Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 2222794 (CVE-2023-34967) - CVE-2023-34967 samba: type confusion in mdssvc RPC service for spotlight
Summary: CVE-2023-34967 samba: type confusion in mdssvc RPC service for spotlight
Keywords:
Status: NEW
Alias: CVE-2023-34967
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2222896 2222894 2222895 2224252
Blocks:
TreeView+ depends on / blocked
 
Reported: 2023-07-13 18:08 UTC by TEJ RATHI
Modified: 2024-01-30 13:24 UTC (History)
9 users (show)

Fixed In Version: samba 4.16.11, samba 4.17.10, samba 4.18.5
Doc Type: If docs needed, set a value
Doc Text:
A Type Confusion vulnerability was found in Samba's mdssvc RPC service for Spotlight. When parsing Spotlight mdssvc RPC packets, one encoded data structure is a key-value style dictionary where the keys are character strings, and the values can be any of the supported types in the mdssvc protocol. Due to a lack of type checking in callers of the dalloc_value_for_key() function, which returns the object associated with a key, a caller may trigger a crash in talloc_get_size() when talloc detects that the passed-in pointer is not a valid talloc pointer. With an RPC worker process shared among multiple client connections, a malicious client or attacker can trigger a process crash in a shared RPC mdssvc worker process, affecting all other clients this worker serves.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:6667 0 None None None 2023-11-07 08:22:28 UTC
Red Hat Product Errata RHSA-2023:7139 0 None None None 2023-11-14 15:22:04 UTC
Red Hat Product Errata RHSA-2024:0423 0 None None None 2024-01-24 16:48:22 UTC
Red Hat Product Errata RHSA-2024:0580 0 None None None 2024-01-30 13:24:31 UTC

Description TEJ RATHI 2023-07-13 18:08:16 UTC 
Missing type validation in Samba's mdssvc RPC service for Spotlight can be used by an unauthenticated attacker to trigger
a process crash in a shared RPC mdssvc worker process.

As RPC worker processes are shared among multiple client connections, a malicious client can crash the worker process affecting all other clients that are also served by this worker.
Comment 2 TEJ RATHI 2023-07-20 09:24:54 UTC 
This CVE is public now - https://www.samba.org/samba/security/CVE-2023-34967.html
Comment 3 TEJ RATHI 2023-07-20 09:33:09 UTC 
Created samba tracking bugs for this issue:

Affects: fedora-all [bug 2224252]
Comment 4 errata-xmlrpc 2023-11-07 08:22:27 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6667 https://access.redhat.com/errata/RHSA-2023:6667
Comment 5 errata-xmlrpc 2023-11-14 15:22:02 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:7139 https://access.redhat.com/errata/RHSA-2023:7139
Comment 7 errata-xmlrpc 2024-01-24 16:48:20 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0423 https://access.redhat.com/errata/RHSA-2024:0423
Comment 8 errata-xmlrpc 2024-01-30 13:24:28 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:0580 https://access.redhat.com/errata/RHSA-2024:0580
Note You need to log in before you can comment on or make changes to this bug.