samba -- multiple vulnerabilities


Details

VuXML ID: 441e1e1a-27a5-11ee-a156-080027f5fec9
Discovery: 2023-07-19
Entry: 2023-08-05

The Samba Team reports:

CVE-2023-34967: Samba Spotlight mdssvc RPC Request Type Confusion Denial-of-Service Vulnerability
When parsing Spotlight mdssvc RPC packets, one encoded data structure is a key-value style dictionary where the keys are character strings and the values can be any of the supported types in the mdssvc protocol. Due to a lack of type checking in callers of the function dalloc_value_for_key(), which returns the object associated with a key, a caller may trigger a crash in talloc_get_size() when talloc detects that the passed in pointer is not a valid talloc pointer. As RPC worker processes are shared among multiple client connections, a malicious client can crash the worker process affecting all other clients that are also served by this worker.
CVE-2022-2127: Out-Of-Bounds read in winbind AUTH_CRAP
When doing NTLM authentication, the client sends replies to cryptographic challenges back to the server. These replies have variable length. Winbind did not properly bounds-check the lan manager response length, which despite the lan manager version no longer being used is still part of the protocol. If the system is running Samba's ntlm_auth as authentication backend for services like Squid (or a very unusual configuration with FreeRADIUS), the vulnerability is remotely exploitable. If not so configured, or to exploit this vulnerability locally, the user must have access to the privileged winbindd UNIX domain socket (a subdirectory with name 'winbindd_privileged' under "state directory", as set in the smb.conf). This access is normally only given to special system services, like Squid or FreeRADIUS, that use this feature.
CVE-2023-34968: Spotlight server-side Share Path Disclosure
As ..
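The two bug classes named above (a caller trusting the type of a dictionary value it looks up, and a caller trusting a client-supplied length field without checking it against the buffer) share a single defensive pattern: validate what the peer sent before using it. The block below is an added illustration written for this entry and is not Samba code; the dictionary, value types, `dict_lookup_typed()` and `parse_var_field()` are hypothetical stand-ins for the real dalloc/talloc and NTLM structures, and the sample dictionary and wire bytes are constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical value types for a key/value dictionary whose values may be
 * any protocol type (constructed for this example; not Samba's dalloc API). */
enum val_type { VAL_STRING, VAL_INT, VAL_BLOB };

struct value {
    enum val_type type;
    union {
        const char *s;
        int64_t i;
        struct { const uint8_t *p; size_t len; } blob;
    } u;
};

struct entry { const char *key; struct value val; };
struct dict  { const struct entry *entries; size_t n; };

/* Untyped lookup: returns whatever object is stored under the key, which is
 * the shape of lookup the advisory says callers were misusing. */
static const struct value *dict_lookup(const struct dict *d, const char *key)
{
    for (size_t i = 0; i < d->n; i++)
        if (strcmp(d->entries[i].key, key) == 0)
            return &d->entries[i].val;
    return NULL;
}

/* Typed lookup: the caller states the type it expects and gets NULL on a
 * mismatch, so a peer cannot make an integer be handled as a blob or string. */
static const struct value *dict_lookup_typed(const struct dict *d,
                                             const char *key, enum val_type want)
{
    const struct value *v = dict_lookup(d, key);
    return (v != NULL && v->type == want) ? v : NULL;
}

/* Constructed sample dictionary: "size" is an integer, "data" is a 3-byte blob. */
static const uint8_t SAMPLE_BLOB[3] = { 'a', 'b', 'c' };
static const struct entry SAMPLE_ENTRIES[] = {
    { "size", { VAL_INT,  { .i = 4096 } } },
    { "data", { VAL_BLOB, { .blob = { SAMPLE_BLOB, sizeof SAMPLE_BLOB } } } },
};
static const struct dict SAMPLE_DICT = { SAMPLE_ENTRIES, 2 };

/* Blob length for a key, or -1 if the key is missing or not a blob. Using
 * only the typed lookup means the blob fields are never read from an int. */
static long sample_blob_len(const char *key)
{
    const struct value *v = dict_lookup_typed(&SAMPLE_DICT, key, VAL_BLOB);
    return v ? (long)v->u.blob.len : -1;
}

/* Hypothetical wire field: 2-byte little-endian length followed by that many
 * bytes. Returns 0 on success or -1 if the declared length overruns the
 * buffer, the check whose absence the AUTH_CRAP entry describes. */
static int parse_var_field(const uint8_t *buf, size_t buflen,
                           const uint8_t **out, size_t *out_len)
{
    if (buflen < 2)
        return -1;
    size_t declared = (size_t)buf[0] | ((size_t)buf[1] << 8);
    if (declared > buflen - 2)     /* length field must fit in what we hold */
        return -1;
    *out = buf + 2;
    *out_len = declared;
    return 0;
}

/* Convenience wrapper: parsed length, or -1 when the field is rejected. */
static long parse_len(const uint8_t *buf, size_t buflen)
{
    const uint8_t *p; size_t n;
    return parse_var_field(buf, buflen, &p, &n) == 0 ? (long)n : -1;
}

/* Constructed wire samples: a well-formed field and one claiming 0x7fff bytes. */
static const uint8_t GOOD_FIELD[] = { 0x03, 0x00, 'a', 'b', 'c' };
static const uint8_t BAD_FIELD[]  = { 0xff, 0x7f, 'a' };

int main(void)
{
    printf("size as blob -> %ld (expect -1)\n", sample_blob_len("size"));
    printf("data as blob -> %ld (expect 3)\n",  sample_blob_len("data"));
    printf("good field   -> %ld (expect 3)\n",  parse_len(GOOD_FIELD, sizeof GOOD_FIELD));
    printf("bad field    -> %ld (expect -1)\n", parse_len(BAD_FIELD, sizeof BAD_FIELD));
    return 0;
}
```

The point of `dict_lookup_typed()` is that the type check lives in one place rather than in every caller, which is exactly where the advisory says the checks were missing; `parse_var_field()` shows the single comparison against the remaining buffer that turns an over-long declared length into a parse error instead of an out-of-bounds read.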
