to:

  https://www.samba.org/samba/security/

Additionally, Samba $VERSIONS have been issued as security
releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as
soon as possible.

==================
CVSSv3 calculation
==================

CVSS 3.0: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5)

==========
Workaround
==========

As a possible workaround, disable Spotlight by removing all
configuration stanzas that enable Spotlight ("spotlight =
yes|true").

=======
Credits
=======

Originally reported by Florent Saudel of the Thalium team
working with Trend Micro Zero Day Initiative.

Patches provided by Ralph Boehme of SerNet and the Samba
team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
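The defect class the Description section names, an array count read from the packet that is never validated, is illustrated below with an added C example. It is not Samba's sl_unpack_loop() and not code from this bug: the wire layout, the function names (unpack_loop, read_u32, the demo_* helpers) and the sample packets are all constructed for the illustration and only mirror the shape of the problem, where a count of 0 lets the loop make no progress. The hardened loop rejects a zero or oversized count and also refuses any iteration that consumes no input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed toy layout (not Samba's), all fields little-endian uint32:
 *   [total]                  number of elements that follow in total
 *   [count][elem]*count ...  repeated chunks; each chunk announces how
 *                            many of the remaining elements it carries
 * The loop ends when `remaining` reaches 0, so a chunk count of 0 would
 * spin forever if it were accepted: exactly the failure mode described
 * in the advisory. */

static int read_u32(const uint8_t *buf, size_t len, size_t *off, uint32_t *out)
{
    if (*off > len || len - *off < 4) {
        return -1;                       /* truncated packet */
    }
    *out = (uint32_t)buf[*off]
         | ((uint32_t)buf[*off + 1] << 8)
         | ((uint32_t)buf[*off + 2] << 16)
         | ((uint32_t)buf[*off + 3] << 24);
    *off += 4;
    return 0;
}

/* Hardened unpack loop: returns the number of elements decoded, or -1 on a
 * malformed packet. `sum` receives the sum of the element values so the
 * caller can confirm the parse did real work. */
int unpack_loop(const uint8_t *buf, size_t len, uint32_t *sum)
{
    size_t off = 0;
    uint32_t total, remaining;
    int decoded = 0;

    *sum = 0;
    if (read_u32(buf, len, &off, &total) < 0) {
        return -1;
    }
    remaining = total;

    while (remaining > 0) {
        uint32_t count;
        size_t start = off;

        if (read_u32(buf, len, &off, &count) < 0) {
            return -1;
        }
        /* The validation the advisory describes as missing: a count of 0
         * would never reduce `remaining`; a count above `remaining` would
         * underflow it. Both are rejected before any element is read. */
        if (count == 0 || count > remaining) {
            return -1;
        }
        for (uint32_t i = 0; i < count; i++) {
            uint32_t elem;
            if (read_u32(buf, len, &off, &elem) < 0) {
                return -1;
            }
            *sum += elem;
            decoded++;
        }
        remaining -= count;

        /* Defense in depth: every iteration must consume input. */
        if (off <= start) {
            return -1;
        }
    }
    return decoded;
}

/* Constructed sample packets. */
static const uint8_t GOOD_PKT[] = {
    3, 0, 0, 0,                 /* total = 3 */
    2, 0, 0, 0, 10, 0, 0, 0, 20, 0, 0, 0,   /* chunk: count 2, elems 10, 20 */
    1, 0, 0, 0, 5, 0, 0, 0,     /* chunk: count 1, elem 5 */
};
static const uint8_t ZERO_COUNT_PKT[] = { 3, 0, 0, 0, 0, 0, 0, 0 };
static const uint8_t OVERSIZED_PKT[]  = { 1, 0, 0, 0, 2, 0, 0, 0 };
static const uint8_t TRUNCATED_PKT[]  = { 1, 0, 0, 0, 1, 0, 0, 0 };

int demo_good(void)          { uint32_t s; return unpack_loop(GOOD_PKT, sizeof GOOD_PKT, &s); }
uint32_t demo_good_sum(void) { uint32_t s; unpack_loop(GOOD_PKT, sizeof GOOD_PKT, &s); return s; }
int demo_zero_count(void)    { uint32_t s; return unpack_loop(ZERO_COUNT_PKT, sizeof ZERO_COUNT_PKT, &s); }
int demo_oversized_count(void) { uint32_t s; return unpack_loop(OVERSIZED_PKT, sizeof OVERSIZED_PKT, &s); }
int demo_truncated(void)     { uint32_t s; return unpack_loop(TRUNCATED_PKT, sizeof TRUNCATED_PKT, &s); }

int main(void)
{
    printf("good: %d elements, sum %u\n", demo_good(), demo_good_sum());
    printf("zero count: %d\n", demo_zero_count());
    printf("oversized count: %d\n", demo_oversized_count());
    printf("truncated: %d\n", demo_truncated());
    return 0;
}
```

The two cheap invariants, "count must be at least 1 and at most what remains" and "offset must advance every iteration", are what turn an attacker-controlled length field into a bounded loop; the second one catches variants of the same defect even if a future layout change weakens the first.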
Flags: slow: review? (metze); jra: review+
Attachments on bug 15340: 17902 | 17910 | 17919 | 17941 | 17942 | 17950