CVE-2021-3738

NameCVE-2021-3738
DescriptionIn DCE/RPC it is possible to share the handles (cookies for resource state) between multiple connections via a mechanism called 'association groups'. These handles can reference connections to our sam.ldb database. However while the database was correctly shared, the user credentials state was only pointed at, and when one connection within that association group ended, the database would be left pointing at an invalid 'struct session_info'. The most likely outcome here is a crash, but it is possible that the use-after-free could instead allow different user state to be pointed at and this might allow more privileged access.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-5003-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
samba (PTS)jessie, jessie (lts)2:4.2.14+dfsg-0+deb8u16vulnerable
stretch (security)2:4.5.16+dfsg-1+deb9u4vulnerable
stretch (lts), stretch2:4.5.16+dfsg-1+deb9u5vulnerable
buster (security), buster, buster (lts)2:4.9.5+dfsg-5+deb10u5vulnerable
bullseye (security), bullseye2:4.13.13+dfsg-1~deb11u6fixed
bookworm (security), bookworm2:4.17.12+dfsg-0+deb12u1fixed
sid, trixie2:4.21.1+dfsg-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
sambasourcebullseye2:4.13.13+dfsg-1~deb11u2DSA-5003-1
sambasource(unstable)2:4.13.14+dfsg-1

Notes

[buster] - samba <ignored> (Domain controller functionality is EOLed, see DSA-5015-1)
https://bugzilla.samba.org/show_bug.cgi?id=14468
https://www.samba.org/samba/security/CVE-2021-3738.html
[stretch] - samba <ignored> (Minor issue; affects Samba as AD DC; EOLed)
[jessie] - samba <ignored> (Minor issue; affects Samba as AD DC; EOLed)
Search for package or bug name: Reporting problems