CVE-2021-3738 : In DCE/RPC it is possible to share the handles (cookies for resource state) between multiple connections via a mechanism

In DCE/RPC it is possible to share the handles (cookies for resource state) between multiple connections via a mechanism called 'association groups'. These handles can reference connections to our sam.ldb database. However while the database was correctly shared, the user credentials state was only pointed at, and when one connection within that association group ended, the database would be left pointing at an invalid 'struct session_info'. The most likely outcome here is a crash, but it is possible that the use-after-free could instead allow different user state to be pointed at and this might allow more privileged access.

Published 2022-03-02 23:15:09

Updated 2023-09-17 09:15:10

Source Red Hat, Inc.

View at NVD, CVE.org

Vulnerability category: Memory Corruption

Threat overview for CVE-2021-3738

Top countries where our scanners detected CVE-2021-3738

Top open port discovered on systems with this issue 445

IPs affected by CVE-2021-3738 143,465

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2021-3738!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2021-3738

Probability of exploitation activity in the next 30 days: 0.23%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 61 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2021-3738

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.5	MEDIUM	AV:N/AC:L/Au:S/C:P/I:P/A:P	8.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	2.8	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2021-3738

CWE-416 Use After Free

Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.
Assigned by:
- nvd@nist.gov (Primary)
- secalert@redhat.com (Secondary)

References for CVE-2021-3738

https://www.samba.org/samba/security/CVE-2021-3738.html

Vendor Advisory
https://bugzilla.samba.org/show_bug.cgi?id=14468

Issue Tracking;Patch;Vendor Advisory
https://security.gentoo.org/glsa/202309-06

Samba: Multiple Vulnerabilities (GLSA 202309-06) — Gentoo security

CVEs referencing this url
https://bugzilla.redhat.com/show_bug.cgi?id=2021726

2021726 – (CVE-2021-3738) CVE-2021-3738 samba: Use after free in Samba AD DC RPC server
Issue Tracking;Third Party Advisory

Products affected by CVE-2021-3738