The Samba-Bugzilla – Attachment 16886 Details for Bug 14468: CVE-2021-3738 [SECURITY] crash in dsdb stack
advisory test (v03)
CVE-2021-3738-dsdb-crash-03.txt (text/plain), 1.93 KB, created by Douglas Bagnall on 2021-10-28 22:30:25 UTC
>===========================================================
>== Subject:     Use after free in Samba AD DC RPC server
>==
>== CVE ID#:     CVE-2021-3738
>==
>== Versions:    All versions of Samba since Samba 4.0
>==
>== Summary:     The AD DC RPC server can use memory that was
>                free()ed when a sub-connection is closed
>===========================================================
>
>===========
>Description
>===========
>
>In DCE/RPC it is possible to share the handles (cookies for resource
>state) between multiple connections via a mechanism called
>'association groups'. These handles can reference connections to our
>sam.ldb database. However while the database was correctly shared, the
>user credentials state was only pointed at, and when one connection
>within that association group ended, the database would be left
>pointing at an invalid 'struct session_info'.
>
>The most likely outcome here is a crash, but it is possible that the
>use-after-free could instead allow different user state to be pointed
>at and this might allow more privileged access.
>
>==================
>Patch Availability
>==================
>
>Patches addressing both these issues have been posted to:
>
>    https://www.samba.org/samba/security/
>
>Additionally, Samba $VERSIONS have been issued
>as security releases to correct the defect. Samba administrators are
>advised to upgrade to these releases or apply the patch as soon
>as possible.
>
>==================
>CVSSv3 calculation
>==================
>
>CVSSv3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H (7.6)
>
>==========
>Workaround
>==========
>
>None.
>
>=======
>Credits
>=======
>
>Originally reported by William Ross, City West Country Ltd.
>
>Patches provided by Stefan Metzmacher of SerNet and the Samba Team.
>Advisory and backport by Andrew Bartlett of Catalyst and the Samba
>Team.
>
>==========================================================
>== Our Code, Our Bugs, Our Responsibility.
>== The Samba Team
>==========================================================
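The lifetime problem in the Description, shown as a small constructed model. This is an added example, not Samba code and not the Samba patch. The names `shared_db`, `db_attach` and `stale_after_conn_close` are hypothetical, and reference counting stands in as one general way to keep the credentials state alive for as long as the shared handle exists.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model types; names are illustrative, not Samba's. */
struct session_info { int refs; char user[32]; };
struct shared_db { struct session_info *session; int holds_ref; };
static int live_sessions; /* session_info objects not yet freed */

static struct session_info *session_new(const char *user)
{
    struct session_info *s = calloc(1, sizeof(*s));
    if (s == NULL) abort();
    s->refs = 1;
    strncpy(s->user, user, sizeof(s->user) - 1);
    live_sessions++;
    return s;
}

static void session_unref(struct session_info *s)
{
    if (--s->refs == 0) { free(s); live_sessions--; }
}

/* take_ref == 0: handle only points at the connection's session (weak form).
 * take_ref == 1: handle holds its own reference (hardened form). */
static void db_attach(struct shared_db *db, struct session_info *s, int take_ref)
{
    if (take_ref) s->refs++;
    db->session = s;
    db->holds_ref = take_ref;
}

static void db_close(struct shared_db *db)
{
    if (db->holds_ref) session_unref(db->session);
    db->session = NULL;
}

/* Returns 1 if the still-open handle has no live session after its connection ends. */
static int stale_after_conn_close(int take_ref)
{
    struct shared_db db;
    struct session_info *conn_session = session_new("alice"); /* constructed user */
    db_attach(&db, conn_session, take_ref);
    session_unref(conn_session);      /* one connection in the group ends */
    int stale = (live_sessions == 0); /* checked without touching db.session */
    db_close(&db);
    return stale;
}
int main(void) { return !(stale_after_conn_close(0) && !stale_after_conn_close(1)); }
```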
Flags: abartlet: review+, metze: review+