CVE-2021-3738 : In DCE/RPC it is possible to share the handles (cookies for resource state) betw

In DCE/RPC it is possible to share the handles (cookies for resource state) between multiple connections via a mechanism called 'association groups'. These handles can reference connections to our sam.ldb database. However while the database was correctly shared, the user credentials state was only pointed at, and when one connection within that association group ended, the database would be left pointing at an invalid 'struct session_info'. The most likely outcome here is a crash, but it is possible that the use-after-free could instead allow different user state to be pointed at and this might allow more privileged access.

Published 2022-03-02 23:15:09

Updated 2023-09-17 09:15:10

Source Red Hat, Inc.

View at NVD, CVE.org

Vulnerability category: Memory Corruption

Products affected by CVE-2021-3738

Samba » Samba
Versions from including (>=) 4.15.0 and before (<) 4.15.2
cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:*
Matching versions
Samba » Samba
Versions from including (>=) 4.0.0 and before (<) 4.13.14
cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:*
Matching versions
Samba » Samba
Versions from including (>=) 4.14.0 and before (<) 4.14.10
cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:*
Matching versions

Threat overview for CVE-2021-3738

Top countries where our scanners detected CVE-2021-3738

Top open port discovered on systems with this issue 445

IPs affected by CVE-2021-3738 218,413

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2021-3738!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2021-3738

EPSS FAQ

0.16%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 53 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-3738

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.5	MEDIUM	AV:N/AC:L/Au:S/C:P/I:P/A:P	8.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	2.8	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2021-3738

CWE-416 Use After Free

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Assigned by:
- nvd@nist.gov (Primary)
- secalert@redhat.com (Secondary)

References for CVE-2021-3738

https://www.samba.org/samba/security/CVE-2021-3738.html

Vendor Advisory
https://bugzilla.samba.org/show_bug.cgi?id=14468

Issue Tracking;Patch;Vendor Advisory
https://security.gentoo.org/glsa/202309-06

Samba: Multiple Vulnerabilities (GLSA 202309-06) — Gentoo security

CVEs referencing this url
https://bugzilla.redhat.com/show_bug.cgi?id=2021726

2021726 – (CVE-2021-3738) CVE-2021-3738 samba: Use after free in Samba AD DC RPC server
Issue Tracking;Third Party Advisory