CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
93.4%
When parsing Spotlight mdssvc RPC packets sent by the
client, the core unmarshalling function sl_unpack_loop()
did not validate a field in the network packet that
contains the count of elements in an array-like
structure. By passing 0 as the count value, the attacked
function will run in an endless loop consuming 100% CPU.
This bug only affects servers where Spotlight is
explicitly enabled globally or on individual shares with
“spotlight = yes”.
Patches addressing both these issues have been posted to:
https://www.samba.org/samba/security/
Additionally, Samba 4.18.5, 4.17.10 and 4.16.11 have been
issued as security releases to correct the defect. Samba
administrators are advised to upgrade to these releases or
apply the patch as soon as possible.
CVSS 3.0: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5)
As a possible workaround disable Spotlight by removing all
configuration stanzas that enable Spotlight (“spotlight =
yes|true”).
Originally reported by Florent Saudel of the Thalium team
working with Trend Micro Zero Day Initiative.
Patches provided by Ralph Boehme of SerNet and the Samba
team.
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team