CVE-2021-3738

8.8 HIGH

📋 TL;DR

CVE-2021-3738 is a use-after-free in the DCE/RPC server of the Samba Active Directory Domain Controller. DCE/RPC "association groups" let several connections share handles, and in the Samba AD DC such a shared handle could keep referencing a connection's 'struct session_info' (the caller's authenticated identity) after that connection had been closed and the structure freed. A later call through the shared handle then dereferences freed memory: in the common case the samba process crashes, but if the memory has already been reused for another user's session state the call runs with that user's privileges, which is the privilege-escalation path. Only Samba deployed as an AD DC is affected; Samba instances serving files as a standalone or member server do not run this code.

💻 Affected Systems

Products:
  • Samba
Versions: Samba AD DC releases before the 31 January 2022 security releases: 4.13.x before 4.13.17, 4.14.x before 4.14.12 and 4.15.x before 4.15.5. Older branches since 4.0 were already end of life and never received the fix.
Operating Systems: Linux/Unix systems running Samba as an Active Directory Domain Controller
Default Config Vulnerable: ⚠️ Yes for any AD DC provision (no non-default setting is needed); the default standalone file-server configuration is not affected
Notes: Only affects Samba configured with 'server role = active directory domain controller', whose DCE/RPC server implements association groups. Standalone file servers and domain member servers without the AD DC role are not affected.

📦 What is this software?

Samba is the open-source implementation of the SMB/CIFS file and print protocols and, since version 4.0, of a full Active Directory Domain Controller (Kerberos KDC, LDAP directory and the DCE/RPC services a Windows domain depends on). The vulnerable code is the AD DC's DCE/RPC server, which runs inside the samba process rather than in smbd.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An authenticated domain user's RPC call executes with the session state of a more privileged user whose connection in the same association group ended earlier, giving privilege escalation on the domain controller itself and, through it, over the domain and the data it protects.

🟠

Likely Case

The samba process serving DCE/RPC panics when it dereferences the freed 'struct session_info', so the DC's RPC services, and the authentication and directory operations that depend on them, are disrupted until the process is restarted.

🟢

If Mitigated

Limited impact with proper network segmentation, access controls, and monitoring in place.

🌐 Internet-Facing: MEDIUM - Samba AD DCs exposed to the internet could be targeted, but exploitation needs valid domain credentials and an established DCE/RPC session, and the trigger conditions are hard to arrange.
🏢 Internal Only: HIGH - Any domain user, or a compromised workstation with a domain identity, can reach the DC's DCE/RPC endpoints and attempt to escalate privileges inside the network.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: HIGH

Exploitation requires a valid domain account, a DCE/RPC session to the DC, and control over the timing of connection teardown within an association group so that the freed session memory is reused before the dangling handle is used again. No public exploit has been documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Samba 4.13.17, 4.14.12, 4.15.5 and later

Vendor Advisory: https://www.samba.org/samba/security/CVE-2021-3738.html

Restart Required: Yes

Instructions:

1. Identify the running version with 'smbd -V' (or 'samba -V' on a DC) and confirm the role with 'testparm -s | grep "server role"'; only 'active directory domain controller' is affected.
2. Update through the package manager: 'apt update && apt upgrade samba' (Debian/Ubuntu) or 'yum update samba' (RHEL/CentOS), or rebuild from the 4.13.17 / 4.14.12 / 4.15.5 release tarball if you build Samba yourself.
3. Restart the DC so the new samba binary is loaded: 'systemctl restart samba-ad-dc' (Debian/Ubuntu packaging; other packagings name the unit 'samba'). Member and standalone servers restart with 'systemctl restart smbd nmbd winbind'.

🔧 Temporary Workarounds

Disable AD DC role if not needed

linux

If Samba on this host is only a file server, confirm it is not provisioned as a DC: the affected code runs only under 'server role = active directory domain controller'. A provisioned DC cannot simply switch roles. Demoting it ('samba-tool domain demote') removes it from the domain, so for a real DC the only remedy is the update.

# Confirm the configured role; only "active directory domain controller" runs the affected RPC server
testparm -s 2>/dev/null | grep -i 'server role'
# Functional level is only meaningful (and only works) on a provisioned DC
samba-tool domain level show
# Demotion removes this host from the domain: a migration step, not a hotfix
# samba-tool domain demote

Network segmentation

linux

Restrict access to the DC's DCE/RPC endpoints to trusted networks only: the endpoint mapper (135), SMB named pipes (139, 445) and the dynamic RPC port range the endpoint mapper hands out (49152-65535 by default, set with 'rpc server dynamic port range'). This does not stop an attacker who already holds a domain account on a trusted segment.

# Example iptables rules; 10.0.0.0/8 is a placeholder for your trusted client range
TRUSTED=10.0.0.0/8
iptables -A INPUT -p tcp -m multiport --dports 135,139,445,49152:65535 -s "$TRUSTED" -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 135,139,445,49152:65535 -j DROP

🧯 If You Can't Patch

  • Implement strict access controls to limit which users can authenticate to Samba services
  • Monitor for unusual authentication patterns or service crashes that might indicate exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Run 'smbd -V' (or 'samba -V' on a DC) and check whether the version is 4.13.0-4.13.16, 4.14.0-4.14.11 or 4.15.0-4.15.4; any 4.x release older than 4.13 is also unfixed. Then confirm the host is actually a DC with 'testparm -s | grep "server role"': only 'active directory domain controller' is affected, whatever the version.

Check Version:

smbd -V

Verify Fix Applied:

After patching, verify the version is 4.13.17+, 4.14.12+ or 4.15.5+ with 'smbd -V' or 'samba -V', confirm the samba process was restarted after the update (a running pre-update binary still carries the bug), and test that Kerberos, LDAP and DCE/RPC operations work normally, for example with 'samba-tool dbcheck' and a domain logon.
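The two checks above, a version comparison against the fixed releases and a role check, as one POSIX shell script. This is an added example, not Samba project code; the fixed-release numbers come from the vendor advisory, and the function names are this example's own. The version function accepts the raw first line of 'smbd -V' / 'samba -V' so it can be dropped into an inventory job.

```sh
#!/bin/sh
# Added example, not Samba project code. Classifies a Samba version string
# against the security releases that fix CVE-2021-3738 (4.13.17, 4.14.12,
# 4.15.5) and recognises the AD DC role in "testparm -s" output, since only
# that role runs the affected DCE/RPC server.

# cve_2021_3738_vulnerable VERSION
#   VERSION may be the raw first line of "smbd -V" or "samba -V"
#   ("Version 4.15.4-Debian") or a bare "4.15.4".
#   Returns 0 = vulnerable, 1 = carries the fix, 2 = not a Samba 4.x version.
cve_2021_3738_vulnerable() {
    v=${1#Version }
    v=${v%%[!0-9.]*}              # drop distro/rc suffixes: 4.15.4-Debian -> 4.15.4
    case $v in
        *.*.*) ;;
        *) return 2 ;;
    esac
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%.*}
    [ "$major" = 4 ] || return 2
    case $minor in
        13) fix=17 ;;
        14) fix=12 ;;
        15) fix=5 ;;
        *)
            # 4.12 and older were end of life when the fix shipped and never
            # received it; 4.16 and newer were cut after the fix.
            [ "$minor" -lt 13 ] && return 0
            return 1 ;;
    esac
    [ "$patch" -lt "$fix" ]
}

# is_ad_dc TESTPARM_OUTPUT
#   Pass "$(testparm -s 2>/dev/null)"; returns 0 when the dumped [global]
#   section declares "server role = active directory domain controller".
is_ad_dc() {
    printf '%s\n' "$1" |
        grep -qi '^[[:space:]]*server role[[:space:]]*=[[:space:]]*active directory domain controller'
}

# report_local_host: run both checks against the Samba installed on this host.
report_local_host() {
    ver=$( { samba -V 2>/dev/null || smbd -V 2>/dev/null; } | head -n 1 )
    conf=$(testparm -s 2>/dev/null)
    if ! is_ad_dc "$conf"; then
        echo "not an AD DC ($ver): CVE-2021-3738 does not apply"
        return 0
    fi
    rc=0
    cve_2021_3738_vulnerable "$ver" || rc=$?
    case $rc in
        0) echo "AD DC on $ver: VULNERABLE, update to 4.13.17 / 4.14.12 / 4.15.5 or later" ;;
        1) echo "AD DC on $ver: fix present" ;;
        *) echo "AD DC on '$ver': version not recognised, compare against the advisory by hand" ;;
    esac
}

# Only attempt the live check where the Samba tools exist.
if command -v testparm >/dev/null 2>&1; then
    report_local_host
fi
```

The role check matters as much as the version check: a 4.15.4 file server reports as "vulnerable" on version alone but runs none of the affected code, while a DC that was updated without a restart still executes the old binary, which no version string will reveal.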

📡 Detection & Monitoring

Log Indicators:

  • The samba process panicking: 'INTERNAL ERROR: Signal 11 in pid ...' and 'PANIC (pid ...)' lines in log.samba, or a kernel 'segfault' report for the samba process in syslog/journal
  • Unusual authentication patterns in the Samba auth log, in particular one client opening and closing many DCE/RPC connections under different accounts in quick succession
  • RPC services becoming unavailable to clients while the DC stays up, which is how a crashed RPC child shows from the outside

Network Indicators:

  • Multiple DCE/RPC connections from single source with different credentials
  • Unusual traffic patterns on ports 135, 139, 445

SIEM Query:

source="samba.log" AND ("INTERNAL ERROR: Signal" OR "PANIC (pid" OR "segfault at")
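The log indicators above, turned into a small detector that groups the crash markers by process id so that one panic (banner line plus PANIC line) is counted once. This is an added example, not Samba project code; the sample log lines are constructed to look like Samba's log.samba and a kernel segfault report, not a capture from a real incident.

```sh
#!/bin/sh
# Added example, not Samba project code: pull crash events out of Samba and
# kernel logs. A process dying on a dangling session_info pointer leaves the
# smb_panic() banner ("INTERNAL ERROR: Signal 11 in pid N") and its
# "PANIC (pid N)" line in log.samba, or a kernel "segfault" line in syslog.
# Each crashing pid is reported once with the markers seen for it.

# samba_crash_events: reads log text on stdin, prints "pid<TAB>markers".
samba_crash_events() {
    awk '
    # smb_panic() banner written by the crashing Samba process
    match($0, /INTERNAL ERROR: Signal [0-9]+ in pid [0-9]+/) {
        p = substr($0, RSTART, RLENGTH); sub(/.*in pid /, "", p)
        seen[p] = seen[p] "internal_error,"
    }
    # companion line from the same panic handler
    match($0, /PANIC \(pid [0-9]+\)/) {
        p = substr($0, RSTART, RLENGTH); sub(/.*pid /, "", p); sub(/\)/, "", p)
        seen[p] = seen[p] "panic,"
    }
    # kernel fault report for one of the Samba daemons
    match($0, /(samba|smbd|winbindd)\[[0-9]+]: segfault at/) {
        p = substr($0, RSTART, RLENGTH); sub(/.*\[/, "", p); sub(/].*/, "", p)
        seen[p] = seen[p] "segfault,"
    }
    END {
        for (p in seen) { sub(/,$/, "", seen[p]); print p "\t" seen[p] }
    }' | sort -n
}

# samba_crash_count: number of distinct crashing pids in the log on stdin.
samba_crash_count() {
    samba_crash_events | awk 'END { print NR }'
}

# Constructed sample, not a real capture: a DC process (pid 4711) panicking,
# a kernel report for pid 4712, plus unrelated lines that must not match.
SAMPLE_LOG=$(cat <<'EOF'
[2022/01/20 10:13:58.004411,  3] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
  Auth: [DCE/RPC,ncacn_np] user [EXAMPLE]\[alice] status [NT_STATUS_OK] remote host [ipv4:10.0.0.5:49892]
[2022/01/20 10:14:03.118213,  0] ../../lib/util/fault.c:173(smb_panic_log)
  ===============================================================
[2022/01/20 10:14:03.118290,  0] ../../lib/util/fault.c:177(smb_panic_log)
  INTERNAL ERROR: Signal 11 in pid 4711 (4.15.4-Debian)
[2022/01/20 10:14:03.118330,  0] ../../lib/util/fault.c:186(smb_panic_log)
  PANIC (pid 4711): internal error
Jan 20 10:14:05 dc1 kernel: samba[4712]: segfault at 8 ip 00007f3c1a2b4c10 sp 00007ffd0e1c3a40 error 4 in samba[55e0c4b2a000+1a000]
Jan 20 10:14:09 dc1 kernel: sshd[900]: segfault at 0 ip 000055d5c3a1b2c0 sp 00007ffc9a0d1e10 error 6 in sshd[55d5c3a00000+c0000]
EOF
)

# On a real host run it over the DC log instead:
#   samba_crash_events < /var/log/samba/log.samba
printf '%s\n' "$SAMPLE_LOG" | samba_crash_events
```

A crash is not proof of exploitation, and exploitation that succeeds in reusing another user's session leaves no crash at all, so pair this with the authentication-log indicators: the same source address cycling through several accounts over DCE/RPC just before a panic is the pattern worth escalating.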

🔗 References