CVE-2021-27212

7.5 HIGH

📋 TL;DR

This vulnerability in OpenLDAP allows remote attackers to cause a denial of service by sending a specially crafted packet with a short timestamp, triggering an assertion failure that crashes the slapd daemon. It affects OpenLDAP servers running vulnerable versions, potentially disrupting directory services. The attack requires network access to the LDAP service port.

💻 Affected Systems

Products:
  • OpenLDAP
Versions: OpenLDAP 2.4.x through 2.4.57 and 2.5.x through 2.5.1alpha
Operating Systems: All operating systems running vulnerable OpenLDAP versions
Default Config Vulnerable: ⚠️ Yes
Notes: All OpenLDAP installations with slapd running are vulnerable regardless of configuration. The vulnerability is in core schema validation code.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service outage of LDAP directory services, disrupting authentication, authorization, and directory lookups for all dependent applications and users.

🟠

Likely Case

Intermittent slapd daemon crashes requiring manual restart, causing temporary authentication failures and service disruptions.

🟢

If Mitigated

Minimal impact with proper network segmentation and monitoring allowing quick detection and restart of affected services.

🌐 Internet-Facing: HIGH - Directly exploitable via network packets to LDAP port (389/636), no authentication required.
🏢 Internal Only: MEDIUM - Still exploitable by internal attackers or compromised systems, but requires network access to LDAP service.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is triggered by sending malformed LDAP packets with short timestamps. Proof of concept details are available in the bug report and commit references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: OpenLDAP 2.4.58 and 2.5.2 or later

Vendor Advisory: https://bugs.openldap.org/show_bug.cgi?id=9454

Restart Required: Yes

Instructions:

1. Download and install OpenLDAP 2.4.58+ or 2.5.2+ from openldap.org.
2. Stop the slapd service.
3. Install the updated packages.
4. Restart the slapd service.
5. Verify the service is running and responding.

🔧 Temporary Workarounds

Network Access Control

linux

Restrict network access to LDAP ports (389/636) to only trusted sources using firewall rules.

# trusted_network is a placeholder for the permitted source CIDR; rules are appended in order, so the ACCEPT must precede the DROP
iptables -A INPUT -p tcp -m multiport --dports 389,636 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 389,636 -j DROP

Service Monitoring and Auto-restart

linux

Configure monitoring to detect slapd crashes and automatically restart the service.

systemctl enable slapd
mkdir -p /etc/systemd/system/slapd.service.d   # drop-in directory that `systemctl edit slapd` would create
printf '[Service]\nRestart=always\n' > /etc/systemd/system/slapd.service.d/override.conf
systemctl daemon-reload && systemctl restart slapd

🧯 If You Can't Patch

  • Implement strict network segmentation to limit LDAP access to only required systems
  • Deploy intrusion detection systems to monitor for malformed LDAP packets and alert on crash events

🔍 How to Verify

Check if Vulnerable:

Check OpenLDAP version: slapd -VV 2>&1 | grep -i 'openldap' and compare against affected versions (2.4.0-2.4.57, 2.5.0-2.5.1alpha)

Check Version:

slapd -VV 2>&1 | grep -i 'openldap' || ldapsearch -x -H ldap://localhost -b '' -s base 'objectclass=*' vendorVersion

Verify Fix Applied:

Verify version is 2.4.58+ or 2.5.2+: slapd -VV 2>&1 | grep -i 'openldap' and check service is running: systemctl status slapd
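The version checks above are one-liners meant to be read by a human. The script below is an added example, not part of this advisory or the OpenLDAP project: it pulls the version token out of a `slapd -VV` banner and classifies it against the affected ranges stated above (2.4.0-2.4.57 and 2.5.0-2.5.1alpha, fixed in 2.4.58 and 2.5.2). The banner lines are constructed samples in the shape `slapd -VV` prints; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the advisory or OpenLDAP): classify an OpenLDAP
# version against the CVE-2021-27212 affected ranges.

# Constructed banner lines in the shape `slapd -VV` prints (not captured from a real host).
SAMPLE_BANNER_OLD='@(#) $OpenLDAP: slapd 2.4.57+dfsg-3 (Jan 28 2021 12:00:00) $'
SAMPLE_BANNER_FIXED='@(#) $OpenLDAP: slapd 2.4.58 (Mar 01 2021 12:00:00) $'

# Print the bare version token (digits, dots, optional suffix such as "alpha")
# from one banner line; distribution suffixes like "+dfsg-3" are dropped.
openldap_version_from_banner() {
  printf '%s\n' "$1" | sed -n 's/.*slapd \([0-9][0-9.]*[a-z]*\).*/\1/p'
}

# Return 0 (true) when the version is in 2.4.0-2.4.57 or 2.5.0-2.5.1alpha, 1 otherwise.
openldap_vulnerable() {
  v=$1
  major=${v%%.*}
  rest=${v#*.}
  minor=${rest%%.*}
  case "$rest" in
    *.*) patch=${rest#*.} ;;
    *)   patch=0 ;;
  esac
  # Strip a textual suffix like "alpha" so 2.5.1alpha compares numerically as patch 1.
  patch=$(printf '%s' "$patch" | sed 's/[^0-9].*//')
  [ -n "$patch" ] || patch=0
  case "$major.$minor" in
    2.4) [ "$patch" -le 57 ] ;;
    2.5) [ "$patch" -le 1 ] ;;
    *)   return 1 ;;
  esac
}

# Wrapper for a live host: run slapd -VV and report. Returns 1 when affected,
# 2 when slapd is not found, 0 otherwise.
check_local_slapd() {
  banner=$(slapd -VV 2>&1 | grep -i openldap) || { echo "slapd not found"; return 2; }
  ver=$(openldap_version_from_banner "$banner")
  if openldap_vulnerable "$ver"; then
    echo "OpenLDAP $ver: AFFECTED by CVE-2021-27212, upgrade to 2.4.58+ / 2.5.2+"
    return 1
  fi
  echo "OpenLDAP $ver: not in an affected range"
}

# Run the live check only when explicitly asked, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then
  check_local_slapd
fi
```

Run it as `sh check_openldap.sh --check` on the host, or source it and call `openldap_vulnerable` on a version string taken from package metadata. The comparison is only as good as the token it parses: a vendor-backported fix keeps the old version number, so treat a "vulnerable" result as a prompt to check the distribution's changelog, not as proof.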

📡 Detection & Monitoring

Log Indicators:

  • slapd daemon crash/restart messages in syslog
  • Assertion failed messages related to issuerAndThisUpdateCheck or schema_init.c
  • Unexpected slapd process termination

Network Indicators:

  • Malformed LDAP packets with short timestamp fields
  • Multiple connection attempts to LDAP port followed by service unavailability

SIEM Query:

source="syslog" AND (process="slapd" AND (event="crash" OR event="terminated" OR message="assertion fail*"))
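The SIEM query above assumes the log platform has already normalised events. Where only raw syslog is available, the script below (an added example, not from this advisory) applies the same log indicators with grep and awk and reports the last client connection accepted before the assertion fired. The log lines are constructed samples: the ACCEPT lines follow slapd's connection log format, the systemd lines follow its unit-failure messages, and the assertion line only approximates the shape of a glibc assertion message with placeholder line number and expression.

```shell
#!/bin/sh
# Added example (not from the advisory): scan syslog-style lines for the
# slapd crash indicators listed above.

# Constructed sample log (shape only; NNNN and EXPR are placeholders, not OpenLDAP's real values).
SAMPLE_LOG=$(cat <<'EOF'
Feb 20 10:01:02 ldap1 slapd[1234]: conn=1001 fd=12 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)
Feb 20 10:01:02 ldap1 slapd[1234]: conn=1002 fd=13 ACCEPT from IP=192.0.2.11:40001 (IP=0.0.0.0:389)
Feb 20 10:01:03 ldap1 slapd[1234]: slapd: schema_init.c:NNNN: issuerAndThisUpdateCheck: Assertion `EXPR' failed.
Feb 20 10:01:03 ldap1 systemd[1]: slapd.service: Main process exited, code=killed, status=6/ABRT
Feb 20 10:01:08 ldap1 systemd[1]: slapd.service: Scheduled restart job, restart counter is at 1.
Feb 20 10:02:00 ldap1 slapd[1300]: conn=1003 fd=12 ACCEPT from IP=192.0.2.12:40002 (IP=0.0.0.0:389)
EOF
)

# Extended regex covering the log indicators: assertion text, the function and
# file named in the CVE, and systemd's exit/restart messages for slapd.service.
CRASH_PATTERN='slapd.*(Assertion .* failed|issuerAndThisUpdateCheck|schema_init\.c)|slapd\.service: (Main process exited|Scheduled restart job)'

# Print how many lines of $1 match the crash indicators (0 when none match).
count_slapd_crash_indicators() {
  n=$(printf '%s\n' "$1" | grep -c -E "$CRASH_PATTERN") || true
  printf '%s\n' "$n"
}

# Print the source IP of the last connection slapd accepted before the first
# assertion line. This is a correlation hint for triage, not proof that this
# client sent the malformed packet: other connections may have been open.
# IPv4 only; bracketed IPv6 addresses would need a different second sub().
last_client_before_crash() {
  printf '%s\n' "$1" | awk '
    / ACCEPT from IP=/ {
      ip = $0
      sub(/.*ACCEPT from IP=/, "", ip)
      sub(/:[0-9]+ .*/, "", ip)
      last = ip
    }
    /Assertion .* failed/ { print last; exit }
  '
}

# Report on a real log when a path is given, otherwise on the constructed sample.
if [ -n "${1:-}" ] && [ -r "$1" ]; then
  LOG=$(cat "$1")
else
  LOG=$SAMPLE_LOG
fi
echo "crash indicators: $(count_slapd_crash_indicators "$LOG")"
echo "last client before crash: $(last_client_before_crash "$LOG")"
```

Point it at `/var/log/syslog` (or `journalctl -u slapd -o short` output saved to a file) on a suspect host. A non-zero indicator count on a server that has not been patched is the signal to raise; an assertion line followed by a systemd restart is the crash-and-recover pattern described under Likely Case above.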
