CVE-2020-36227

7.5 HIGH

📋 TL;DR

This vulnerability in OpenLDAP lets an attacker send a crafted LDAP Cancel extended operation (handled by slapd's cancel_extop) that drives the slapd daemon into an infinite loop. The result is a denial of service: slapd does not crash, it hangs and must be restarted, disrupting every service that depends on the directory.

💻 Affected Systems

Products:
  • OpenLDAP
Versions: All versions before 2.4.57
Operating Systems: All operating systems running OpenLDAP
Default Config Vulnerable: ⚠️ Yes
Notes: The Cancel extended operation (RFC 3909, OID 1.3.6.1.1.8) is built into slapd and cannot be turned off in configuration, so every unpatched slapd build is affected regardless of how it is configured.

📦 What is this software?

OpenLDAP by the OpenLDAP Project

OpenLDAP is the open-source LDAP directory suite whose server daemon, slapd, provides authentication and directory lookups for many Linux and Unix deployments; it is also the LDAP implementation Apple ships in macOS. The Cancel extended operation (RFC 3909), dispatched to slapd's cancel_extop handler, is the code path this CVE abuses.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete unavailability of LDAP directory services, disrupting authentication, authorization, and other directory-dependent services across the organization.

🟠

Likely Case

Service disruption of OpenLDAP servers requiring restart, causing temporary authentication failures for users and applications.

🟢

If Mitigated

Minimal impact with proper network segmentation and monitoring allowing quick detection and response.

🌐 Internet-Facing: HIGH - Internet-facing OpenLDAP servers are directly exposed to exploitation attempts.
🏢 Internal Only: MEDIUM - Internal servers are still vulnerable to internal threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation needs nothing more than a TCP connection to slapd's LDAP port: the attacker sends a crafted Cancel extended request without binding first, so no credentials are required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: OpenLDAP 2.4.57 and later

Vendor Advisory: https://bugs.openldap.org/show_bug.cgi?id=9428

Restart Required: Yes

Instructions:

1. Obtain OpenLDAP 2.4.57 or later from openldap.org, or the distribution package that carries the fix for CVE-2020-36227 (distributions usually backport the patch without changing the upstream version number).
2. Stop the slapd service.
3. Install the updated version.
4. Start slapd and confirm the new binary is the one running; the fix only takes effect after the restart.

🔧 Temporary Workarounds

Disable cancel_extop operation

Platforms: all

Not available in practice: slapd registers the Cancel extended operation (OID 1.3.6.1.1.8) as a built-in exop at startup, and neither slapd.conf nor cn=config offers a directive to remove it. Do not plan on this as a workaround; upgrade instead.

Network filtering

Platforms: all

Restrict who can reach the LDAP ports (389/tcp and 636/tcp) to known clients, applications and replication peers.

Matching the Cancel operation itself at a firewall or IPS requires a sensor that decodes LDAP BER and inspects the ExtendedRequest OID, and it only works on cleartext LDAP; over LDAPS or after StartTLS the request is encrypted and cannot be matched. Treat signature-based blocking as best effort and rely on the access restriction.

🧯 If You Can't Patch

  • Implement strict network access controls so only known clients, applications and replication peers can reach slapd.
  • Monitor slapd for a hang rather than a crash: the bug is an infinite loop, so watch for the process pinned at 100% CPU while LDAP queries time out, and be ready to restart it automatically.

🔍 How to Verify

Check if Vulnerable:

Print the slapd version (it is written to stderr) and compare it against 2.4.57:

slapd -V 2>&1 | grep 'OpenLDAP'

Any upstream version below 2.4.57 is vulnerable. Distribution packages usually keep the old upstream number and backport the fix, so on those hosts check the package changelog for a CVE-2020-36227 entry instead (for example rpm -q --changelog openldap-servers on RHEL-family systems, or /usr/share/doc/slapd/changelog.Debian.gz on Debian and Ubuntu).

Verify Fix Applied:

Confirm the running binary reports 2.4.57 or later (or the package changelog references CVE-2020-36227) and that slapd has been restarted since the upgrade, since the old binary keeps running until then.
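As an added example (not code from this advisory or from the OpenLDAP project), the script below parses the banner that slapd -V prints and compares the upstream version triple against the 2.4.57 fix. The banner string embedded in it is constructed; the slapd path, the 10-second timeout and the "vulnerable"/"fixed"/"unknown" labels are this example's own choices. As the comments note, a distribution build with a backported fix still classifies as "vulnerable" here, which is exactly the case where the package changelog check above is needed.

```python
import re
import subprocess

# Upstream release that fixes CVE-2020-36227 (OpenLDAP ITS#9428).
FIXED_VERSION = (2, 4, 57)

# Version triple in the slapd banner, e.g.
#   @(#) $OpenLDAP: slapd 2.4.56 (Jan 18 2021 12:00:00) $
# Distribution builds append suffixes such as "2.4.49+dfsg-2ubuntu1.9"; only
# the upstream triple is compared, so a distro build with a backported fix
# still classifies as "vulnerable" here and needs a package changelog check.
VERSION_RE = re.compile(r"slapd\s+(\d+)\.(\d+)\.(\d+)")

# Constructed banner used by the demo at the bottom (not real slapd output).
SAMPLE_BANNER = "@(#) $OpenLDAP: slapd 2.4.56 (Jan 18 2021 12:00:00) $"


def parse_slapd_version(banner):
    """Return (major, minor, patch) from a 'slapd -V' banner, or None if absent."""
    m = VERSION_RE.search(banner)
    if m is None:
        return None
    return tuple(int(part) for part in m.groups())


def is_upstream_vulnerable(version):
    """True when the upstream version predates the 2.4.57 fix."""
    return tuple(version) < FIXED_VERSION


def classify_banner(banner):
    """Map a banner to 'vulnerable', 'fixed' or 'unknown' (no version found)."""
    version = parse_slapd_version(banner)
    if version is None:
        return "unknown"
    return "vulnerable" if is_upstream_vulnerable(version) else "fixed"


def classify_local_slapd(slapd_path="slapd"):
    """Run 'slapd -V' on this host (the banner goes to stderr) and classify it.

    Returns 'unknown' if the binary is missing or does not answer in time."""
    try:
        proc = subprocess.run([slapd_path, "-V"], capture_output=True,
                              text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return "unknown"
    return classify_banner(proc.stderr + proc.stdout)


if __name__ == "__main__":
    print("sample banner:", classify_banner(SAMPLE_BANNER))  # vulnerable
    print("local slapd:  ", classify_local_slapd())
```

Run it on the directory host itself; the local check deliberately returns "unknown" rather than "fixed" when slapd cannot be executed, so a missing binary never reads as a clean result.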

📡 Detection & Monitoring

Log Indicators:

  • With loglevel stats (256) enabled, each Cancel request is logged as "conn=N op=M EXT oid=1.3.6.1.1.8"; a connection whose last logged operation is such a line and that then goes silent is the prime suspect
  • slapd still running but unresponsive, with a thread pinned at 100% CPU (a hang, not a crash, so expect no crash record or core dump)
  • Bursts of Cancel extended operations from a single client

Network Indicators:

  • Unusual volume of LDAP ExtendedRequest PDUs with requestName 1.3.6.1.1.8 to ports 389/636 (only visible on cleartext LDAP; LDAPS and StartTLS hide the OID)

SIEM Query:

source="slapd.log" AND "EXT oid=1.3.6.1.1.8"

Terms such as "high cpu" or "crash" never appear in slapd's own log; pair the query with host CPU and LDAP health-check metrics instead.
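The following script is an added example, not part of this page or of the OpenLDAP project. It runs the detection idea above over a constructed slapd stats log (loglevel 256, the standard "conn=N fd=F ACCEPT from IP=..." and "conn=N op=M EXT oid=..." line shapes), resolves connection IDs to client addresses through their ACCEPT lines, flags sources issuing bursts of Cancel requests, and reports the last Cancel seen, which is the request to examine first when a connection or the daemon stops responding. The hostnames, addresses, timestamps and the threshold of 3 are made up.

```python
import re
from collections import Counter

# OID of the LDAP Cancel extended operation (RFC 3909); slapd dispatches it to
# cancel_extop, the handler CVE-2020-36227 wedges.
CANCEL_OID = "1.3.6.1.1.8"

# Two slapd "stats" loglevel (256) line shapes are used. The regexes use
# search(), so the syslog prefix ("Jan 20 ... slapd[2210]: ") does not matter:
#   conn=1001 fd=13 ACCEPT from IP=192.0.2.77:40001 (IP=0.0.0.0:389)
#   conn=1001 op=0 EXT oid=1.3.6.1.1.8
ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=(\S+?):\d+ ")
EXT_RE = re.compile(r"conn=(\d+) op=(\d+) EXT oid=(\S+)")

# Constructed sample log (not captured from a real server): one client issues
# a burst of Cancel requests, one issues a single Cancel, one only does WhoAmI.
SAMPLE_LOG = """\
Jan 20 12:00:01 ldap1 slapd[2210]: conn=1000 fd=12 ACCEPT from IP=10.0.0.5:50512 (IP=0.0.0.0:389)
Jan 20 12:00:01 ldap1 slapd[2210]: conn=1000 op=0 BIND dn="" method=128
Jan 20 12:00:01 ldap1 slapd[2210]: conn=1000 op=0 RESULT tag=97 err=0 text=
Jan 20 12:00:02 ldap1 slapd[2210]: conn=1001 fd=13 ACCEPT from IP=192.0.2.77:40001 (IP=0.0.0.0:389)
Jan 20 12:00:02 ldap1 slapd[2210]: conn=1001 op=0 EXT oid=1.3.6.1.1.8
Jan 20 12:00:02 ldap1 slapd[2210]: conn=1001 op=1 EXT oid=1.3.6.1.1.8
Jan 20 12:00:02 ldap1 slapd[2210]: conn=1001 op=2 EXT oid=1.3.6.1.1.8
Jan 20 12:00:02 ldap1 slapd[2210]: conn=1001 op=3 EXT oid=1.3.6.1.1.8
Jan 20 12:00:03 ldap1 slapd[2210]: conn=1000 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.3
Jan 20 12:00:03 ldap1 slapd[2210]: conn=1002 fd=14 ACCEPT from IP=10.0.0.9:50600 (IP=0.0.0.0:389)
Jan 20 12:00:03 ldap1 slapd[2210]: conn=1002 op=0 EXT oid=1.3.6.1.1.8
""".splitlines()


def cancel_ops_by_source(lines, threshold=3):
    """
    Count Cancel extended operations per source IP and return
    (all_counts, flagged), where flagged holds sources at or above threshold.
    Connection IDs are resolved to IPs through their ACCEPT line; a Cancel on
    a connection accepted before the log window started is attributed to
    'unknown' rather than dropped.
    """
    conn_to_ip = {}
    counts = Counter()
    for line in lines:
        m = ACCEPT_RE.search(line)
        if m:
            conn_to_ip[m.group(1)] = m.group(2)
            continue
        m = EXT_RE.search(line)
        if m and m.group(3) == CANCEL_OID:
            counts[conn_to_ip.get(m.group(1), "unknown")] += 1
    flagged = {ip: n for ip, n in counts.items() if n >= threshold}
    return counts, flagged


def last_cancel_seen(lines):
    """
    Return the (conn, op) of the final Cancel request in the log, or None.
    When slapd or one of its connections has stopped responding, this is the
    request to look at first.
    """
    last = None
    for line in lines:
        m = EXT_RE.search(line)
        if m and m.group(3) == CANCEL_OID:
            last = (m.group(1), m.group(2))
    return last


if __name__ == "__main__":
    counts, flagged = cancel_ops_by_source(SAMPLE_LOG)
    print("cancel exops per source:", dict(counts))
    print("flagged sources:", flagged)
    print("last cancel seen:", last_cancel_seen(SAMPLE_LOG))
```

A single crafted Cancel is enough to trigger the hang, so the per-source count is for attribution and for spotting scanners, not a reliable pre-exploit signal; the source with a count of 1 can still be the culprit, which is why the last Cancel seen is reported separately.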

🔗 References

  • OpenLDAP ITS#9428: https://bugs.openldap.org/show_bug.cgi?id=9428