CVE-2021-22532
📋 TL;DR
This vulnerability in OpenText (formerly Micro Focus / NetIQ) eDirectory allows an attacker who can reach the NLDAP listener (eDirectory's LDAP server module) to cause a denial of service with crafted NLDAP requests. It affects eDirectory versions before 9.2.4.0000 and can take down directory services for organizations that depend on eDirectory for authentication and lookups.
💻 Affected Systems
- OpenText eDirectory
📦 What is this software?
eDirectory by Micro Focus (originally Novell, then NetIQ; now OpenText): an X.500-style directory service used for enterprise identity, authentication and authorization. NLDAP is its LDAP server module, listening by default on TCP 389 (LDAP) and 636 (LDAPS); eDirectory's native NCP protocol uses TCP 524 and is a separate listener.
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption of eDirectory, preventing authentication, authorization, and directory lookups across the organization.
Likely Case
Service degradation or temporary unavailability of eDirectory services until the service is restarted.
If Mitigated
Exposure reduced to the hosts permitted to reach the NLDAP listener; an attacker on a trusted segment can still trigger the denial of service until the patch is applied, so segmentation buys time rather than closing the issue.
🎯 Exploit Status
Exploitation needs network reachability to the NLDAP listener and the ability to send crafted LDAP requests; the advisory states no authentication requirement and no public proof of concept is cited here. Treat any host that can open TCP 389/636 to the server as a candidate source.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.2.4.0000 or later
Vendor Advisory: https://www.netiq.com/documentation/edirectory-92/edirectory925_releasenotes/data/edirectory925_releasenotes.html
Restart Required: Yes
Instructions:
1. Download eDirectory 9.2.4.0000 or later from the OpenText support portal.
2. Back up the current eDirectory configuration and data.
3. Install the update following the vendor documentation.
4. Restart eDirectory services.
🔧 Temporary Workarounds
Disable NLDAP
Unload the NLDAP module (eDirectory's LDAP server, TCP 389/636) only if nothing in the environment binds over LDAP; every LDAP-dependent application and SSO integration stops working while it is down. On Linux, 'nldap -u' unloads the module at runtime and 'nldap -l' reloads it; that change does not survive an ndsd restart. The 'ndsconfig' parameters below are the ones this page lists; confirm the parameter names against 'ndsconfig get' on your build before applying them.
ndsconfig set nldap.enable=off
ndsconfig set nldap.port=0
Network ACL Restriction
Restrict the NLDAP listener ports (TCP 389 for LDAP and 636 for LDAPS by default) to trusted networks. Port 524 is NCP, eDirectory's native protocol, not the LDAP listener. Place these rules ahead of any broad ACCEPT already in the INPUT chain (use -I instead of -A if one exists); 10.0.0.0/8 is a placeholder for your trusted range.
iptables -A INPUT -p tcp -m multiport --dports 389,636 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 389,636 -j DROP
🧯 If You Can't Patch
- Implement network segmentation to restrict access to eDirectory services
- Deploy rate limiting or DoS protection on network devices in front of eDirectory
🔍 How to Verify
Check if Vulnerable:
Run 'ndsstat' on the eDirectory host; its "Product Version" line reports the installed release. Anything below 9.2.4.0000 is affected. 'ndsconfig get' lists configuration parameters, not the product version.
Check Version:
ndsstat
Verify Fix Applied:
Confirm 'ndsstat' reports 9.2.4.0000 or later after the restart, then confirm LDAP clients can still bind. Querying the rootDSE, for example 'ldapsearch -x -H ldaps://<server> -s base -b "" vendorVersion', both tests connectivity and returns the version string as the LDAP server itself reports it.
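The version test above is easy to get wrong by comparing strings ("9.2.10" sorts before "9.2.4" lexicographically). The script below is an added example, not vendor tooling: it compares a reported version against 9.2.4.0000 component by component and pulls the version out of 'ndsstat' or rootDSE output. The 'ndsstat' sample and the vendorVersion line are constructed for this example; real output may differ in wording, so check the "Product Version:" label against your build.

```shell
#!/bin/sh
# Added example (not vendor tooling): decide whether an eDirectory server's
# reported version is below the fixed release 9.2.4.0000.
# Assumption: `ndsstat` prints a "Product Version:" line containing the
# release as vN.N.N; the rootDSE attribute vendorVersion carries it too.

FIXED_VERSION="9.2.4.0000"

# Constructed sample of `ndsstat` output for an unpatched 9.2.3 server.
SAMPLE_NDSSTAT='Tree Name: CORP_TREE
Server Name: .CN=SRV1.O=CORP.T=CORP_TREE.
Binary Version: 40203.04
Root Most Entry Depth: 0
Product Version: eDirectory for Linux x86_64 v9.2.3 [DS]'

# component N VERSION: N-th dot-separated numeric field, 0 when absent.
# Padding with ".0.0.0" keeps cut(1) well-defined on short strings, and
# stripping leading zeros stops "0000" from being read as octal.
component() {
    c=$(printf '%s.0.0.0' "$2" | cut -d. -f"$1" | sed 's/^0*//')
    printf '%s' "${c:-0}"
}

# version_lt A B: exit 0 if A < B, comparing up to four numeric components.
version_lt() {
    a=$(printf '%s' "$1" | sed 's/^[vV]//')
    b=$(printf '%s' "$2" | sed 's/^[vV]//')
    i=1
    while [ "$i" -le 4 ]; do
        x=$(component "$i" "$a"); y=$(component "$i" "$b")
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
    return 1   # equal
}

# extract_version LABEL TEXT: the last dotted version (at least three
# numeric parts) on the line starting with LABEL, so "x86_64" is skipped.
extract_version() {
    printf '%s\n' "$2" |
        sed -n "/^$1/s/.*[^0-9.]\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9.]*\).*/\1/p" |
        head -n 1
}

# vulnerable_from_ndsstat TEXT: 0 = below fix, 1 = patched, 2 = unparsable.
vulnerable_from_ndsstat() {
    v=$(extract_version 'Product Version:' "$1")
    [ -n "$v" ] || return 2
    version_lt "$v" "$FIXED_VERSION"
}

report() {
    v=$(extract_version 'Product Version:' "$1")
    if [ -z "$v" ]; then
        printf 'could not find Product Version in ndsstat output\n'
    elif version_lt "$v" "$FIXED_VERSION"; then
        printf 'VULNERABLE: eDirectory %s is below %s\n' "$v" "$FIXED_VERSION"
    else
        printf 'OK: eDirectory %s is at or above %s\n' "$v" "$FIXED_VERSION"
    fi
}

# With --live, run the real ndsstat on this host; otherwise use the sample.
check_local_server() {
    out=$(ndsstat 2>/dev/null) || { echo "ndsstat unavailable or ndsd not running"; return 2; }
    report "$out"
}

case "${1:-}" in
    --live) check_local_server ;;
    *)      report "$SAMPLE_NDSSTAT" ;;
esac
```

Run it with --live on the server itself; without arguments it evaluates the constructed sample and prints the VULNERABLE line. The same extract_version helper works on 'ldapsearch' rootDSE output by passing 'vendorVersion:' as the label.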
📡 Detection & Monitoring
Log Indicators:
- Bursts of new LDAP connections or binds from a single source in the NLDAP trace (ndstrace with the LDAP flag enabled)
- Malformed or repeatedly failing LDAP operations from one source
- Unexpected ndsd restarts or crash dumps following LDAP activity; a single crafted request that crashes the listener leaves almost no volume signal, so the restart itself is the indicator
Network Indicators:
- High volume of traffic to TCP 389/636 (the NLDAP listener; 524 is NCP, not LDAP)
- LDAP request sizes or structures that deviate from the baseline for known clients
SIEM Query:
Pseudo-query; the event source and field names are placeholders to map onto your SIEM's schema:
  source IN (edirectory, ndsd) AND (message matches "LDAP" OR dest_port IN (389, 636))
  | count by src_ip over 1m | where count > baseline_threshold
  OR (source = ndsd AND message matches "restart" OR "crash")