Samba Spotlight mdssvc RPC Request Infinite

Description

When parsing Spotlight mdssvc RPC packets sent by the
client, the core unmarshalling function sl_unpack_loop()
did not validate a field in the network packet that
contains the count of elements in an array-like
structure. By passing 0 as the count value, the attacked
function will run in an endless loop consuming 100% CPU.

This bug only affects servers where Spotlight is
explicitly enabled globally or on individual shares with
“spotlight = yes”.

Patch Availability

Patches addressing both these issues have been posted to:

https://www.samba.org/samba/security/

Additionally, Samba 4.18.5, 4.17.10 and 4.16.11 have been
issued as security releases to correct the defect. Samba
administrators are advised to upgrade to these releases or
apply the patch as soon as possible.

CVSSv3 calculation

CVSS 3.0: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5)

Workaround

As a possible workaround disable Spotlight by removing all
configuration stanzas that enable Spotlight (“spotlight =
yes|true”).

Credits

Originally reported by Florent Saudel of the Thalium team
working with Trend Micro Zero Day Initiative.

Patches provided by Ralph Boehme of SerNet and the Samba
team.

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team