CVE-2020-35775

9.8 CRITICAL

📋 TL;DR

CVE-2020-35775 is an LDAP injection vulnerability in CITSmart ITSM software that allows attackers to manipulate LDAP queries through user input. This can lead to authentication bypass, unauthorized data access, or complete LDAP directory compromise. Organizations running affected CITSmart versions are vulnerable.

💻 Affected Systems

Products:
  • CITSmart ITSM
Versions: All versions before 9.1.2.23
Operating Systems: Any OS running CITSmart
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the LDAP authentication component, affecting all deployments using LDAP integration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete LDAP directory compromise allowing attackers to extract all user credentials, modify permissions, and gain domain administrator access in Active Directory environments.

🟠 Likely Case

Authentication bypass allowing unauthorized access to the CITSmart system and potentially other integrated systems using the same LDAP directory.

🟢 If Mitigated

Limited impact with proper input validation and LDAP query sanitization in place, potentially preventing successful exploitation.

🌐 Internet-Facing: HIGH if CITSmart is exposed to the internet, as LDAP injection can be exploited remotely without authentication.
🏢 Internal Only: HIGH even internally, as attackers with network access can exploit this vulnerability to escalate privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof of concept available on Packet Storm Security demonstrates LDAP injection through login fields. Exploitation requires minimal technical skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.1.2.23 and later

Vendor Advisory: https://docs.citsmart.com/pt-br/citsmart-platform-9/get-started/about-citsmart/release-notes.html

Restart Required: Yes

Instructions:

1. Back up the current CITSmart installation and database.
2. Download version 9.1.2.23 or later from the official vendor.
3. Follow the upgrade instructions in the release notes.
4. Restart the application server.
5. Verify LDAP functionality post-upgrade.

🔧 Temporary Workarounds

Disable LDAP Authentication

Applies to: all

Temporarily disable LDAP authentication and use local authentication only.

Modify the authentication configuration in CITSmart to use the local database instead of LDAP.

Network Segmentation

Applies to: all

Restrict access to CITSmart LDAP ports from untrusted networks.

Configure firewall rules to block external access to CITSmart LDAP ports (typically 389/636).

🧯 If You Can't Patch

  • Implement web application firewall (WAF) with LDAP injection rules to block malicious payloads
  • Enable detailed logging for all LDAP authentication attempts and monitor for suspicious patterns

🔍 How to Verify

Check if Vulnerable:

Check CITSmart version in administration panel or by examining application files. Versions below 9.1.2.23 are vulnerable.

Check Version:

Check CITSmart web interface admin panel or examine version files in installation directory

Verify Fix Applied:

After upgrading to 9.1.2.23 or later, test LDAP authentication functionality and verify version in administration panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual LDAP query patterns in application logs
  • Failed authentication attempts with special characters in username field
  • Multiple authentication attempts from single IP with varying usernames

Network Indicators:

  • Unusual LDAP traffic patterns to/from CITSmart server
  • LDAP queries containing special characters like *, (, ), &, |

SIEM Query:

source="citsmart.log" AND ("LDAP" OR "authentication") AND ("*" OR "(" OR ")" OR "|" OR "&")

Note that in most SIEM query languages "*" is a wildcard and parentheses, "|" and "&" are operators, so these terms must be escaped or matched with the platform's literal-string or regex syntax; otherwise the query matches far more events than intended.
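The following Python is an added example, not code from the page or from the CITSmart vendor. It shows the two defensive controls the page names: RFC 4515 escaping of user input before it reaches an LDAP filter (the "input validation and LDAP query sanitization" of the mitigated case), and a scan of authentication log lines for the log indicators listed above (metacharacters in the username field, one IP failing against many different usernames). The log line format, field names, filter attribute names and sample lines are constructed assumptions, not CITSmart's real format.

```python
import re
from collections import defaultdict

# RFC 4515 escapes for values embedded in an LDAP search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_LDAP_META = re.compile(r"[*()&|\\\x00]")  # characters that alter filter structure

def escape_filter_value(value: str) -> str:
    """Escape user input before it is placed inside an LDAP filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_login_filter(username: str) -> str:
    """Hardened login lookup: the escaped username cannot change the filter's structure."""
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"

# Constructed log line format (an assumption, not CITSmart's real format):
#   <timestamp> LDAP auth user="<name>" result=<OK|FAIL> ip=<addr>
_LOG_RE = re.compile(r'LDAP auth user="(?P<user>[^"]*)" result=(?P<result>\w+) ip=(?P<ip>\S+)')

def scan_auth_log(lines, spray_threshold=3):
    """Return (indicator, ip, detail) tuples for the two log indicators above."""
    findings = []
    failed_names_by_ip = defaultdict(set)
    for line in lines:
        m = _LOG_RE.search(line)
        if not m:
            continue  # not an LDAP authentication record
        user, result, ip = m.group("user", "result", "ip")
        if _LDAP_META.search(user):
            findings.append(("ldap_metachar", ip, user))
        if result == "FAIL":
            failed_names_by_ip[ip].add(user)
    for ip, names in failed_names_by_ip.items():
        if len(names) >= spray_threshold:
            findings.append(("many_usernames", ip, len(names)))
    return findings

# Constructed sample lines: one normal login, then one client trying several names.
SAMPLE_LOG = [
    '2020-12-28T10:15:02Z LDAP auth user="jdoe" result=OK ip=10.0.0.5',
    '2020-12-28T10:15:40Z LDAP auth user="admin*)(cn=*" result=FAIL ip=198.51.100.7',
    '2020-12-28T10:15:41Z LDAP auth user="root" result=FAIL ip=198.51.100.7',
    '2020-12-28T10:15:42Z LDAP auth user="svc_backup" result=FAIL ip=198.51.100.7',
]

if __name__ == "__main__":
    print(build_login_filter("admin*)(cn=*"))
    for finding in scan_auth_log(SAMPLE_LOG):
        print(finding)
```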
