CVE-2023-34966: high-severity vulnerability in Samba
Samba, a widely used free and open-source implementation of the Server Message Block (SMB) protocol, has released software updates addressing multiple security vulnerabilities. If successfully exploited, they could allow remote attackers to crash or hang Samba's services on affected installations (denial of service) and, in one case, to tamper with SMB2 traffic in transit.
The most serious vulnerability, CVE-2023-34966 (CVSS score of 7.5), is an infinite loop vulnerability in Samba’s mdssvc RPC service for Spotlight. This vulnerability affects all versions of Samba prior to 4.18.5, 4.17.10, and 4.16.11.
When parsing Spotlight mdssvc RPC packets sent by a client, the core unmarshalling function `sl_unpack_loop()` did not validate a field in the packet that holds the number of elements in an array-like structure. A client that sends 0 as that count makes the function loop forever: each iteration consumes zero elements, so neither the remaining-element counter nor the buffer offset advances, and the worker process spins at 100% CPU. Only servers with Spotlight enabled, either globally or on individual shares with `spotlight = yes`, are exposed, according to the CVE-2023-34966 advisory published on July 19, 2023.
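The following C model is added here to show the shape of the bug and of the fix; it is not Samba's own `sl_unpack_loop()` code. The wire layout is an assumption invented for the example (one 8-byte slot per array element, with the element's slot count in the low 32 bits of its leading tag); Samba's real Spotlight encoding is different. The unhardened path carries an iteration cap only so the demo terminates; the pre-fix code had no such guard, which is the whole point.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SLOT_SIZE  8       /* assumed layout: every array slot is one 8-byte word */
#define SPIN_GUARD 10000   /* demo-only cap so the unhardened model cannot hang */

enum unpack_rc {
    UNPACK_OK = 0,
    UNPACK_BAD_PACKET = -1,   /* rejected by a validation check */
    UNPACK_WOULD_SPIN = -2    /* hit SPIN_GUARD: the real code would loop forever */
};

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void write_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/*
 * Walk an array that the client claims holds `count` slots.  Each element
 * begins with a tag whose low 32 bits give `subcount`, the number of slots
 * the element occupies (tag included).  With harden == 0 the subcount is
 * trusted, mirroring the pre-fix logic; with harden == 1 it is range-checked
 * before use, which is the shape of the CVE-2023-34966 fix.
 */
static int unpack_loop_model(const uint8_t *buf, size_t bufsize,
                             int64_t count, int harden)
{
    size_t offset = 0;
    unsigned iterations = 0;

    while (count > 0) {
        if (offset + SLOT_SIZE > bufsize) {
            return UNPACK_BAD_PACKET;          /* tag would run past the buffer */
        }
        if (++iterations > SPIN_GUARD) {
            return UNPACK_WOULD_SPIN;          /* demo guard, absent in real code */
        }
        int64_t subcount = read_le32(buf + offset);

        if (harden && (subcount < 1 || subcount > count)) {
            return UNPACK_BAD_PACKET;          /* 0 makes no progress; > count overruns */
        }
        /* With subcount == 0 neither line below advances, so the loop never ends. */
        offset += (size_t)subcount * SLOT_SIZE;
        count  -= subcount;
    }
    return UNPACK_OK;
}

/*
 * Constructed three-slot packet: element 1 at slot 0 claims `first_subcount`
 * slots, element 2 at slot 2 claims one slot.  A well-formed packet has
 * first_subcount == 2.  Returns the enum unpack_rc value.
 */
int run_case(uint32_t first_subcount, int harden)
{
    uint8_t pkt[3 * SLOT_SIZE];
    memset(pkt, 0, sizeof pkt);
    write_le32(pkt, first_subcount);
    write_le32(pkt + 2 * SLOT_SIZE, 1);
    return unpack_loop_model(pkt, sizeof pkt, 3, harden);
}

int main(void)
{
    printf("well-formed, unhardened: %d\n", run_case(2, 0));  /* 0  */
    printf("subcount 0,  unhardened: %d\n", run_case(0, 0));  /* -2: would spin */
    printf("subcount 0,  hardened:   %d\n", run_case(0, 1));  /* -1: rejected */
    printf("subcount 5,  unhardened: %d\n", run_case(5, 0));  /* 0: silently accepted */
    printf("subcount 5,  hardened:   %d\n", run_case(5, 1));  /* -1: rejected */
    return 0;
}
```

The two checks in the hardened branch cover both failure modes of a client-controlled count: a value of 0 that cannot make progress, and a value larger than the remaining array that the unhardened loop accepts silently by driving the counter negative. Any parser that decrements a remaining-count by a value read from the packet needs the same lower bound, or an explicit progress check on the offset, in every branch of the loop.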
The other four vulnerabilities addressed by the Samba security updates are:
- CVE-2022-2031 (CVSS score of 5.9): Samba AD users could bypass certain restrictions associated with changing passwords (fixed earlier, in Samba versions 4.16.4, 4.15.9, and 4.14.14).
- CVE-2023-3347 (CVSS score of 5.9): A flaw in Samba's enforcement of SMB2 packet signing lets a man-in-the-middle attacker intercept and modify SMB2 traffic that should have been integrity-protected (fixed in Samba versions 4.18.5, 4.17.10, and 4.16.11).
- CVE-2023-34967 (CVSS score of 5.3): A type confusion bug in the mdssvc RPC service lets an attacker crash the shared mdssvc worker process, which disrupts every other client served by that worker (fixed in Samba versions 4.18.5, 4.17.10, and 4.16.11).
- CVE-2023-34968 (CVSS score of 5.3): A path disclosure in the Spotlight mdssvc service reveals the server-side path of a share to clients, exposing the server's file-system layout (fixed in Samba versions 4.18.5, 4.17.10, and 4.16.11).
Samba administrators are advised to upgrade to the latest version of Samba or apply the security updates as soon as possible to mitigate these vulnerabilities. Where an upgrade cannot be applied immediately, a server that does not need Spotlight search can remove its exposure to the three mdssvc issues by disabling Spotlight (`spotlight = no`, or dropping `spotlight = yes` from the global section and from every share); the signing flaw CVE-2023-3347 is unaffected by that setting and still requires the update.