CVE-2020-25709

7.5 HIGH (CVSS v3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H: reachable over the network, low complexity, no privileges or user interaction required, availability impact only)

📋 TL;DR

CVE-2020-25709 is an assertion failure in OpenLDAP's slapd directory server: a malicious request that slapd processes trips an assert() and the daemon aborts. Any host that can reach the LDAP port can trigger it without authenticating, so the impact is denial of service of the directory, and of whatever authenticates against it, on every system running an unpatched slapd.

💻 Affected Systems

Products:
  • OpenLDAP
Versions: OpenLDAP releases before 2.4.57 (the CVE record lists "versions before 2.4.57"; 2.4.57 and later, including the 2.5 and 2.6 series, contain the fix)
Operating Systems: Linux, Unix, BSD variants, Any OS running OpenLDAP
Default Config Vulnerable: ⚠️ Yes
Notes: Only slapd is affected; the libldap client library and the ldap* command-line tools are not. Every slapd instance that accepts connections is affected regardless of backend or overlay configuration; there is no configuration switch that turns the bug off.

📦 What is this software?

OpenLDAP

OpenLDAP is the open-source implementation of the Lightweight Directory Access Protocol maintained by the OpenLDAP Project. slapd is its standalone directory server: the process that listens on 389/636, holds the directory database and answers bind, search and modify requests, which is why it sits in the authentication path of many Linux and Unix environments. This CVE is in slapd's request processing, not in the libldap client library. Vendors that bundle OpenLDAP (the macOS entry on this page, for example) deliver the fix through their own OS updates rather than through an openldap.org release.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service outage of OpenLDAP directory services, potentially disrupting authentication, authorization, and directory-dependent applications across the organization.

🟠

Likely Case

Repeated slapd crashes: the request is cheap to resend, so an attacker can knock the daemon over again each time it is restarted, causing failed logins, timeouts in directory-backed applications and degraded service for as long as the port stays reachable.

🟢

If Mitigated

Minimal impact if slapd is not exposed to untrusted networks and proper network segmentation is in place.

🌐 Internet-Facing: HIGH - Any internet-facing OpenLDAP server is directly vulnerable to unauthenticated DoS attacks.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this to disrupt directory services.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The trigger is a malformed request that slapd accepts and then fails on with an assert(), so one unauthenticated request from any host that can reach the port is enough; there is no memory-corruption chain to build and an assertion failure is deterministic, not probabilistic. Vendor advisories describe the flaw rather than publish a ready-made trigger, but the bar for constructing one is low.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: OpenLDAP 2.4.57 or later (the CVE record lists versions before 2.4.57 as affected; distribution packages may carry the fix as a backport under an older version number)

Vendor Advisory: https://www.openldap.org/software/release/changes.html

Restart Required: Yes

Instructions:

1. Obtain the fixed version: your distribution's patched slapd package (apt, dnf, zypper) if you run distro packages, or the 2.4.57+ source from openldap.org if you build your own.
2. Stop slapd (for example: systemctl stop slapd).
3. Install the updated version.
4. Start slapd again (systemctl start slapd).
5. Confirm the running binary is the new one (slapd -VV 2>&1 | grep -i openldap) and that the directory answers: ldapsearch -x -H ldap://localhost -b '' -s base

🔧 Temporary Workarounds

Network Access Control

linux

Restrict access to the slapd ports (389 for LDAP and StartTLS, 636 for LDAPS) to trusted client ranges only. This removes the unauthenticated-from-anywhere property but does nothing against a client inside the allowed range.

# Allow 389/636 only from the trusted client range, then drop everything else.
# Replace 192.0.2.0/24 with your real client range. Rules are appended (-A), so
# make sure no earlier ACCEPT in the INPUT chain already matches these ports.
iptables -A INPUT -p tcp -m multiport --dports 389,636 -s 192.0.2.0/24 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 389,636 -j DROP

Rate Limiting

linux

Rate-limit new connections to slow down a crash-restart loop. This only throttles repeat attempts: a single request is enough to crash slapd, so the limit reduces how often it falls over, not whether it does, and it also throttles legitimate clients during an attack.

# Accept at most 10 new connections per minute (burst 20) to 389/636 and drop the
# rest. The limit rule alone does nothing; the DROP that follows it is what bites.
iptables -A INPUT -p tcp -m multiport --dports 389,636 -m conntrack --ctstate NEW -m limit --limit 10/min --limit-burst 20 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 389,636 -m conntrack --ctstate NEW -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation so that only the hosts that must talk to the directory can reach 389/636; that shrinks the set of machines an attacker has to control to trigger the crash.
  • Deploy IPS signatures for this CVE if your vendor ships one. Generic "malformed LDAP packet" rules are unlikely to match a request that is well-formed at the protocol level and only bad in its content, so treat IPS as a secondary control.
  • Make the daemon come back on its own (systemd Restart=on-failure in the slapd unit) and keep a replica in service, so a crash costs seconds rather than an outage while you wait for the patch window.

🔍 How to Verify

Check if Vulnerable:

Read the version out of the installed daemon with slapd -VV 2>&1 | grep -i 'openldap' and compare it with 2.4.57: anything older carries the bug unless your distribution backported the fix. Backported packages keep the old upstream version string, so on such systems check the package changelog for CVE-2020-25709 instead (rpm -q --changelog openldap-servers, or apt-get changelog slapd).

Check Version:

slapd -VV 2>&1 | grep -i 'openldap'

Verify Fix Applied:

Confirm slapd -VV reports 2.4.57 or later (or a distribution package whose changelog lists CVE-2020-25709), make sure slapd was restarted after the upgrade so the new binary is the one running, and test that it answers: ldapsearch -x -H ldap://localhost -b '' -s base
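A version check you can script is added here as an example (it is not OpenLDAP project code). It parses the banner that slapd -VV prints and flags anything older than 2.4.57, the boundary the CVE record gives. The banner strings in the block are constructed samples, and distribution suffixes such as +dfsg-1 are deliberately ignored.

```shell
#!/bin/sh
# Added example, not part of OpenLDAP. Flags slapd builds older than 2.4.57.
# The sample banners below are constructed; real ones come from: slapd -VV 2>&1

# Pull "X.Y.Z" out of a slapd -VV banner line such as
#   @(#) $OpenLDAP: slapd 2.4.57+dfsg-1+deb11u1 (Apr 10 2022 11:43:59) $
# Prints nothing if the line does not look like a slapd banner.
slapd_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n 's/.*\$OpenLDAP: slapd \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Return 0 (true) when an upstream version string is older than 2.4.57.
# Any non-numeric suffix on the patch level (e.g. "44+dfsg") is dropped.
openldap_version_vulnerable() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2)
    patch=$(printf '%s' "$1" | cut -d. -f3)
    patch=${patch%%[!0-9]*}
    num=$(( ${major:-0} * 1000000 + ${minor:-0} * 1000 + ${patch:-0} ))
    if [ "$num" -lt 2004057 ]; then
        return 0
    else
        return 1
    fi
}

# Wrapper: takes a banner line, prints a verdict, returns 0 when vulnerable,
# 1 when fixed, 2 when no version could be read.
report_banner() {
    ver=$(slapd_version_from_banner "$1")
    if [ -z "$ver" ]; then
        echo "no slapd version found in: $1"
        return 2
    fi
    if openldap_version_vulnerable "$ver"; then
        echo "slapd $ver: older than 2.4.57 -> CVE-2020-25709 unless your distro backported the fix"
        return 0
    fi
    echo "slapd $ver: 2.4.57 or later -> contains the upstream fix"
    return 1
}

# Constructed sample banners (not captured from real hosts).
for banner in \
    '@(#) $OpenLDAP: slapd 2.4.56 (Nov 18 2020 09:12:44) $' \
    '@(#) $OpenLDAP: slapd 2.4.57+dfsg-1+deb11u1 (Apr 10 2022 11:43:59) $' \
    '@(#) $OpenLDAP: slapd 2.5.13 (Sep 30 2022 10:01:05) $'
do
    report_banner "$banner" || true
done

# On a real host, run it against the installed daemon:
# report_banner "$(slapd -VV 2>&1 | grep 'OpenLDAP: slapd')"
```

The numeric comparison is the whole point: a string compare would rank 2.4.9 above 2.4.57. On distributions that backport fixes without changing the upstream version string, a "vulnerable" verdict from this script is a prompt to read the package changelog (rpm -q --changelog openldap-servers | grep CVE-2020-25709, or apt-get changelog slapd | grep CVE-2020-25709), not a final answer.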

📡 Detection & Monitoring

Log Indicators:

  • slapd crash logs
  • assertion failure messages in syslog
  • unexpected slapd restarts

Network Indicators:

  • Repeated short connections to 389/636 from one source, each followed by a slapd exit and restart
  • LDAP protocol violations or oversized/odd attribute values in requests, if your sensor decodes LDAP

SIEM Query:

source="syslog" AND "slapd" AND ("Assertion" OR "segfault" OR "status=6/ABRT" OR "core dumped" OR "Main process exited")
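To make the log indicators above concrete, here is an added detection script (mine, not OpenLDAP's or any SIEM vendor's) that runs over syslog text. It prints the lines that show slapd dying, counts them, and pulls out the client ACCEPT lines logged just before the first crash so the source IPs can be triaged. The log lines are constructed samples in the shape slapd, systemd and the kernel emit; the assertion line's file, line and function fields are elided, and the addresses are made up. ACCEPT lines only exist when slapd's loglevel includes stats (256).

```shell
#!/bin/sh
# Added example, not OpenLDAP project code: detect slapd crash indicators in
# syslog-format text and list the client connections accepted just before.

# Print every line mentioning slapd that also carries a crash indicator:
# a glibc assert() message, a segfault, a SIGABRT/SIGSEGV exit reported by
# systemd, a core dump, or a systemd-scheduled restart.
slapd_crash_indicators() {
    awk 'tolower($0) ~ /slapd/ &&
         tolower($0) ~ /assertion .*failed|segfault|status=6\/abrt|status=11\/segv|core dumped|main process exited|failed with result|scheduled restart/'
}

# Same filter, but only the number of matching lines on stdout.
slapd_crash_indicator_count() {
    slapd_crash_indicators | wc -l | tr -d ' '
}

# Print the last N "conn=... ACCEPT from IP=..." lines that precede the first
# crash indicator (default 3). slapd writes these at loglevel stats (256);
# without that loglevel there is nothing to attribute the crash to.
accepts_before_first_crash() {
    awk -v keep="${1:-3}" '
        /slapd\[[0-9]+\]: conn=[0-9]+ fd=[0-9]+ ACCEPT from IP=/ {
            buf[n % keep] = $0; n++; next
        }
        tolower($0) ~ /assertion .*failed|segfault|status=6\/abrt/ {
            start = (n > keep) ? n - keep : 0
            for (i = start; i < n; i++) print buf[i % keep]
            exit
        }'
}

# Constructed sample log (not captured from a real host). The second slapd pid
# is the restarted daemon being crashed again.
SAMPLE_LOG=$(cat <<'EOF'
Mar 14 10:21:40 ldap1 slapd[2140]: conn=1006 fd=11 ACCEPT from IP=10.0.0.9:40112 (IP=0.0.0.0:389)
Mar 14 10:21:40 ldap1 slapd[2140]: conn=1006 op=0 BIND dn="uid=svc,ou=people,dc=example,dc=com" method=128
Mar 14 10:22:01 ldap1 slapd[2140]: conn=1007 fd=12 ACCEPT from IP=203.0.113.7:51322 (IP=0.0.0.0:389)
Mar 14 10:22:01 ldap1 slapd[2140]: conn=1007 op=0 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)"
Mar 14 10:22:01 ldap1 slapd[2140]: slapd: (file):(line): (function): Assertion `...' failed.
Mar 14 10:22:01 ldap1 systemd[1]: slapd.service: Main process exited, code=killed, status=6/ABRT
Mar 14 10:22:01 ldap1 systemd[1]: slapd.service: Failed with result 'signal'.
Mar 14 10:22:05 ldap1 systemd[1]: slapd.service: Scheduled restart job, restart counter is at 1.
Mar 14 10:22:06 ldap1 sshd[2201]: Accepted publickey for ops from 10.0.0.5 port 44102
Mar 14 10:22:09 ldap1 kernel: slapd[2310]: segfault at 0 ip 000055d1c0a3f1e0 sp 00007ffd1c3e4a40 error 4 in slapd
EOF
)

echo "== crash indicators =="
printf '%s\n' "$SAMPLE_LOG" | slapd_crash_indicators
echo "count: $(printf '%s\n' "$SAMPLE_LOG" | slapd_crash_indicator_count)"
echo "== connections accepted just before the first crash =="
printf '%s\n' "$SAMPLE_LOG" | accepts_before_first_crash 2

# On a real host: journalctl -u slapd --since -1h | slapd_crash_indicators
```

The ACCEPT correlation is the part worth keeping: a crash line alone tells you slapd died, but the connections accepted in the seconds before it are the only attribution the default logs give you, and one external address appearing right before every abort is the pattern that separates this CVE from an unrelated crash.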

🔗 References

  • NVD record: https://nvd.nist.gov/vuln/detail/CVE-2020-25709
  • OpenLDAP release changes: https://www.openldap.org/software/release/changes.html