CVE-2020-12243
📋 TL;DR
This vulnerability in OpenLDAP's slapd daemon (the filter parser in servers/slapd/filter.c) lets a remote, unauthenticated attacker crash the LDAP service by sending a search request whose filter contains deeply nested boolean expressions (AND/OR/NOT). It affects all OpenLDAP releases before 2.4.50, which introduced a limit on filter nesting depth (ITS#9202). Because the filter is decoded before any bind or access-control check is applied, any client that can reach the LDAP port can trigger the crash, disrupting authentication and directory lookups for everything that depends on the server.
💻 Affected Systems
- OpenLDAP slapd, all releases before 2.4.50 (the flaw is in the search filter parser, servers/slapd/filter.c); vendor builds that bundle slapd are listed below
📦 What is this software?
Brocade Fabric Operating System by Broadcom
Leap by Opensuse
Openldap by Openldap
Solaris by Oracle
Steelstore Cloud Integrated Storage by Netapp
Ubuntu Linux by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Complete LDAP service outage affecting authentication, authorization, and directory lookups for all dependent applications and users.
Likely Case
Service disruption requiring manual restart of slapd, causing temporary authentication failures for users and applications.
If Mitigated
Brief, self-healing interruptions if slapd is supervised and restarted automatically. A restart does not remove the bug, however: until the server is upgraded an attacker can repeat the crash at will, so monitoring and auto-restart only shorten each outage.
🎯 Exploit Status
Exploitation is trivial: a single LDAP SearchRequest carrying a syntactically valid but deeply nested filter is enough to crash slapd. The filter is parsed before any bind or access-control check is evaluated, so no credentials are required; the attacker only needs network reachability to the LDAP/LDAPS port.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.4.50 and later (upstream fix for ITS#9202, commit 98464c11)
Vendor Advisory: https://bugs.openldap.org/show_bug.cgi?id=9202
Restart Required: Yes
Instructions:
1. If slapd comes from your distribution or vendor, install the fixed package rather than building from source (see the Debian, Ubuntu, openSUSE, Apple, NetApp and Oracle advisories in the references). Vendors backport the fix, so a patched package may still report an upstream version of 2.4.4x.
2. Otherwise, download OpenLDAP 2.4.50 or later from openldap.org and build it.
3. Stop the slapd service.
4. Install the new version.
5. Restart slapd and confirm it is running the expected build (slapd -VV and the service status).
🔧 Temporary Workarounds
Filter validation via proxy
Deploy an LDAP proxy that parses incoming search filters, rejects those whose nesting depth exceeds a sane bound, and only then forwards the request to OpenLDAP. The proxy must not itself be an unpatched OpenLDAP slapd (for example back-ldap or back-meta), since it would parse the same filter and crash first.
Rate limiting
Throttle new LDAP connections at the network layer to slow down repeated crash attempts. This is a speed bump, not a fix: one crafted request is enough to crash slapd. Match only new connections, otherwise the limit also drops packets belonging to legitimate established sessions.
# Accept at most 10 new connections per minute (burst 20) to LDAP and LDAPS, drop the rest.
# Assumes an earlier rule already accepts ESTABLISHED,RELATED traffic.
iptables -A INPUT -p tcp -m multiport --dports 389,636 -m conntrack --ctstate NEW -m limit --limit 10/min --limit-burst 20 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 389,636 -m conntrack --ctstate NEW -j DROP
🧯 If You Can't Patch
- Restrict network access to the LDAP/LDAPS ports (389/636) to the hosts and subnets that need them; anything that can reach the port can crash the server
- Supervise slapd and restart it automatically on crash (for example Restart=on-failure in the systemd unit), and alert on every restart, since each one is a likely exploitation attempt
🔍 How to Verify
Check if Vulnerable:
Check the running build's version string: slapd -VV 2>&1 | grep 'OpenLDAP'
Anything reporting 2.4.49 or earlier is vulnerable unless the vendor has backported the fix. For packaged builds, compare the installed package version against the fixed version in your vendor's advisory (dpkg -s slapd on Debian/Ubuntu, rpm -qa 'openldap*' on RPM-based systems) rather than trusting the upstream number alone.
Verify Fix Applied:
Confirm the version string reports 2.4.50 or later (or the vendor's fixed package version), then exercise the server with a search filter nested far beyond anything your applications use and confirm that slapd rejects the request and keeps running instead of terminating.
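The version check above is easy to get wrong by hand (a string comparison puts "2.4.9" after "2.4.50", and vendor suffixes confuse simple greps). The following is an added example, not code from the page or from the OpenLDAP project: it parses the banner that slapd -VV prints, compares the upstream triple numerically against 2.4.50, and is explicit that a "vulnerable" result for a distribution build means "check the vendor advisory". The banner format and the sample banners are constructed from the usual "@(#) $OpenLDAP: slapd X.Y.Z (...) $" shape.

```python
import re
import subprocess
from typing import Optional, Tuple

# First upstream release that carries the ITS#9202 fix.
FIXED_VERSION = (2, 4, 50)

# slapd -VV prints a banner like (constructed example):
#   @(#) $OpenLDAP: slapd 2.4.49 (Apr 28 2020 10:12:34) $
# Distribution builds append packaging suffixes such as "2.4.49+dfsg-2ubuntu1.2";
# only the numeric triple is compared here.
_VERSION_RE = re.compile(r"\$OpenLDAP: slapd (\d+)\.(\d+)\.(\d+)")


def parse_slapd_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract the upstream (major, minor, patch) triple from slapd -VV output."""
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def upstream_version_vulnerable(banner: str) -> Optional[bool]:
    """Classify a slapd -VV banner against the 2.4.50 fix.

    Returns True for releases before 2.4.50, False for 2.4.50 and later,
    None when no version could be parsed. Tuples compare numerically,
    so 2.4.9 < 2.4.50 (a plain string comparison would get this wrong).

    Caveat: distributions backport the fix without changing the upstream
    number, so True means "check the vendor advisory", not "confirmed vulnerable".
    """
    version = parse_slapd_version(banner)
    if version is None:
        return None
    return version < FIXED_VERSION


def check_local_slapd(slapd_path: str = "slapd") -> Optional[bool]:
    """Run the local binary; slapd -VV writes its banner to stderr."""
    try:
        proc = subprocess.run([slapd_path, "-VV"], capture_output=True, text=True)
    except FileNotFoundError:
        return None  # no slapd on this host
    return upstream_version_vulnerable(proc.stderr + proc.stdout)


if __name__ == "__main__":
    # Constructed banners, not captured from real hosts.
    for banner in (
        "@(#) $OpenLDAP: slapd 2.4.49 (Apr 28 2020 10:12:34) $",
        "@(#) $OpenLDAP: slapd 2.4.49+dfsg-2ubuntu1.2 (Mar 01 2021 08:00:00) $",
        "@(#) $OpenLDAP: slapd 2.4.50 (Apr 28 2020 11:00:00) $",
        "@(#) $OpenLDAP: slapd 2.5.13 (Jan 10 2023 09:00:00) $",
    ):
        print(f"{banner!r}: pre-fix upstream version = {upstream_version_vulnerable(banner)}")
```

Run check_local_slapd() on the server itself; a True result on a packaged build is a prompt to compare the package version with the vendor advisory, not a verdict.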
📡 Detection & Monitoring
Log Indicators:
- Kernel or journal messages of the form "slapd[<pid>]: segfault at ..." (the crash is most often a SIGSEGV)
- systemd reporting "slapd.service: Main process exited, code=killed, status=11/SEGV" followed by a restart
- slapd stats logs (loglevel stats) showing SRCH operations whose filter="..." value nests far deeper than anything your applications generate, immediately before a gap in logging
Network Indicators:
- SearchRequest PDUs with unusually deep AND/OR/NOT nesting, typically from a single source and often on a connection that never performed a bind
- A spike in LDAP connections followed by refused or reset connections on 389/636 while slapd restarts
SIEM Query:
"slapd" AND ("segfault" OR "SIGSEGV" OR "status=11/SEGV" OR "Main process exited")
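The filter-nesting indicator above is the one worth automating, because it catches attempts whether or not they succeed in crashing the server. The following is an added example, not code from the page or from the OpenLDAP project: it scans slapd stats log lines (what loglevel stats emits via syslog), computes the nesting depth of each logged search filter, tracks the peer address and bind DN per connection so each hit can be attributed, and flags searches above a depth threshold. The log lines are constructed for the example, the threshold of 10 is an assumed tuning value, and the regexes follow the "conn=N op=M SRCH ... filter=..." format slapd uses.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed slapd "stats" log lines (what loglevel stats emits via syslog);
# not captured from a real host. Each search is logged as
#   conn=<n> op=<m> SRCH base="..." scope=<s> deref=<d> filter="<RFC 4515 filter>"
DEEP_FILTER = "(&" * 40 + "(objectClass=*)" + ")" * 40
SAMPLE_LOG = [
    'May  5 10:00:01 ldap1 slapd[1234]: conn=1000 fd=12 ACCEPT from IP=10.0.0.5:51000 (IP=0.0.0.0:389)',
    'May  5 10:00:01 ldap1 slapd[1234]: conn=1000 op=0 BIND dn="uid=app,ou=svc,dc=example,dc=com" method=128',
    'May  5 10:00:01 ldap1 slapd[1234]: conn=1000 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 '
    'filter="(&(objectClass=person)(|(uid=alice)(mail=alice@example.com)))"',
    'May  5 10:00:02 ldap1 slapd[1234]: conn=1001 fd=13 ACCEPT from IP=203.0.113.9:40222 (IP=0.0.0.0:389)',
    # No BIND on conn=1001: an anonymous search carrying a pathologically nested filter.
    'May  5 10:00:02 ldap1 slapd[1234]: conn=1001 op=0 SRCH base="" scope=2 deref=0 filter="' + DEEP_FILTER + '"',
]

ACCEPT_RE = re.compile(r"conn=(?P<conn>\d+) fd=\d+ ACCEPT from IP=(?P<ip>\S+?):\d+ ")
BIND_RE = re.compile(r'conn=(?P<conn>\d+) op=\d+ BIND dn="(?P<dn>[^"]*)" method=')
SRCH_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH .*? filter="(?P<filter>.*)"\s*$')

# Assumed tuning value: application-generated filters rarely nest more than a
# handful of levels; raise or lower it after baselining your own stats logs.
DEFAULT_MAX_DEPTH = 10


def filter_depth(filt: str) -> int:
    """Maximum parenthesis nesting depth of a filter in RFC 4515 string form.

    slapd escapes literal '(' and ')' inside assertion values (\\28, \\29) when
    it renders a filter for logging, so every raw parenthesis here is structural.
    """
    depth = deepest = 0
    for ch in filt:
        if ch == "(":
            depth += 1
            deepest = max(deepest, depth)
        elif ch == ")":
            depth -= 1
    return deepest


def find_deep_filters(
    lines: Iterable[str], max_depth: int = DEFAULT_MAX_DEPTH
) -> List[Tuple[str, str, int, str, str]]:
    """Return (conn, op, depth, bind_dn, source_ip) for every SRCH whose
    filter nests deeper than max_depth.

    Peer address and bind DN are tracked per connection so each hit can be
    attributed to a source and marked anonymous when no BIND preceded it,
    which is the pattern exploitation of this CVE leaves behind.
    """
    peer_ip: Dict[str, str] = {}
    bind_dn: Dict[str, str] = {}
    hits: List[Tuple[str, str, int, str, str]] = []
    for line in lines:
        m = ACCEPT_RE.search(line)
        if m:
            peer_ip[m["conn"]] = m["ip"]
            continue
        m = BIND_RE.search(line)
        if m:
            bind_dn[m["conn"]] = m["dn"]
            continue
        m = SRCH_RE.search(line)
        if not m:
            continue
        depth = filter_depth(m["filter"])
        if depth > max_depth:
            conn = m["conn"]
            hits.append((conn, m["op"], depth, bind_dn.get(conn) or "anonymous", peer_ip.get(conn, "?")))
    return hits


if __name__ == "__main__":
    for conn, op, depth, dn, ip in find_deep_filters(SAMPLE_LOG):
        print(f"conn={conn} op={op} depth={depth} bind={dn} from={ip}")
```

Feed it the syslog stream that slapd writes to (stats logging must be enabled), and alert on any hit; an anonymous hit from an address outside your application tier is the strongest signal.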
🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00016.html
- https://bugs.openldap.org/show_bug.cgi?id=9202
- https://git.openldap.org/openldap/openldap/-/blob/OPENLDAP_REL_ENG_2_4/CHANGES
- https://git.openldap.org/openldap/openldap/-/commit/98464c11df8247d6a11b52e294ba5dd4f0380440
- https://lists.debian.org/debian-lts-announce/2020/05/msg00001.html
- https://security.netapp.com/advisory/ntap-20200511-0003/
- https://support.apple.com/kb/HT211289
- https://usn.ubuntu.com/4352-1/
- https://usn.ubuntu.com/4352-2/
- https://www.debian.org/security/2020/dsa-4666
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpuoct2020.html