Samba Security, SAMBA:CVE-2023-34967
Jul 19, 2023 - 12:00 a.m.

Samba Spotlight mdssvc RPC Request Type

2023-07-19 00:00:00
Samba Security
www.samba.org
Tags: samba, spotlight, mdssvc, rpc, security release, patch, vulnerability, type checking, workaround, thalium team, trend micro zero day initiative

CVSS3: 5.3 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS: 0.041 Low
Percentile: 92.2%

Description

When parsing Spotlight mdssvc RPC packets, one encoded data
structure is a key-value style dictionary where the keys
are character strings and the values can be any of the
supported types in the mdssvc protocol. Due to a lack of
type checking in callers of the function
dalloc_value_for_key(), which returns the object associated
with a key, a caller may trigger a crash in
talloc_get_size() when talloc detects that the passed in
pointer is not a valid talloc pointer.

As RPC worker processes are shared among multiple client
connections, a malicious client can crash the worker process
affecting all other clients that are also served by this worker.
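
A simplified model of the missing check described above, added here as an illustration; it is not Samba's dalloc/talloc code. The tagged `struct value`, both lookup functions and the `query` key are assumptions made for the example: the unchecked lookup hands back whatever is stored under the key, while the typed lookup lets the caller reject a value of the wrong type before using it.

```c
#include <stdio.h>
#include <string.h>

/* Model only: each value carries a type tag, much as a talloc chunk
 * carries a type name. Not Samba's dalloc/talloc code. */
enum vtype { T_STRING, T_UINT64 };
struct value {
    enum vtype type;
    union { const char *str; unsigned long long num; } u;
};
struct entry { const char *key; struct value val; };

/* Unchecked lookup: returns whatever object is stored under the key. */
static const struct value *value_for_key(const struct entry *d, size_t n,
                                         const char *key)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(d[i].key, key) == 0)
            return &d[i].val;
    return NULL;
}

/* Checked lookup: the caller names the type it is about to use, and a
 * mismatch is reported the same way as a missing key. */
static const struct value *value_for_key_typed(const struct entry *d, size_t n,
                                               const char *key, enum vtype want)
{
    const struct value *v = value_for_key(d, n, key);
    return (v != NULL && v->type == want) ? v : NULL;
}

/* A caller that needs a string: returns its length, or -1 to reject the
 * request instead of treating a non-string value as a string. */
static long query_len(const struct entry *d, size_t n)
{
    const struct value *q = value_for_key_typed(d, n, "query", T_STRING);
    return q ? (long)strlen(q->u.str) : -1;
}

/* Constructed requests: "query" (hypothetical key) with right/wrong type. */
static const struct entry good_req[] = { { "query", { T_STRING, { .str = "report" } } } };
static const struct entry bad_req[]  = { { "query", { T_UINT64, { .num = 42 } } } };

int main(void)
{
    printf("good=%ld bad=%ld\n", query_len(good_req, 1), query_len(bad_req, 1));
    return 0;
}
```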

Patch Availability

Patches addressing both these issues have been posted to:

https://www.samba.org/samba/security/

Additionally, Samba 4.18.5, 4.17.10 and 4.16.11 have been issued
as security releases to correct the defect. Samba administrators
are advised to upgrade to these releases or apply the patch as
soon as possible.

CVSSv3 calculation

CVSS 3.0: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (5.3)

Workaround

As a possible workaround, disable Spotlight by removing all
configuration stanzas that enable Spotlight
(“spotlight = yes|true”).

Credits

Originally reported by Florent Saudel and Arnaud Gatignol of
the Thalium team working with Trend Micro Zero Day
Initiative.

Patches provided by Ralph Boehme of SerNet and the Samba
team.

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
