CVE-2020-36225

7.5 HIGH

📋 TL;DR

CVE-2020-36225 is a double free in OpenLDAP's slapd daemon, in the code that parses saslAuthzTo values. Malformed input to that parser frees the same heap allocation twice, corrupting the heap and crashing slapd, so the practical impact is denial of service for every client that depends on the directory. It affects OpenLDAP releases before 2.4.57, where the fix landed. Exploitation is often described as needing an authenticated LDAP session, but the 7.5 base score shown above corresponds to a network vector with no privileges required, so authentication should not be relied on as a barrier.

💻 Affected Systems

Products:
  • OpenLDAP
Versions: All 2.4.x releases before 2.4.57 (2.5 and later include the fix)
Operating Systems: Any platform running a vulnerable OpenLDAP build, including distribution packages that have not received the backported fix
Default Config Vulnerable: ✅ No
Notes: The vulnerable code is the parser for saslAuthzTo values, which SASL proxy authorization relies on. Deployments that do not use proxy authorization are less exposed, but the parser is compiled into every slapd build, so patch all servers older than 2.4.57 regardless of configuration.

📦 What is this software?

OpenLDAP (slapd)

OpenLDAP is the open-source implementation of the Lightweight Directory Access Protocol; slapd is its stand-alone directory server and the daemon affected by this CVE. Many organizations run it as the authentication and directory backend for Linux logins, mail, VPN and web applications, which is why a slapd crash cascades into those services. Apple bundles OpenLDAP components in macOS, so Mac hosts are among the platforms that carry this code, but the flaw is in OpenLDAP's own server, not in macOS.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete denial of service for the OpenLDAP service, potentially disrupting authentication and directory services for all dependent applications.

🟠

Likely Case

Service disruption causing authentication failures and directory lookup issues until the slapd daemon is restarted.

🟢

If Mitigated

Minimal impact with proper network segmentation and monitoring to detect and respond to service crashes quickly.

🌐 Internet-Facing: MEDIUM - Internet-facing LDAP servers are attractive DoS targets, and the 7.5 base score corresponds to a network vector with no privileges required, so do not count on authentication to keep the crash out of reach.
🏢 Internal Only: MEDIUM - Internal attackers or compromised accounts can disrupt directory services that many systems depend on, and any client able to reach port 389/636 is a potential trigger.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: Not settled on this page; the 7.5 base score implies no privileges required, so assume yes for planning purposes
Complexity: LOW

This is a crash-only denial of service: once a malformed value reaches the saslAuthzTo parser, the crash follows from the double free without any memory-corruption exploitation effort, which is why complexity is LOW. The vulnerability details and reproducer are in the referenced OpenLDAP issue (ITS#9412).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: OpenLDAP 2.4.57 and later (2.5 and later also contain the fix)

Vendor Advisory (OpenLDAP issue tracker, ITS#9412): https://bugs.openldap.org/show_bug.cgi?id=9412

Restart Required: Yes (slapd is a long-running daemon; the new binary only takes effect after it restarts)

Instructions:

1. Obtain the fix: either OpenLDAP 2.4.57 or later from openldap.org, or your distribution's patched slapd package. Distributions often backport the fix under an older version number, so check the package changelog or distribution advisory rather than the upstream version string alone.
2. Stop the slapd service.
3. Install the update through your package manager, or build and install from source.
4. Start slapd and confirm the running process is the new binary.

🔧 Temporary Workarounds

Disable proxy authorization

Platforms: all

Temporarily turn off SASL proxy authorization if nothing relies on it.

saslAuthzTo is an attribute stored on user entries, not a slapd.conf directive, so there is nothing to comment out in the server configuration. Proxy authorization is governed by authz-policy in slapd.conf (olcAuthzPolicy in cn=config); its default, none, disables it. Whether that alone keeps malformed values away from the vulnerable parser is not established here, so treat this as risk reduction, not a fix.

Restrict Access

Platforms: all

Limit LDAP access to trusted networks and users only.

Configure firewall rules to restrict access to the slapd ports (default 389 for LDAP/StartTLS, 636 for LDAPS).
Use slapd access controls (access to ... / olcAccess) to restrict which identities can read or write the saslAuthzTo attribute, and turn off anonymous binds where clients do not need them (disallow bind_anon, or require authc).

🧯 If You Can't Patch

  • Implement network segmentation to isolate OpenLDAP servers from untrusted networks
  • Deploy monitoring to detect and alert on slapd service crashes for rapid response
  • Run slapd under a supervisor that restarts it automatically (for example systemd with Restart=on-failure); this shortens each outage but does not stop an attacker from crashing it again

🔍 How to Verify

Check if Vulnerable:

Check the OpenLDAP version and whether proxy authorization is in use: slapd -V prints the build banner (to stderr), and the configuration should be reviewed for authz-policy / olcAuthzPolicy and for entries that carry saslAuthzTo values.

Check Version:

slapd -V 2>&1 | head -n 1

Verify Fix Applied:

Confirm the version is 2.4.57 or later, or any 2.5/2.6 release. Compare the version numerically rather than with a pattern such as grep "2\.4\.", which matches vulnerable and fixed releases alike. Some distribution builds print a banner with no version number at all; for those, check the package version and changelog (dpkg -s slapd, rpm -q --changelog openldap-servers) and remember that a backported fix keeps the older upstream version number.
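The version check above done properly, as an added example (not OpenLDAP project code and not from the original page): it parses the banner slapd -V prints, compares it component by component against 2.4.57, and reports unknown for banners that carry no version so the operator falls back to the package manager. The three sample banners are constructed for illustration, not captured from real hosts.

```shell
#!/bin/sh
# Added example, not OpenLDAP project code: classify an installed slapd
# against the fixed release 2.4.57 using the banner that `slapd -V` prints
# to stderr, e.g. "@(#) $OpenLDAP: slapd 2.4.49 (Jan 30 2020 11:22:33) $".
# Some distribution builds leave the version number out of that banner,
# so "unknown" is a deliberate outcome that must be resolved through the
# package manager (dpkg -s slapd, rpm -q --changelog openldap-servers).

FIXED_VERSION="2.4.57"

# Pull the "X.Y.Z" that follows the word "slapd" out of a banner line;
# prints nothing when the banner carries no version.
slapd_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n 's/.*slapd \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# version_ge HAVE WANT: exit 0 when HAVE >= WANT, comparing each
# dot-separated component numerically. A string comparison would rank
# 2.4.8 above 2.4.57; this does not. Missing components count as 0.
version_ge() {
    have=$1
    want=$2
    while [ -n "$have" ] || [ -n "$want" ]; do
        h=${have%%.*}
        w=${want%%.*}
        h=${h:-0}
        w=${w:-0}
        if [ "$h" -gt "$w" ]; then return 0; fi
        if [ "$h" -lt "$w" ]; then return 1; fi
        case $have in *.*) have=${have#*.} ;; *) have= ;; esac
        case $want in *.*) want=${want#*.} ;; *) want= ;; esac
    done
    return 0
}

# classify_banner BANNER: prints fixed, vulnerable or unknown. The exit
# status is 0 only for fixed, so the function can drive a compliance check.
classify_banner() {
    v=$(slapd_version_from_banner "$1")
    if [ -z "$v" ]; then
        echo unknown
        return 2
    fi
    if version_ge "$v" "$FIXED_VERSION"; then
        echo fixed
        return 0
    fi
    echo vulnerable
    return 1
}

# Live check: slapd -V writes its banner to stderr, hence the 2>&1.
check_installed_slapd() {
    classify_banner "$(slapd -V 2>&1 | head -n 1)"
}

if command -v slapd >/dev/null 2>&1; then
    printf 'installed slapd: %s\n' "$(check_installed_slapd)"
fi

# Constructed sample banners (not captured from real hosts) covering the
# three outcomes; the third mimics a distribution build without a version.
for banner in \
    '@(#) $OpenLDAP: slapd 2.4.49 (Jan 30 2020 11:22:33) $' \
    '@(#) $OpenLDAP: slapd 2.4.57 (Feb  9 2021 08:00:00) $' \
    '@(#) $OpenLDAP: slapd  (Ubuntu) (Mar 12 2021 14:44:59) $'
do
    printf '%-55s -> %s\n' "$banner" "$(classify_banner "$banner")"
done
```

A "vulnerable" result from this script is reliable; a "fixed" result from a distribution package is too, but a banner reporting, say, 2.4.49 on a distribution that backported the fix will read as vulnerable, so resolve such cases from the package changelog before raising a ticket.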

📡 Detection & Monitoring

Log Indicators:

  • glibc heap-check messages from the slapd process, such as "free(): double free detected in tcache 2" or "double free or corruption", followed by an abort
  • kernel segfault records naming slapd, or systemd reporting slapd.service killed by a signal (status=6/ABRT or status=11/SEGV)
  • unexpected slapd service restarts, especially repeated ones (a climbing "restart counter")

Network Indicators:

  • LDAP connection attempts followed by service unavailability; correlate the source addresses of the last connections slapd accepted (conn=N fd=N ACCEPT from IP=...) with the crash time
  • Increased authentication failures from dependent services

SIEM Query:

source="*syslog*" AND "slapd" AND ("segmentation fault" OR "segfault" OR "crash" OR "double free" OR "status=11/SEGV" OR "status=6/ABRT")
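The detection logic above in runnable form, as an added example that is not part of the original page and not OpenLDAP project code. It scans syslog-style lines for the traces a slapd heap-corruption crash leaves (glibc's double-free abort, a kernel segfault record, systemd's killed-by-signal and restart messages) and, because the page's network indicator is "connections followed by unavailability", lists the client addresses slapd accepted just before it died. The log lines are constructed for illustration, using the message formats glibc, systemd and slapd's default stats logging actually emit.

```shell
#!/bin/sh
# Added example, not OpenLDAP project code: crash-indicator scan for slapd
# over syslog-style input, plus a "who connected just before the crash"
# correlation. The sample log at the bottom is constructed, not captured.

# Traces slapd, glibc, the kernel and systemd leave around a crash. glibc
# aborts the process when it detects a double free (status=6/ABRT); a plain
# segfault shows up as status=11/SEGV instead, so both are matched.
CRASH_PATTERN='slapd.*(segfault|double free|status=11/SEGV|status=6/ABRT|Failed with result|Scheduled restart job)'

# Count crash-related lines on stdin (prints 0 when there are none).
count_crash_indicators() {
    grep -Ec "$CRASH_PATTERN"
}

# Print the client addresses of the last N (default 3) connections slapd
# accepted before the first crash indicator on stdin, oldest first; prints
# nothing when the log holds no crash. Relies on slapd's default "stats"
# log line: "conn=N fd=N ACCEPT from IP=addr:port (IP=...)".
suspects_before_crash() {
    awk -v keep="${1:-3}" '
        /slapd\[[0-9]+\]: conn=[0-9]+ fd=[0-9]+ ACCEPT from IP=/ {
            match($0, /from IP=[^ ]+/)
            # keep a ring buffer of the last "keep" addresses
            ring[n % keep] = substr($0, RSTART + 8, RLENGTH - 8)
            n++
            next
        }
        /slapd.*(segfault|double free|status=11\/SEGV|status=6\/ABRT)/ {
            start = (n > keep) ? n - keep : 0
            for (i = start; i < n; i++) print ring[i % keep]
            exit
        }'
}

# Constructed sample log (not captured from a real host): two clients
# connect, slapd dies on a detected double free, systemd restarts it.
sample_log() {
    cat <<'EOF'
Feb  8 10:14:59 ldap1 slapd[2211]: conn=1041 fd=12 ACCEPT from IP=203.0.113.7:51234 (IP=0.0.0.0:389)
Feb  8 10:15:00 ldap1 slapd[2211]: conn=1042 fd=14 ACCEPT from IP=198.51.100.9:40112 (IP=0.0.0.0:389)
Feb  8 10:15:01 ldap1 slapd[2211]: free(): double free detected in tcache 2
Feb  8 10:15:03 ldap1 systemd[1]: slapd.service: Main process exited, code=killed, status=6/ABRT
Feb  8 10:15:03 ldap1 systemd[1]: slapd.service: Failed with result 'signal'.
Feb  8 10:15:04 ldap1 systemd[1]: slapd.service: Scheduled restart job, restart counter is at 1.
EOF
}

printf 'crash indicators in sample log: %s\n' "$(sample_log | count_crash_indicators)"
printf 'connections accepted just before the crash (oldest first):\n'
sample_log | suspects_before_crash 3
```

On a real host feed it journalctl -u slapd -k (or the syslog file) instead of sample_log. The ring buffer deliberately keeps only the last few accepts: on a busy server the crash-triggering request is almost always in the final handful of connections, and the full client list is noise. A single abort from a double free is a strong signal here because the page's SIEM query already treats "double free" as a crash indicator.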
