CVE-2023-34967
Published: 20 July 2023
Summary
CVE-2023-34967 is a medium-severity Type Confusion (CWE-843) vulnerability in Samba. Its CVSS base score is 5.3 (Medium).
Operationally, it ranks in the top 4.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
A Type Confusion vulnerability exists in Samba's mdssvc RPC service for Spotlight. When parsing Spotlight mdssvc RPC packets, the dalloc_value_for_key() function returns objects from a key-value dictionary without sufficient type checking by callers. This allows an invalid pointer to reach talloc_get_size(), triggering a crash. The affected component is the shared RPC worker process that handles multiple client connections.
An unauthenticated remote attacker can send specially crafted Spotlight mdssvc RPC packets to induce the crash. Because the worker process is shared, the denial of service affects all other clients served by that worker. The vulnerability requires no privileges or user interaction and carries a CVSS score of 5.3 with an availability impact.
Red Hat has published multiple errata (RHSA-2023:6667, RHSA-2023:7139, RHSA-2024:0423, and RHSA-2024:0580) that supply patched Samba packages to address the issue. Administrators should apply the relevant updates for their distributions.
The EPSS score has reached a peak of 0.2117 with a current value of 0.1920. No information is provided on observed real-world exploitation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-39006
Vulnerability details
A Type Confusion vulnerability was found in Samba's mdssvc RPC service for Spotlight. When parsing Spotlight mdssvc RPC packets, one encoded data structure is a key-value style dictionary where the keys are character strings, and the values can be any of the supported types in the mdssvc protocol. Due to a lack of type checking in callers of the dalloc_value_for_key() function, which returns the object associated with a key, a caller may trigger a crash in talloc_get_size() when talloc detects that the passed-in pointer is not a valid talloc pointer. With an RPC worker process shared among multiple client connections, a malicious client or attacker can trigger a process crash in a shared RPC mdssvc worker process, affecting all other clients this worker serves.
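As an added illustration (not Samba's code), this simplified C model shows the pattern the description refers to: an untyped lookup standing in for dalloc_value_for_key() hands back a bare pointer regardless of the stored value's type, while a typed lookup beside it checks the runtime tag and rejects mismatches so that a non-string value is never passed on to a string-size routine. The dictionary type, key names and values here are constructed for the example.

```c
#include <stddef.h>
#include <string.h>

/* Simplified model of a key-value dictionary whose values carry a
 * runtime type tag (constructed for this example, not Samba's types). */
typedef enum { VAL_STRING, VAL_INT64, VAL_DICT } val_type;

typedef struct {
    val_type type;
    const void *data;   /* C string, long long, or nested dict */
} tagged_value;

typedef struct { const char *key; tagged_value value; } dict_entry;
typedef struct { const dict_entry *entries; size_t count; } dict;

/* Untyped lookup: the caller receives a bare pointer and has to know,
 * or check, what it points to. This is the shape the advisory describes. */
static const void *value_for_key(const dict *d, const char *key) {
    for (size_t i = 0; i < d->count; i++)
        if (strcmp(d->entries[i].key, key) == 0)
            return d->entries[i].value.data;
    return NULL;
}

/* Hardened lookup: the tag is checked at the lookup, so a caller asking
 * for a string never gets an int or dict pointer back. */
static const void *value_for_key_typed(const dict *d, const char *key, val_type want) {
    for (size_t i = 0; i < d->count; i++) {
        if (strcmp(d->entries[i].key, key) != 0) continue;
        if (d->entries[i].value.type != want) return NULL;  /* type mismatch: reject */
        return d->entries[i].value.data;
    }
    return NULL;
}

/* A caller that needs a string length: with the typed lookup a wrong type
 * yields 0 instead of a size computation on an unrelated pointer. */
static size_t checked_strlen_for_key(const dict *d, const char *key) {
    const char *s = value_for_key_typed(d, key, VAL_STRING);
    return s ? strlen(s) : 0;
}

/* Constructed sample: a decoded request with one string and one integer. */
static const long long sample_batch = 42;
static const dict_entry sample_entries[] = {
    { "query",      { VAL_STRING, "name == \"*\"" } },
    { "batch_size", { VAL_INT64,  &sample_batch } },
};
static const dict sample_dict = { sample_entries, 2 };
```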
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.