CVE-2023-34967
Samba: type confusion in mdssvc rpc service for spotlight
Public Exploits: 0
Exploited in Wild: -
Descriptions
A Type Confusion vulnerability was found in Samba's mdssvc RPC service for Spotlight. When parsing Spotlight mdssvc RPC packets, one encoded data structure is a key-value style dictionary where the keys are character strings, and the values can be any of the supported types in the mdssvc protocol. Due to a lack of type checking in callers of the dalloc_value_for_key() function, which returns the object associated with a key, a caller may trigger a crash in talloc_get_size() when talloc detects that the passed-in pointer is not a valid talloc pointer. With an RPC worker process shared among multiple client connections, a malicious client or attacker can trigger a process crash in a shared RPC mdssvc worker process, affecting all other clients this worker serves.
This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Samba. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the parsing of Spotlight RPC arguments. Crafted arguments can force the server into an infinite loop. An attacker can leverage this vulnerability to create a denial-of-service condition on the service.
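The missing check named in the first description, as an added example (not Samba's code and not part of the original record): a simplified C model of a typed dictionary in which the lookup takes the expected type and treats a mismatch like a missing key. All type, function and key names here (`dict_get_typed`, `read_query`, `"query"`) are hypothetical, and the two sample requests are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified model of a decoded key-value dictionary. All names are
 * hypothetical; this is not Samba's dalloc/talloc code. */
enum val_type { VAL_STRING, VAL_INT64 };

struct value {
    enum val_type type;                 /* tag set by the decoder */
    union { const char *str; int64_t i64; } u;
};
struct entry { const char *key; struct value val; };
struct dict  { const struct entry *entries; size_t count; };

/* Unchecked lookup: returns whatever the client stored under the key.
 * A caller that assumes the type and reads the wrong union member
 * has a type confusion. */
const struct value *dict_get(const struct dict *d, const char *key)
{
    for (size_t i = 0; i < d->count; i++)
        if (strcmp(d->entries[i].key, key) == 0)
            return &d->entries[i].val;
    return NULL;
}

/* Checked lookup: the caller names the type it expects; a mismatch is
 * reported exactly like a missing key. */
const struct value *dict_get_typed(const struct dict *d, const char *key,
                                   enum val_type want)
{
    const struct value *v = dict_get(d, key);
    return (v != NULL && v->type == want) ? v : NULL;
}

/* Caller: 0 and *out set on success, -1 for a malformed request. */
int read_query(const struct dict *d, const char **out)
{
    const struct value *v = dict_get_typed(d, "query", VAL_STRING);
    if (v == NULL)
        return -1;                      /* reject instead of crashing */
    *out = v->u.str;
    return 0;
}

/* Constructed sample requests: one well-formed, one with the wrong type. */
const struct entry good_req[] = { { "query", { VAL_STRING, { .str = "*.txt" } } } };
const struct entry bad_req[]  = { { "query", { VAL_INT64,  { .i64 = 42 } } } };
const struct dict good = { good_req, 1 }, bad = { bad_req, 1 };
```

With the type check inside the lookup helper, every caller gets it by default, so a value of the wrong type fails only that one request and leaves the shared worker process running.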
Timeline
- 2023-06-07 CVE Reserved
- 2023-07-20 CVE Published
- 2024-09-16 CVE Updated
- 2024-11-06 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')
References (11)
URL | Date | SRC |
---|---|---|
https://access.redhat.com/errata/RHSA-2023:6667 | 2024-01-30 | |
https://access.redhat.com/errata/RHSA-2023:7139 | 2024-01-30 | |
https://access.redhat.com/errata/RHSA-2024:0423 | 2024-01-30 | |
https://access.redhat.com/errata/RHSA-2024:0580 | 2024-01-30 | |
https://access.redhat.com/security/cve/CVE-2023-34967 | 2024-01-30 | |
https://bugzilla.redhat.com/show_bug.cgi?id=2222794 | 2024-01-30 | |
https://www.samba.org/samba/security/CVE-2023-34967.html | 2024-01-30 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Samba | Samba | < 4.16.11 | - | Affected |
Samba | Samba | >= 4.17.0 < 4.17.10 | - | Affected |
Samba | Samba | >= 4.18.0 < 4.18.5 | - | Affected |
Fedoraproject | Fedora | 37 | - | Affected |
Fedoraproject | Fedora | 38 | - | Affected |
Redhat | Enterprise Linux | 8.0 | - | Affected |
Redhat | Enterprise Linux | 9.0 | - | Affected |
Debian | Debian Linux | 11.0 | - | Affected |
Debian | Debian Linux | 12.0 | - | Affected |