===========================================================
== Subject:     Use after free in Samba AD DC RPC server
==
== CVE ID#:     CVE-2021-3738
==
== Versions:    All versions of Samba since Samba 4.0
==
== Summary:     The AD DC RPC server can use memory that was
                free()ed when a sub-connection is closed
===========================================================

===========
Description
===========

In DCE/RPC it is possible to share the handles (cookies for resource
state) between multiple connections via a mechanism called
'association groups'. These handles can reference connections to our
sam.ldb database. However while the database was correctly shared, the
user credentials state was only pointed at, and when one connection
within that association group ended, the database would be left
pointing at an invalid 'struct session_info'.

The most likely outcome here is a crash, but it is possible that the
use-after-free could instead allow different user state to be pointed
at and this might allow more privileged access.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba $VERSIONS have been issued
as security releases to correct the defect.  Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSSv3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H (7.6)

==========
Workaround
==========

None.

=======
Credits
=======

Originally reported by William Ross, City West Country Ltd.

Patches provided by Stefan Metzmacher of SerNet and the Samba Team.
Advisory and backport by Andrew Bartlett of Catalyst and the Samba
Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================