Samba: type confusion in mdssvc rpc service for spotlight
CVE-2023-34967

5.3MEDIUM

Key Information:

Vendor
Red Hat
Status
Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 8.6 Extended Update Support
Red Hat Enterprise Linux 8.8 Extended Update Support
Red Hat Enterprise Linux 9
Vendor
CVE Published:
20 July 2023

Summary

A Type Confusion vulnerability was found in Samba's mdssvc RPC service for Spotlight. When parsing Spotlight mdssvc RPC packets, one encoded data structure is a key-value style dictionary where the keys are character strings, and the values can be any of the supported types in the mdssvc protocol. Due to a lack of type checking in callers of the dalloc_value_for_key() function, which returns the object associated with a key, a caller may trigger a crash in talloc_get_size() when talloc detects that the passed-in pointer is not a valid talloc pointer. With an RPC worker process shared among multiple client connections, a malicious client or attacker can trigger a process crash in a shared RPC mdssvc worker process, affecting all other clients this worker serves.

Affected Version(s)

Red Hat Enterprise Linux 8 0:4.18.6-1.el8

Red Hat Enterprise Linux 8 0:4.18.6-1.el8

Red Hat Enterprise Linux 8.6 Extended Update Support 0:4.15.5-15.el8_6

References

https://access.redhat.com/errata/RHSA-2023:6667
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:7139
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:0423
vendor-advisoryx_refsource_REDHAT

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.