CVE-2020-36221

7.5 HIGH

📋 TL;DR

An integer underflow vulnerability in OpenLDAP's Certificate Exact Assertion processing can cause slapd to crash, leading to denial of service. This affects OpenLDAP servers processing certificate assertions. Attackers can trigger this remotely without authentication.

💻 Affected Systems

Products:
  • OpenLDAP
Versions: All versions before 2.4.57
Operating Systems: All platforms running OpenLDAP
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerable when processing Certificate Exact Assertions, which may occur during TLS/SSL certificate validation.

📦 What is this software?

Macos by Apple

macOS is Apple's desktop and laptop operating system powering Mac computers used by millions of professionals, developers, creative professionals, and enterprise users worldwide. Built on a Unix foundation with the Darwin kernel and modern Cocoa frameworks, macOS delivers a seamless ecosystem integr...


⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service disruption of LDAP directory services, potentially affecting authentication, authorization, and directory lookups for dependent systems.

🟠 Likely Case: Service disruption causing authentication failures and application outages until slapd is restarted.

🟢 If Mitigated: Minimal impact with proper network segmentation and monitoring allowing quick service restoration.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted certificate assertions to trigger the integer underflow.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.4.57 and later

Vendor Advisory: https://bugs.openldap.org/show_bug.cgi?id=9404

Restart Required: Yes

Instructions:

1. Download OpenLDAP 2.4.57 or later from openldap.org.
2. Stop the slapd service.
3. Install the updated version.
4. Restart the slapd service.

🔧 Temporary Workarounds

Disable Certificate Exact Assertion Processing (platform: all)

Configure OpenLDAP to reject or ignore certificate exact assertions if not required.

# Add to slapd.conf or configure via cn=config:
# reject or ignore certificate exact assertions

Network Filtering (platform: linux)

Block or rate-limit LDAP requests containing certificate assertions at the network perimeter. Note that "certificateExactAssertion" is the name of the assertion syntax and is not itself transmitted in an LDAP request, so a literal string match is only a heuristic and is unlikely to catch real traffic; it also cannot inspect ldaps (636) or StartTLS sessions, so treat it as defence in depth, not as a substitute for patching.

# Example iptables rule (adjust ports):
# iptables -A INPUT -p tcp --dport 389 -m string --string "certificateExactAssertion" --algo bm -j DROP

🧯 If You Can't Patch

  • Implement strict network ACLs to limit LDAP access to trusted sources only.
  • Deploy load balancers with health checks to automatically restart failed slapd instances.

🔍 How to Verify

Check if Vulnerable:

Check OpenLDAP version: slapd -VV 2>&1 | grep '^@' or check installed package version.

Check Version:

slapd -VV 2>&1 | grep '^@'

Verify Fix Applied:

Confirm version is 2.4.57 or later and test certificate assertion processing.
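The version check above compared by hand is easy to get wrong (a plain string comparison puts 2.4.9 after 2.4.57). The script below is an added example, not part of this advisory: it parses the `slapd -VV` banner and compares each version component numerically against the fixed release 2.4.57. The banner strings it runs on are constructed samples.

```shell
#!/bin/sh
# Added example (not part of the advisory): parse the "slapd -VV" banner
# and decide whether the build predates the fixed release, 2.4.57.
# Sample banners below are constructed for illustration.

FIXED="2.4.57"

# Pull "major.minor.patch" out of a banner such as
#   @(#) $OpenLDAP: slapd 2.4.49+dfsg-2ubuntu1 (Jan 01 2021 00:00:00) $
# Distro suffixes after the third number are ignored.
slapd_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n 's/.*slapd[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Return 0 when version $1 is older than version $2. Each dotted component
# is compared as a number, so 2.4.9 < 2.4.57 and 2.5.4 > 2.4.57; a plain
# string comparison would get both of those wrong.
version_lt() {
    for i in 1 2 3; do
        x=$(printf '%s.0.0' "$1" | cut -d. -f"$i")
        y=$(printf '%s.0.0' "$2" | cut -d. -f"$i")
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1   # equal versions are not "less than"
}

# Return 0 (vulnerable) for a pre-2.4.57 banner, 1 for fixed or newer,
# 2 when no version could be parsed from the banner.
slapd_vulnerable() {
    v=$(slapd_version_from_banner "$1")
    [ -n "$v" ] || { echo "could not parse slapd version" >&2; return 2; }
    version_lt "$v" "$FIXED"
}

# On a real host, feed the live banner instead of the samples:
#   slapd_vulnerable "$(slapd -VV 2>&1 | grep '^@')"
SAMPLE_OLD='@(#) $OpenLDAP: slapd 2.4.49+dfsg-2ubuntu1 (Jan 01 2021 00:00:00) $'
SAMPLE_FIXED='@(#) $OpenLDAP: slapd 2.4.57 (Jan 01 2021 00:00:00) $'
SAMPLE_NEWER='@(#) $OpenLDAP: slapd 2.5.13 (Jan 01 2021 00:00:00) $'

for banner in "$SAMPLE_OLD" "$SAMPLE_FIXED" "$SAMPLE_NEWER"; do
    if slapd_vulnerable "$banner"; then
        echo "VULNERABLE: $(slapd_version_from_banner "$banner")"
    else
        echo "ok:         $(slapd_version_from_banner "$banner")"
    fi
done
```

A distribution may backport the ITS#9404 fix into an older version string, so on such systems confirm with the package changelog rather than the banner alone.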

📡 Detection & Monitoring

Log Indicators:

  • slapd crash logs
  • segmentation fault errors in syslog
  • unexpected slapd restarts

Network Indicators:

  • LDAP requests with certificate exact assertions followed by service unavailability

SIEM Query:

source="syslog" AND ("slapd" AND ("segmentation fault" OR "crash" OR "restart"))
