CVE-2023-34967

2023-07-2015:15:11

Debian Security Bug Tracker

security-tracker.debian.org

type confusion

samba

mdssvc rpc

spotlight

rpc packets

type checking

dalloc_value_for_key

talloc_get_size

rpc worker process

shared

malicious client

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

0.041 Low

EPSS

Percentile

92.2%

JSON

A Type Confusion vulnerability was found in Samba’s mdssvc RPC service for Spotlight. When parsing Spotlight mdssvc RPC packets, one encoded data structure is a key-value style dictionary where the keys are character strings, and the values can be any of the supported types in the mdssvc protocol. Due to a lack of type checking in callers of the dalloc_value_for_key() function, which returns the object associated with a key, a caller may trigger a crash in talloc_get_size() when talloc detects that the passed-in pointer is not a valid talloc pointer. With an RPC worker process shared among multiple client connections, a malicious client or attacker can trigger a process crash in a shared RPC mdssvc worker process, affecting all other clients this worker serves.

OSVersionArchitecturePackageVersionFilename
Debian12allsamba< 2:4.17.10+dfsg-0+deb12u1samba_2:4.17.10+dfsg-0+deb12u1_all.deb
Debian11allsamba< 2:4.13.13+dfsg-1~deb11u6samba_2:4.13.13+dfsg-1~deb11u6_all.deb
Debian999allsamba< 2:4.18.5+dfsg-1samba_2:4.18.5+dfsg-1_all.deb
Debian13allsamba< 2:4.18.5+dfsg-1samba_2:4.18.5+dfsg-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	samba	< 2:4.17.10+dfsg-0+deb12u1	samba_2:4.17.10+dfsg-0+deb12u1_all.deb
Debian	11	all	samba	< 2:4.13.13+dfsg-1~deb11u6	samba_2:4.13.13+dfsg-1~deb11u6_all.deb
Debian	999	all	samba	< 2:4.18.5+dfsg-1	samba_2:4.18.5+dfsg-1_all.deb
Debian	13	all	samba	< 2:4.18.5+dfsg-1	samba_2:4.18.5+dfsg-1_all.deb