CVE-2023-34966

2023-07-2015:15:11

Google

osv.dev

samba

spotlight

rpc

infinite loop

vulnerability

denial of service

software

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7 High

AI Score

Confidence

High

0.033 Low

EPSS

Percentile

91.4%

JSON

An infinite loop vulnerability was found in Samba’s mdssvc RPC service for Spotlight. When parsing Spotlight mdssvc RPC packets sent by the client, the core unmarshalling function sl_unpack_loop() did not validate a field in the network packet that contains the count of elements in an array-like structure. By passing 0 as the count value, the attacked function will run in an endless loop consuming 100% CPU. This flaw allows an attacker to issue a malformed RPC request, triggering an infinite loop, resulting in a denial of service condition.

CPENameOperatorVersion
sambaeqldb-1.1.30
sambaeqsamba-4.12.0rc1
sambaeqsamba-4.16.6
sambaeqsamba-4.0.0beta6
sambaeqsamba-4.5.0rc1
sambaeqtalloc-2.1.11
sambaeqtdb-1.3.8
sambaeqtalloc-2.1.13
sambaeqtdb-1.3.14
sambaeqtdb-1.3.4

Name	Operator	Version
samba	eq	ldb-1.1.30
samba	eq	samba-4.12.0rc1
samba	eq	samba-4.16.6
samba	eq	samba-4.0.0beta6
samba	eq	samba-4.5.0rc1
samba	eq	talloc-2.1.11
samba	eq	tdb-1.3.8
samba	eq	talloc-2.1.13
samba	eq	tdb-1.3.14
samba	eq	tdb-1.3.4