CVE-2021-33668

7.5 HIGH

📋 TL;DR

CVE-2021-33668 is an LDAP injection vulnerability in SAP's SCIMono software that allows unauthenticated attackers to inject malicious LDAP queries. This could lead to partial information disclosure from LDAP directories. Organizations using affected versions of SCIMono are vulnerable.

💻 Affected Systems

Products:
  • SAP SCIMono
Versions: prior to 1.12.0
Operating Systems: All platforms running SCIMono
Default Config Vulnerable: ⚠️ Yes
Notes: Any SCIMono instance with LDAP integration is vulnerable in default configurations.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete LDAP directory enumeration leading to exposure of sensitive user data, organizational structure, and potentially credential harvesting.

🟠 Likely Case

Partial information disclosure from LDAP queries, potentially revealing user attributes, group memberships, or limited directory information.

🟢 If Mitigated

No impact if proper input validation and LDAP query sanitization are implemented.

🌐 Internet-Facing: HIGH - Unauthenticated exploitation makes internet-facing instances particularly vulnerable.
🏢 Internal Only: MEDIUM - Internal systems are still vulnerable but require network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

LDAP injection is a well-known attack vector with established exploitation techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.12.0 and later

Vendor Advisory: https://github.com/SAP/scimono/security/advisories/GHSA-wg9g-w4fg-3qqc

Restart Required: Yes

Instructions:

1. Upgrade SCIMono to version 1.12.0 or later.
2. Restart the SCIMono service.
3. Verify the upgrade was successful.

🔧 Temporary Workarounds

Input Validation Filter (applies to: all)

  • Implement custom input validation to sanitize LDAP query parameters
  • Implement parameterized LDAP queries in application code
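
The sanitization workaround above, worked through as an added example (this is not SCIMono's own code; the `uid`/`objectClass` attribute names and the filter shape are assumptions chosen for illustration). The escaping follows RFC 4515 section 3, which is what "parameterized" LDAP helpers such as Spring LDAP's `LdapEncoder.filterEncode` do internally: every metacharacter in a caller-supplied assertion value is hex-escaped so it can no longer open or close a filter component.

```python
"""RFC 4515 assertion-value escaping: the input-validation workaround in code.
Added example, not SCIMono's own code; attribute names and filter shapes are
assumptions chosen for illustration."""

# RFC 4515 section 3 requires these characters to be hex-escaped inside an
# assertion value so they cannot change the structure of the filter.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_ldap_filter_value(value: str) -> str:
    """Return `value` escaped for safe embedding in an LDAP search filter."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter_unsafe(username: str) -> str:
    """Vulnerable pattern: caller-controlled text concatenated into the filter."""
    return f"(&(objectClass=person)(uid={username}))"


def build_user_filter_safe(username: str) -> str:
    """Hardened pattern: the value is escaped before it reaches the filter."""
    return f"(&(objectClass=person)(uid={escape_ldap_filter_value(username)}))"


def count_filter_components(ldap_filter: str) -> int:
    """Number of literal '(' in a filter; each one opens a filter component.
    An escaped value contributes none, so a changed count reveals that input
    altered the query structure rather than just the matched value."""
    return ldap_filter.count("(")


if __name__ == "__main__":
    # Constructed input containing the metacharacters listed in the detection
    # section; it is the kind of value the workaround must neutralise.
    probe = "*)(objectClass=*"
    for builder in (build_user_filter_unsafe, build_user_filter_safe):
        f = builder(probe)
        print(f"{builder.__name__}: {f}  components={count_filter_components(f)}")
```

Two caveats for anyone wiring this into application code: the escaping above is for filter assertion values only, and a value that ends up in a distinguished name needs the separate RFC 4514 DN escaping; and escaping is the floor, not the ceiling, so an allow-list on the expected character set of a SCIM `userName` is still worth applying before the value is handed to the directory.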

Network Segmentation (applies to: all)

  • Restrict access to SCIMono instances to trusted networks only
  • Configure firewall rules to limit access to SCIMono ports

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block LDAP injection patterns
  • Disable or restrict LDAP functionality in SCIMono if not required

🔍 How to Verify

Check if Vulnerable:

Check SCIMono version - if below 1.12.0, the system is vulnerable

Check Version:

Check SCIMono application logs or configuration for version information

Verify Fix Applied:

Verify SCIMono version is 1.12.0 or higher and test LDAP query functionality

📡 Detection & Monitoring

Log Indicators:

  • Unusual LDAP query patterns
  • Malformed LDAP requests
  • Failed authentication attempts with special characters

Network Indicators:

  • LDAP queries containing special characters like *, (, ), &, |, =, !

SIEM Query:

source="scimono" AND (message="*LDAP*" OR message="*query*") AND (message="*)*" OR message="*(*" OR message="*&*" OR message="*|*")
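
The SIEM query above matches on the whole log message, so every legitimate LDAP filter the application logs will hit it. The following added example (not SCIMono's code; the log line format is constructed for illustration, since SCIMono's real log layout is not given here) narrows the check to the caller-supplied SCIM filter values and flags only those that carry the metacharacters listed under Network Indicators.

```python
"""Detection helper for the log indicators above: pull the caller-supplied
SCIM filter out of each request log line and flag assertion values that
contain LDAP filter metacharacters. Added example; the log format is
constructed, not SCIMono's real layout."""
import re

# Constructed sample lines (not real SCIMono output). The filter="..." field
# holds the SCIM filter sent by the client, which the application later turns
# into an LDAP search filter. The fifth line has no filter and must be skipped.
SAMPLE_LOGS = [
    "2021-06-10T10:00:01Z scimono GET /Users filter=\"userName eq 'alice'\" status=200",
    "2021-06-10T10:00:02Z scimono GET /Users filter=\"userName eq '*)(objectClass=*'\" status=200",
    "2021-06-10T10:00:03Z scimono GET /Groups filter=\"displayName eq 'admins'\" status=200",
    "2021-06-10T10:00:04Z scimono GET /Users filter=\"userName eq 'bob)(|(uid=*'\" status=500",
    "2021-06-10T10:00:05Z scimono GET /ServiceProviderConfig status=200",
]

# Assumed line layout: <timestamp> scimono <method> <path> filter="<scim filter>" ...
LOG_RE = re.compile(
    r'^(?P<ts>\S+) scimono (?P<method>\S+) (?P<path>\S+) filter="(?P<filter>[^"]*)"'
)
# Quoted assertion values inside the SCIM filter, e.g. userName eq 'alice'.
VALUE_RE = re.compile(r"'([^']*)'")
# Characters that open/close/combine LDAP filter components or match wildcards
# (the Network Indicators set, minus '=' which is too common to be useful on its own).
META_RE = re.compile(r"[*()&|!\x00]")


def suspicious_values(scim_filter: str) -> list[tuple[str, str]]:
    """Return (value, metachars) for each quoted value carrying LDAP metacharacters."""
    hits = []
    for value in VALUE_RE.findall(scim_filter):
        chars = "".join(sorted(set(META_RE.findall(value))))
        if chars:
            hits.append((value, chars))
    return hits


def scan_logs(lines: list[str]) -> list[dict]:
    """Run the check over log lines; lines without a filter field are ignored."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for value, chars in suspicious_values(m["filter"]):
            alerts.append(
                {"ts": m["ts"], "path": m["path"], "value": value, "metachars": chars}
            )
    return alerts


if __name__ == "__main__":
    for alert in scan_logs(SAMPLE_LOGS):
        print(alert)
```

Because the check looks inside the quoted value rather than at the message as a whole, the two legitimate lookups produce no alert while the two lines whose values carry `(`, `)`, `*` or `|` do; the same logic ports to a SIEM as a regex applied to the extracted filter field.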
