The Samba-Bugzilla – Attachment 16830 Details for
Bug 14468
CVE-2021-3738 [SECURITY] crash in dsdb stack
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
advisory text (v02)
CVE-2021-3738-dsdb-crash-02.txt (text/plain), 1.93 KB, created by
Andrew Bartlett
on 2021-09-28 08:42:40 UTC
(
hide
)
Description:
advisory text (v02)
Filename:
MIME Type:
Creator:
Andrew Bartlett
Created:
2021-09-28 08:42:40 UTC
Size:
1.93 KB
patch
obsolete
>=========================================================== >== Subject: Use after free in Samba AD DC RPC server >== >== CVE ID#: CVE-2021-3738 >== >== Versions: All versions of Samba since Samba 4.0 >== >== Summary: The AD DC RPC server can use memory that was > free()ed when a sub-connection is closed >=========================================================== > >=========== >Description >=========== > >In DCE/RPC it is possible to share the handles (cookies for >resource state) between multiple connections via a mechanism >called 'association groups'. These handles can reference >connections to our sam.ldb database. However while the database >was correctly shared, the user credentials state was only pointed >at, and when one connection within that association group ended, >the database would be left pointing at an invalid >'struct session_info'. > >The most likely outcome here is a crash, but it is possible that the >use-after-free could instead allow different user state to be pointed >at and this might allow more privileged access. > >================== >Patch Availability >================== > >Patches addressing both these issues have been posted to: > > https://www.samba.org/samba/security/ > >Additionally, Samba $VERSIONS have been issued >as security releases to correct the defect. Samba administrators are >advised to upgrade to these releases or apply the patch as soon >as possible. > >================== >CVSSv3 calculation >================== > >CVSSv3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H (7.6) > >========== >Workaround >========== > >None. > >======= >Credits >======= > >Originally reported by William Ross, City West Country Ltd. > >Patches provided by Stefan Metzmacher of SerNet and the Samba Team. >Advisory and backport by Andrew Bartlett of Catalyst and >the Samba Team > >========================================================== >== Our Code, Our Bugs, Our Responsibility. >== The Samba Team >========================================================== >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Actions:
View
Attachments on
bug 14468
:
16718
|
16820
|
16821
|
16822
|
16823
|
16824
|
16827
|
16828
|
16829
|
16830
|
16886
|
16971
|
16975