CVE-2021-3738 - OpenCVE

In DCE/RPC it is possible to share the handles (cookies for resource state) between multiple connections via a mechanism called 'association groups'. These handles can reference connections to our sam.ldb database. However while the database was correctly shared, the user credentials state was only pointed at, and when one connection within that association group ended, the database would be left pointing at an invalid 'struct session_info'. The most likely outcome here is a crash, but it is possible that the use-after-free could instead allow different user state to be pointed at and this might allow more privileged access.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Samba	Samba

Configuration 1 [-]

OR	cpe:2.3:a:samba:samba::::::::
	cpe:2.3:a:samba:samba::::::::
	cpe:2.3:a:samba:samba::::::::

No data.

References

Link	Providers
https://bugzilla.redhat.com/show_bug.cgi?id=2021726
https://bugzilla.samba.org/show_bug.cgi?id=14468
https://nvd.nist.gov/vuln/detail/CVE-2021-3738
https://security.gentoo.org/glsa/202309-06
https://www.cve.org/CVERecord?id=CVE-2021-3738
https://www.samba.org/samba/security/CVE-2021-3738.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2022-03-02T00:00:00

Updated: 2024-08-03T17:01:07.949Z

Reserved: 2021-08-26T00:00:00

Link: CVE-2021-3738

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-03-02T23:15:09.070

Modified: 2023-09-17T09:15:09.923

Link: CVE-2021-3738

Redhat

Severity : Moderate

Publid Date: 2021-11-09T00:00:00Z

Links: CVE-2021-3738 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2021-3738", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "dateUpdated": "2024-08-03T17:01:07.949Z", "dateReserved": "2021-08-26T00:00:00", "datePublished": "2022-03-02T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2023-09-17T08:06:18.717152"}, "descriptions": [{"lang": "en", "value": "In DCE/RPC it is possible to share the handles (cookies for resource state) between multiple connections via a mechanism called 'association groups'. These handles can reference connections to our sam.ldb database. However while the database was correctly shared, the user credentials state was only pointed at, and when one connection within that association group ended, the database would be left pointing at an invalid 'struct session_info'. The most likely outcome here is a crash, but it is possible that the use-after-free could instead allow different user state to be pointed at and this might allow more privileged access."}], "affected": [{"vendor": "n/a", "product": "samba", "versions": [{"version": "Affects all versions since samba 4.0 | Fixedin samba v4.15.2, v4.14.10 and v4.13.14", "status": "affected"}]}], "references": [{"url": "https://www.samba.org/samba/security/CVE-2021-3738.html"}, {"url": "https://bugzilla.samba.org/show_bug.cgi?id=14468"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2021726"}, {"name": "GLSA-202309-06", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202309-06"}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-416 - Use After Free", "cweId": "CWE-416"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T17:01:07.949Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.samba.org/samba/security/CVE-2021-3738.html", "tags": ["x_transferred"]}, {"url": "https://bugzilla.samba.org/show_bug.cgi?id=14468", "tags": ["x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2021726", "tags": ["x_transferred"]}, {"name": "GLSA-202309-06", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202309-06"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:*", "matchCriteriaId": "90E25F32-0EA6-4663-8031-D7473716820A", "versionEndExcluding": "4.13.14", "versionStartIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:*", "matchCriteriaId": "E2BD5F53-14DC-4BBF-8E5D-A1DBD24B5F02", "versionEndExcluding": "4.14.10", "versionStartIncluding": "4.14.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:*", "matchCriteriaId": "8F33C9B3-33EE-431B-93CF-B738D05BBD0A", "versionEndExcluding": "4.15.2", "versionStartIncluding": "4.15.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In DCE/RPC it is possible to share the handles (cookies for resource state) between multiple connections via a mechanism called 'association groups'. These handles can reference connections to our sam.ldb database. However while the database was correctly shared, the user credentials state was only pointed at, and when one connection within that association group ended, the database would be left pointing at an invalid 'struct session_info'. The most likely outcome here is a crash, but it is possible that the use-after-free could instead allow different user state to be pointed at and this might allow more privileged access."}, {"lang": "es", "value": "En DCE/RPC es posible compartir los manejadores (cookies para el estado de los recursos) entre m\u00faltiples conexiones por medio de un mecanismo llamado \"association groups\". Estos manejadores pueden hacer referencia a conexiones a nuestra base de datos sam.ldb. Sin embargo, mientras la base de datos era compartida correctamente, el estado de las credenciales del usuario s\u00f3lo era apuntado, y cuando una conexi\u00f3n dentro de ese grupo de asociaci\u00f3n terminaba, la base de datos quedaba apuntando a una \"struct session_info\" no v\u00e1lida. El resultado m\u00e1s probable en este caso es un bloqueo, pero es posible que un uso de memoria previamente liberada permita apuntar a un estado de usuario diferente y esto podr\u00eda permitir un acceso m\u00e1s privilegiado"}], "id": "CVE-2021-3738", "lastModified": "2023-09-17T09:15:09.923", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-03-02T23:15:09.070", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2021726"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://bugzilla.samba.org/show_bug.cgi?id=14468"}, {"source": "secalert@redhat.com", "url": "https://security.gentoo.org/glsa/202309-06"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://www.samba.org/samba/security/CVE-2021-3738.html"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-416"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank William Ross (City West Country Ltd.) for reporting this issue. Upstream acknowledges the Samba project as the original reporter.", "bugzilla": {"description": "samba: Use after free in Samba AD DC RPC server", "id": "2021726", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2021726"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.6", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H", "status": "draft"}, "cwe": "CWE-416", "details": ["In DCE/RPC it is possible to share the handles (cookies for resource state) between multiple connections via a mechanism called 'association groups'. These handles can reference connections to our sam.ldb database. However while the database was correctly shared, the user credentials state was only pointed at, and when one connection within that association group ended, the database would be left pointing at an invalid 'struct session_info'. The most likely outcome here is a crash, but it is possible that the use-after-free could instead allow different user state to be pointed at and this might allow more privileged access."], "name": "CVE-2021-3738", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "samba", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "samba4", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "samba", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "samba", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "samba", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "samba", "product_name": "Red Hat Storage 3"}], "public_date": "2021-11-09T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-3738\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-3738\nhttps://www.samba.org/samba/security/CVE-2021-3738.html"], "threat_severity": "Moderate", "upstream_fix": "samba 4.15.2, samba 4.14.10, samba 4.13.14"}