CVSS: 5.9EPSS: 29%CPEs: 9EXPL: 0CVE-2023-34967 – Samba: type confusion in mdssvc rpc service for spotlight
https://notcve.org/view.php?id=CVE-2023-34967
A Type Confusion vulnerability was found in Samba's mdssvc RPC service for Spotlight. When parsing Spotlight mdssvc RPC packets, one encoded data structure is a key-value style dictionary where the keys are character strings, and the values can be any of the supported types in the mdssvc protocol. Due to a lack of type checking in callers of the dalloc_value_for_key() function, which returns the object associated with a key, a caller may trigger a crash in talloc_get_size() when talloc detects that the passed-in pointer is not a valid talloc pointer. With an RPC worker process shared among multiple client connections, a malicious client or attacker can trigger a process crash in a shared RPC mdssvc worker process, affecting all other clients this worker serves. This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Samba. • https://access.redhat.com/errata/RHSA-2023:6667 https://access.redhat.com/errata/RHSA-2023:7139 https://access.redhat.com/errata/RHSA-2024:0423 https://access.redhat.com/errata/RHSA-2024:0580 https://access.redhat.com/security/cve/CVE-2023-34967 https://bugzilla.redhat.com/show_bug.cgi?id=2222794 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BPCSGND7LO467AJGR5DYBGZLTCGTOBCC https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject. • CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') •
CVSS: 7.5EPSS: 12%CPEs: 9EXPL: 0CVE-2023-34966 – Samba: infinite loop in mdssvc rpc service for spotlight
https://notcve.org/view.php?id=CVE-2023-34966
An infinite loop vulnerability was found in Samba's mdssvc RPC service for Spotlight. When parsing Spotlight mdssvc RPC packets sent by the client, the core unmarshalling function sl_unpack_loop() did not validate a field in the network packet that contains the count of elements in an array-like structure. By passing 0 as the count value, the attacked function will run in an endless loop consuming 100% CPU. This flaw allows an attacker to issue a malformed RPC request, triggering an infinite loop, resulting in a denial of service condition. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Samba. • https://access.redhat.com/errata/RHSA-2023:6667 https://access.redhat.com/errata/RHSA-2023:7139 https://access.redhat.com/errata/RHSA-2024:0423 https://access.redhat.com/errata/RHSA-2024:0580 https://access.redhat.com/errata/RHSA-2024:4101 https://access.redhat.com/security/cve/CVE-2023-34966 https://bugzilla.redhat.com/show_bug.cgi?id=2222793 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BPCSGND7LO467AJGR5DYBGZLTCGTOBCC https://lists.fedoraproje • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-45141
https://notcve.org/view.php?id=CVE-2022-45141
Since the Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability was disclosed by Microsoft on Nov 8 2022 and per RFC8429 it is assumed that rc4-hmac is weak, Vulnerable Samba Active Directory DCs will issue rc4-hmac encrypted tickets despite the target server supporting better encryption (eg aes256-cts-hmac-sha1-96). Dado que la vulnerabilidad de elevación de privilegios de Windows Kerberos RC4-HMAC fue revelada por Microsoft el 8 de noviembre de 2022 y según RFC8429 se asume que rc4-hmac es débil, los DC de Directorio Activo Samba vulnerables emitirán tickets cifrados rc4-hmac a pesar de que el servidor de destino admita un cifrado mejor (por ejemplo, aes256-cts-hmac-sha1-96). • https://security.gentoo.org/glsa/202309-06 https://www.samba.org/samba/security/CVE-2022-45141.html • CWE-326: Inadequate Encryption Strength CWE-328: Use of Weak Hash •
CVSS: 8.8EPSS: 1%CPEs: 7EXPL: 1CVE-2022-42898 – krb5: integer overflow vulnerabilities in PAC parsing
https://notcve.org/view.php?id=CVE-2022-42898
PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that may lead to remote code execution (in KDC, kadmind, or a GSS or Kerberos application server) on 32-bit platforms (which have a resultant heap-based buffer overflow), and cause a denial of service on other platforms. This occurs in krb5_pac_parse in lib/krb5/krb/pac.c. Heimdal before 7.7.1 has "a similar bug." El análisis sintáctico de PAC en MIT Kerberos 5 (también conocido como krb5) antes de 1.19.4 y 1.20.x antes de 1.20.1 tiene desbordamientos de enteros que pueden conducir a la ejecución remota de código (en KDC, kadmind, o un servidor de aplicaciones GSS o Kerberos) en plataformas de 32 bits (que tienen un desbordamiento de búfer resultante), y causar una denegación de servicio en otras plataformas. Esto ocurre en krb5_pac_parse en lib/krb5/krb/pac.c. • https://bugzilla.samba.org/show_bug.cgi?id=15203 https://github.com/heimdal/heimdal/security/advisories/GHSA-64mq-fvfj-5x3c https://github.com/krb5/krb5/commit/ea92d2f0fcceb54a70910fa32e9a0d7a5afc3583 https://security.gentoo.org/glsa/202309-06 https://security.gentoo.org/glsa/202310-06 https://security.netapp.com/advisory/ntap-20230216-0008 https://security.netapp.com/advisory/ntap-20230223-0001 https://web.mit.edu/kerberos/advisories https://web.mit.edu/kerberos/krb5-1.19 https://web& • CWE-190: Integer Overflow or Wraparound •
CVSS: 5.9EPSS: 4%CPEs: 3EXPL: 0CVE-2022-32742 – Samba SMB1 Out-Of-Bounds Read Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2022-32742
A flaw was found in Samba. Some SMB1 write requests were not correctly range-checked to ensure the client had sent enough data to fulfill the write, allowing server memory contents to be written into the file (or printer) instead of client-supplied data. The client cannot control the area of the server memory written to the file (or printer). Se ha encontrado un fallo en Samba. Algunas solicitudes de escritura de SMB1 no son comprobaban correctamente para asegurar que el cliente había enviado suficientes datos para completar la escritura, lo que permitía que el contenido de la memoria del servidor fuera escrita en el archivo (o impresora) en lugar de los datos proporcionados por el cliente. • https://lists.debian.org/debian-lts-announce/2024/04/msg00015.html https://security.gentoo.org/glsa/202309-06 https://www.samba.org/samba/security/CVE-2022-32742.html https://access.redhat.com/security/cve/CVE-2022-32742 https://bugzilla.redhat.com/show_bug.cgi?id=2108196 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •