CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: LOW
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS Percentile: 94.5%
When parsing Spotlight mdssvc RPC packets, one encoded data structure is a key-value style dictionary where the keys are character strings and the values can be any of the supported types in the mdssvc protocol. Due to a lack of type checking in callers of the function dalloc_value_for_key(), which returns the object associated with a key, a caller may trigger a crash in talloc_get_size() when talloc detects that the passed in pointer is not a valid talloc pointer.

As RPC worker processes are shared among multiple client connections, a malicious client can crash the worker process, affecting all other clients that are also served by this worker.
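The defect described above is a caller trusting an untyped lookup result. The following is an added illustration, not Samba's code and not the mdssvc implementation: a hypothetical tagged-value dictionary with an untyped lookup in the spirit of dalloc_value_for_key(), beside a checked lookup that makes the caller state the type it expects and refuses a mismatching value instead of handing it on. The type names, functions and the sample dictionary are all constructed for this example.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical value types; a real protocol would have more. */
typedef enum { V_STRING, V_INT, V_DICT } vtype;

struct dict;

/* Every stored value carries its type tag alongside the payload. */
typedef struct {
    vtype type;
    union {
        const char  *s;   /* valid when type == V_STRING */
        long         i;   /* valid when type == V_INT */
        struct dict *d;   /* valid when type == V_DICT */
    } u;
} value;

typedef struct { const char *key; value val; } kv;

typedef struct dict { const kv *items; size_t n; } dict;

/* Untyped lookup (the pattern the advisory warns about): returns whatever
 * is stored under key, or NULL, and leaves type checking to the caller. */
static const value *value_for_key(const dict *d, const char *key)
{
    for (size_t k = 0; k < d->n; k++)
        if (strcmp(d->items[k].key, key) == 0)
            return &d->items[k].val;
    return NULL;
}

/* Checked lookup: the caller names the type it expects. Returns 0 and sets
 * *out on success, -1 if the key is absent, -2 if the stored type differs.
 * A caller that only accepts a 0 result can never treat a client-supplied
 * integer or nested dictionary as a string pointer. */
static int value_for_key_typed(const dict *d, const char *key,
                               vtype want, const value **out)
{
    const value *v = value_for_key(d, key);
    *out = NULL;
    if (v == NULL)
        return -1;
    if (v->type != want)
        return -2;
    *out = v;
    return 0;
}

/* A caller that needs a string: with the checked lookup, a non-string value
 * under the key is reported as an error code rather than dereferenced. */
static long string_length_for_key(const dict *d, const char *key)
{
    const value *v;
    int rc = value_for_key_typed(d, key, V_STRING, &v);
    if (rc != 0)
        return rc;
    return (long)strlen(v->u.s);
}

/* A caller that needs an integer, with a fallback for missing or mistyped. */
static long int_for_key(const dict *d, const char *key, long fallback)
{
    const value *v;
    if (value_for_key_typed(d, key, V_INT, &v) != 0)
        return fallback;
    return v->u.i;
}

/* Constructed sample dictionary: one string entry and one integer entry, as a
 * client might send them; nothing here is real protocol data. */
static const kv sample_items[] = {
    { "path", { V_STRING, { .s = "/srv/share/report.pdf" } } },
    { "size", { V_INT,    { .i = 4096 } } },
};
static const dict sample = { sample_items, 2 };
```

The point of the checked variant is that the decision "is this value of the type I am about to use it as" is made once, next to the lookup, instead of being left to each of many callers; that is the class of defect the advisory attributes to callers of dalloc_value_for_key().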
Patches addressing both these issues have been posted to: https://www.samba.org/samba/security/

Additionally, Samba 4.18.5, 4.17.10 and 4.16.11 have been issued as security releases to correct the defect. Samba administrators are advised to upgrade to these releases or apply the patch as soon as possible.
CVSS 3.0: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (5.3)
As a possible workaround, disable Spotlight by removing all configuration stanzas that enable Spotlight ("spotlight = yes|true").

Originally reported by Florent Saudel and Arnaud Gatignol of the Thalium team working with Trend Micro Zero Day Initiative.

Patches provided by Ralph Boehme of SerNet and the Samba team.
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team