CVE-2023-34966
📋 TL;DR
This CVE describes an infinite loop vulnerability in Samba's mdssvc RPC service for Spotlight. Attackers can send specially crafted RPC packets with a zero count value, causing the service to consume 100% CPU and resulting in denial of service. Any system running vulnerable Samba versions with Spotlight enabled is affected.
💻 Affected Systems
- Samba
📦 What is this software?
Fedora by Fedoraproject
Samba by Samba
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service on the Samba server, making file shares inaccessible and consuming all CPU resources until manual intervention.
Likely Case
Service disruption on affected Samba servers, requiring restart of the smbd service to restore functionality.
If Mitigated
Minimal impact if patched or if Spotlight functionality is disabled.
🎯 Exploit Status
Exploitation requires network access to Samba's RPC service and valid Samba credentials. The vulnerability is simple to trigger with crafted packets.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Samba 4.18.6, 4.17.10, 4.16.14 or later
Vendor Advisory: https://access.redhat.com/errata/RHSA-2023:6667
Restart Required: Yes
Instructions:
1. Update Samba packages using your distribution's package manager.
2. For RHEL/CentOS: 'yum update samba'.
3. For Debian/Ubuntu: 'apt update && apt upgrade samba'.
4. Restart smbd service: 'systemctl restart smbd'.
🔧 Temporary Workarounds
Disable Spotlight functionality
Linux: Disable the vfs_fruit module or Spotlight metadata sharing to prevent exploitation.
Edit smb.conf and remove or comment out 'vfs objects = fruit'
Set 'fruit:metadata = none' and 'fruit:resource = none' in smb.conf
Restrict RPC access
Linux: Limit access to Samba RPC services using firewall rules.
iptables -A INPUT -p tcp --dport 445 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 445 -j DROP
🧯 If You Can't Patch
- Disable Spotlight functionality in Samba configuration
- Implement network segmentation to restrict access to Samba servers
🔍 How to Verify
Check if Vulnerable:
Check Samba version with 'smbd --version' and compare against patched versions. Also check if Spotlight is enabled in smb.conf.
Check Version:
smbd --version
Verify Fix Applied:
Verify Samba version is 4.18.6/4.17.10/4.16.14 or later with 'smbd --version'. Test RPC functionality remains working.
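The two checks above (installed version, and whether Spotlight is enabled) can be scripted. The following is an added example, not part of the original advisory or of Samba's own tooling. It assumes `smbd --version` prints a line of the form `Version X.Y.Z`, reads the `spotlight` parameter from smb.conf or `testparm -s` output, and uses hypothetical function names (`version_status`, `spotlight_enabled`, `assess`).

```shell
# Added example, not from the advisory. Fixed releases are the ones this page lists.

# Print the fixed patch level for a branch; fail if this page lists none for it.
fixed_patch() {
    case "$1" in
        4.18) echo 6 ;;
        4.17) echo 10 ;;
        4.16) echo 14 ;;
        *) return 1 ;;
    esac
}

# $1: `smbd --version` output. Prints patched, vulnerable or unknown.
version_status() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^Version \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$ver" ] || { echo unknown; return 0; }
    major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*}; patch=${rest#*.}
    if [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -gt 18 ]; }; then
        echo patched            # branch newer than every fix listed here
    elif fixed=$(fixed_patch "$major.$minor"); then
        if [ "$patch" -ge "$fixed" ]; then echo patched; else echo vulnerable; fi
    else
        echo unknown            # branch with no fixed release on this page
    fi
}

# stdin: smb.conf text or `testparm -s` output. Succeeds if Spotlight is enabled
# in any section; commented-out lines do not match.
spotlight_enabled() {
    grep -Eiq '^[[:space:]]*spotlight[[:space:]]*=[[:space:]]*(yes|true|on|1)[[:space:]]*$'
}

# $1: version output, $2: config text. Prints spotlight-off or the version status.
assess() {
    if printf '%s\n' "$2" | spotlight_enabled; then
        version_status "$1"
    else
        echo spotlight-off
    fi
}

# Constructed sample input, not captured from a real host.
sample_conf='[global]
   workgroup = EXAMPLE
[share]
   spotlight = Yes'
assess "Version 4.17.9" "$sample_conf"    # prints: vulnerable
# Live use: assess "$(smbd --version)" "$(testparm -s 2>/dev/null)"
```

Distribution packages often carry backported fixes under an older upstream version number, so a `vulnerable` or `unknown` result on a vendor build should be confirmed against the vendor's errata.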
📡 Detection & Monitoring
Log Indicators:
- High CPU usage by smbd process
- Repeated RPC connection attempts to mdssvc
- Process restart logs for smbd service
Network Indicators:
- Unusual RPC traffic patterns to port 445
- Multiple malformed RPC packets to Samba services
SIEM Query:
source="samba.log" AND ("mdssvc" OR "high cpu" OR "smbd restart")
🔗 References
- https://access.redhat.com/errata/RHSA-2023:6667
- https://access.redhat.com/errata/RHSA-2023:7139
- https://access.redhat.com/errata/RHSA-2024:0423
- https://access.redhat.com/errata/RHSA-2024:0580
- https://access.redhat.com/errata/RHSA-2024:4101
- https://access.redhat.com/security/cve/CVE-2023-34966
- https://bugzilla.redhat.com/show_bug.cgi?id=2222793
- https://www.samba.org/samba/security/CVE-2023-34966
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BPCSGND7LO467AJGR5DYBGZLTCGTOBCC/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OT74M42E6C36W7PQVY3OS4ZM7DVYB64Z/
- https://security.netapp.com/advisory/ntap-20230731-0010/
- https://www.debian.org/security/2023/dsa-5477