CVE-2023-34967: 
Samba vulnerability analysis and mitigation

A Type Confusion vulnerability (CVE-2023-34967) was discovered in Samba's mdssvc RPC service for Spotlight. The vulnerability was found in all versions of Samba prior to 4.18.5, 4.17.10, and 4.16.11. When parsing Spotlight mdssvc RPC packets, one encoded data structure is a key-value style dictionary where the keys are character strings, and the values can be any of the supported types in the mdssvc protocol (Samba Advisory).

The vulnerability stems from a lack of type checking in callers of the dallocvalueforkey() function, which returns the object associated with a key. This can trigger a crash in tallocget_size() when talloc detects that the passed-in pointer is not a valid talloc pointer. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 MEDIUM with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (NVD).

Since RPC worker processes are shared among multiple client connections, a malicious client or attacker can trigger a process crash in a shared RPC mdssvc worker process, affecting all other clients this worker serves. This can result in a denial of service condition for legitimate users (Samba Advisory).

As a possible workaround, administrators can disable Spotlight by removing all configuration stanzas that enable Spotlight ("spotlight = yes|true"). For a permanent fix, users should upgrade to Samba versions 4.18.5, 4.17.10, or 4.16.11 which contain patches addressing this vulnerability (Samba Advisory).