CVE-2020-36223

7.5 HIGH

📋 TL;DR

This vulnerability in OpenLDAP's slapd daemon allows attackers to trigger a crash through malformed Values Return Filter control requests, causing denial of service. The flaw involves double free and out-of-bounds read conditions that can be exploited remotely. Organizations running OpenLDAP servers are affected.

💻 Affected Systems

Products:
  • OpenLDAP
Versions: All versions before 2.4.57
Operating Systems: Linux, Unix, BSD, Windows (if running OpenLDAP)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects slapd daemon when Values Return Filter control is enabled. Most OpenLDAP deployments use this control for enhanced search functionality.


⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service outage of LDAP directory services, disrupting authentication, authorization, and directory lookups for dependent applications and users.

🟠 Likely Case: Service disruption requiring a manual restart of slapd, potentially causing authentication failures and application downtime until the service is restored.

🟢 If Mitigated: Minimal impact, with proper network segmentation and monitoring allowing quick detection of and recovery from service interruptions.

🌐 Internet-Facing: HIGH - OpenLDAP servers exposed to the internet can be directly targeted by remote attackers without authentication.
🏢 Internal Only: MEDIUM - Internal attackers or compromised systems could exploit this to disrupt directory services affecting internal applications.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof-of-concept code has been published in security advisories. Exploitation requires sending specially crafted LDAP requests to the slapd service.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: OpenLDAP 2.4.57 and later

Vendor Advisory: https://bugs.openldap.org/show_bug.cgi?id=9408

Restart Required: Yes

Instructions:

1. Download OpenLDAP 2.4.57 or later from openldap.org.
2. Stop the slapd service.
3. Install the updated version.
4. Restart the slapd service.
5. Verify that the service is running and responding.

🔧 Temporary Workarounds

Disable Values Return Filter Control

Temporarily disable the vulnerable control to prevent exploitation while planning the upgrade.

  • Edit the slapd.conf or slapd.d configuration and remove or comment out the 'olcValuesReturnFilter' settings.
  • Restart slapd: systemctl restart slapd

Network Access Control

Restrict access to the LDAP ports (389, 636) to trusted networks only. Replace TRUSTED_NETWORK with the trusted CIDR; because -A appends, these rules only take effect if no earlier rule in the INPUT chain already accepts the traffic.

iptables -A INPUT -p tcp --dport 389 -s TRUSTED_NETWORK -j ACCEPT
iptables -A INPUT -p tcp --dport 389 -j DROP
iptables -A INPUT -p tcp --dport 636 -s TRUSTED_NETWORK -j ACCEPT
iptables -A INPUT -p tcp --dport 636 -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation to limit LDAP access to essential systems only
  • Deploy intrusion detection systems to monitor for malformed LDAP requests and restart services automatically if crashes are detected

🔍 How to Verify

Check if Vulnerable:

Check OpenLDAP version: slapd -VV 2>&1 | grep 'OpenLDAP' and compare to 2.4.57. Versions below 2.4.57 are vulnerable.

Check Version:

slapd -VV 2>&1 | grep 'OpenLDAP'

Verify Fix Applied:

After patching, verify that the reported version is 2.4.57 or higher and test LDAP functionality with standard queries.
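The version check above, written out as an added script that is not part of this advisory: it parses the banner printed by slapd -VV and compares the version numerically against 2.4.57, so that a release such as 2.4.6 is not misjudged by a plain string comparison. The banners it runs on are constructed samples.

```shell
#!/bin/sh
# Added example (not from the advisory): parse the banner printed by `slapd -VV`
# and classify the host against the 2.4.57 fix for CVE-2020-36223.
# Versions are compared field by field as integers, because a plain string
# comparison would wrongly rank 2.4.6 above 2.4.57.

FIXED_VERSION=2.4.57

# Extract "X.Y.Z" from a banner such as:
#   @(#) $OpenLDAP: slapd 2.4.49+dfsg-2ubuntu1.8 (Aug  6 2021 20:56:55) $
# Prints nothing if the banner does not look like slapd output.
openldap_version() {
    printf '%s\n' "$1" \
        | sed -n 's/.*OpenLDAP: slapd \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' \
        | head -n 1
}

# Return 0 (true) when X.Y.Z version $1 is numerically older than $2.
version_lt() {
    a1=${1%%.*}; r=${1#*.}; a2=${r%%.*}; a3=${r#*.}
    b1=${2%%.*}; r=${2#*.}; b2=${r%%.*}; b3=${r#*.}
    [ "$a1" -ne "$b1" ] && { [ "$a1" -lt "$b1" ]; return; }
    [ "$a2" -ne "$b2" ] && { [ "$a2" -lt "$b2" ]; return; }
    [ "$a3" -lt "$b3" ]
}

# Print "vulnerable", "fixed" or "unknown" for a slapd -VV banner.
cve_2020_36223_status() {
    v=$(openldap_version "$1")
    if [ -z "$v" ]; then
        echo unknown
    elif version_lt "$v" "$FIXED_VERSION"; then
        echo vulnerable
    else
        echo fixed
    fi
}

# Constructed banners for offline demonstration. On a real host run:
#   cve_2020_36223_status "$(slapd -VV 2>&1)"
for banner in \
    '@(#) $OpenLDAP: slapd 2.4.49+dfsg-2ubuntu1.8 (Aug  6 2021 20:56:55) $' \
    '@(#) $OpenLDAP: slapd 2.4.57+dfsg-3 (Jan 20 2021 10:20:30) $' \
    '@(#) $OpenLDAP: slapd 2.5.13 (Sep  1 2022 12:00:00) $' \
    'slapd: command not found'
do
    printf '%-10s %s\n' "$(cve_2020_36223_status "$banner")" "$banner"
done
```

Distributions commonly backport security fixes without changing the upstream version number, so a "vulnerable" result from a version check alone should be confirmed against the distribution's advisory or package changelog.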

📡 Detection & Monitoring

Log Indicators:

  • slapd crash logs in systemd journal or syslog
  • Unexpected slapd restarts
  • Error messages related to 'Values Return Filter' or memory corruption

Network Indicators:

  • Unusual LDAP request patterns from single sources
  • Multiple connection attempts followed by service unavailability

SIEM Query:

source="*slapd*" AND ("crash" OR "segmentation fault" OR "double free" OR "out-of-bounds")
