Bugzilla – Bug 1213172
VUL-0: CVE-2023-34967: samba: Samba Spotlight mdssvc RPC Request Type Confusion Denial-of-Service Vulnerability
Last modified: 2024-05-30 14:36:16 UTC
=========================================================== == Subject: Samba Spotlight mdssvc RPC Request Type == Confusion Denial-of-Service Vulnerability == == CVE ID#: CVE-2023-34967 == == Versions: All versions of Samba prior to 4.18.5, 4.17.10 and 4.16.11. == == Summary: Missing type validation in Samba's mdssvc == RPC service for Spotlight can be used by == an unauthenticated attacker to trigger == a process crash in a shared RPC mdssvc == worker process. =========================================================== =========== Description =========== When parsing Spotlight mdssvc RPC packets, one encoded data structure is a key-value style dictionary where the keys are character strings and the values can be any of the supported types in the mdssvc protocol. Due to a lack of type checking in callers of the function dalloc_value_for_key(), which returns the object associated with a key, a caller may trigger a crash in talloc_get_size() when talloc detects that the passed in pointer is not a valid talloc pointer. As RPC worker processes are shared among multiple client connections, a malicious client can crash the worker process affecting all other clients that are also served by this worker. ================== Patch Availability ================== Patches addressing both these issues have been posted to: https://www.samba.org/samba/security/ Additionally, Samba 4.18.5, 4.17.10 and 4.16.11 have been issued as security releases to correct the defect. Samba administrators are advised to upgrade to these releases or apply the patch as soon as possible. ================== CVSSv3 calculation ================== CVSS 3.0: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (5.3) ========== Workaround ========== As a possible workaround disable Spotlight by removing all configuration stanzas that enable Spotlight ("spotlight = yes|true"). ======= Credits ======= Originally reported by Florent Saudel and Arnaud Gatignolof the Thalium team working with Trend Micro Zero Day Initiative. Patches provided by Ralph Boehme of SerNet and the Samba team. ========================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ========================================================== https://www.samba.org/samba/security/CVE-2023-34967.html
SUSE-SU-2023:2888-1: An update that solves four vulnerabilities and has one fix can now be installed. Category: security (important) Bug References: 1213171, 1213172, 1213173, 1213174, 1213384 CVE References: CVE-2022-2127, CVE-2023-34966, CVE-2023-34967, CVE-2023-34968 Sources used: SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): samba-4.15.13+git.621.c8ae836ff82-3.85.1 SUSE Linux Enterprise High Availability Extension 12 SP5 (src): samba-4.15.13+git.621.c8ae836ff82-3.85.1 SUSE Linux Enterprise Software Development Kit 12 SP5 (src): samba-4.15.13+git.621.c8ae836ff82-3.85.1 SUSE Linux Enterprise High Performance Computing 12 SP5 (src): samba-4.15.13+git.621.c8ae836ff82-3.85.1 SUSE Linux Enterprise Server 12 SP5 (src): samba-4.15.13+git.621.c8ae836ff82-3.85.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3060-1: An update that solves four vulnerabilities and has one fix can now be installed. Category: security (important) Bug References: 1213171, 1213172, 1213173, 1213174, 1213384 CVE References: CVE-2022-2127, CVE-2023-34966, CVE-2023-34967, CVE-2023-34968 Sources used: SUSE Enterprise Storage 7.1 (src): samba-4.15.13+git.663.9c654e06cdb-150300.3.57.5 SUSE Linux Enterprise Micro 5.2 (src): samba-4.15.13+git.663.9c654e06cdb-150300.3.57.5 SUSE Linux Enterprise Micro for Rancher 5.2 (src): samba-4.15.13+git.663.9c654e06cdb-150300.3.57.5 SUSE Linux Enterprise High Availability Extension 15 SP3 (src): samba-4.15.13+git.663.9c654e06cdb-150300.3.57.5 SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): samba-4.15.13+git.663.9c654e06cdb-150300.3.57.5 SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): samba-4.15.13+git.663.9c654e06cdb-150300.3.57.5 SUSE Linux Enterprise Real Time 15 SP3 (src): samba-4.15.13+git.663.9c654e06cdb-150300.3.57.5 SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): samba-4.15.13+git.663.9c654e06cdb-150300.3.57.5 SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): samba-4.15.13+git.663.9c654e06cdb-150300.3.57.5 SUSE Manager Proxy 4.2 (src): samba-4.15.13+git.663.9c654e06cdb-150300.3.57.5 SUSE Manager Retail Branch Server 4.2 (src): samba-4.15.13+git.663.9c654e06cdb-150300.3.57.5 SUSE Manager Server 4.2 (src): samba-4.15.13+git.663.9c654e06cdb-150300.3.57.5 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:3066-1: An update that solves four vulnerabilities and has one fix can now be installed. Category: security (important) Bug References: 1213171, 1213172, 1213173, 1213174, 1213384 CVE References: CVE-2022-2127, CVE-2023-34966, CVE-2023-34967, CVE-2023-34968 Sources used: SUSE Enterprise Storage 7 (src): samba-4.13.13+git.643.8caa136952b-150200.3.26.3 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Reassigned to security team to close it.
All code streams submitted, reassign to security team to close it.
SUSE-SU-2023:2929-1: An update that solves six vulnerabilities and has two security fixes can now be installed. Category: security (important) Bug References: 1212375, 1213170, 1213171, 1213172, 1213173, 1213174, 1213384, 1213386 CVE References: CVE-2020-25720, CVE-2022-2127, CVE-2023-3347, CVE-2023-34966, CVE-2023-34967, CVE-2023-34968 Sources used: openSUSE Leap 15.5 (src): samba-4.17.9+git.367.dae41ffdd1f-150500.3.5.1 Basesystem Module 15-SP5 (src): samba-4.17.9+git.367.dae41ffdd1f-150500.3.5.1 SUSE Linux Enterprise High Availability Extension 15 SP5 (src): samba-4.17.9+git.367.dae41ffdd1f-150500.3.5.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:2930-1: An update that solves four vulnerabilities and has one security fix can now be installed. Category: security (important) Bug References: 1213171, 1213172, 1213173, 1213174, 1213384 CVE References: CVE-2022-2127, CVE-2023-34966, CVE-2023-34967, CVE-2023-34968 Sources used: openSUSE Leap 15.4 (src): samba-4.15.13+git.663.9c654e06cdb-150400.3.28.1 openSUSE Leap Micro 5.3 (src): samba-4.15.13+git.663.9c654e06cdb-150400.3.28.1 openSUSE Leap Micro 5.4 (src): samba-4.15.13+git.663.9c654e06cdb-150400.3.28.1 SUSE Linux Enterprise Micro for Rancher 5.3 (src): samba-4.15.13+git.663.9c654e06cdb-150400.3.28.1 SUSE Linux Enterprise Micro 5.3 (src): samba-4.15.13+git.663.9c654e06cdb-150400.3.28.1 SUSE Linux Enterprise Micro for Rancher 5.4 (src): samba-4.15.13+git.663.9c654e06cdb-150400.3.28.1 SUSE Linux Enterprise Micro 5.4 (src): samba-4.15.13+git.663.9c654e06cdb-150400.3.28.1 Basesystem Module 15-SP4 (src): samba-4.15.13+git.663.9c654e06cdb-150400.3.28.1 SUSE Linux Enterprise High Availability Extension 15 SP4 (src): samba-4.15.13+git.663.9c654e06cdb-150400.3.28.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.