CVE-2021-3738

NameCVE-2021-3738
DescriptionIn DCE/RPC it is possible to share the handles (cookies for resource state) between multiple connections via a mechanism called 'association groups'. These handles can reference connections to our sam.ldb database. However while the database was correctly shared, the user credentials state was only pointed at, and when one connection within that association group ended, the database would be left pointing at an invalid 'struct session_info'. The most likely outcome here is a crash, but it is possible that the use-after-free could instead allow different user state to be pointed at and this might allow more privileged access.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-5003-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
samba (PTS)bullseye (security), bullseye2:4.13.13+dfsg-1~deb11u6fixed
bookworm, bookworm (security)2:4.17.12+dfsg-0+deb12u1fixed
trixie2:4.21.2+dfsg-3fixed
sid2:4.21.2+dfsg-4fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
sambasourcebullseye2:4.13.13+dfsg-1~deb11u2DSA-5003-1
sambasource(unstable)2:4.13.14+dfsg-1

Notes

[buster] - samba <ignored> (Domain controller functionality is EOLed, see DSA-5015-1)
https://bugzilla.samba.org/show_bug.cgi?id=14468
https://www.samba.org/samba/security/CVE-2021-3738.html

Search for package or bug name: Reporting problems