CVE-2021-33900
📋 TL;DR
Apache Directory Studio 2.0.0.v20210213-M16 and earlier does not apply StartTLS when a connection is configured to use it together with a SASL bind (DIGEST-MD5 or GSSAPI), and it also does not apply the SASL confidentiality/integrity layer (quality of protection) the user configured. A connection the user believes is encrypted therefore carries the SASL exchange and every subsequent LDAP operation in cleartext, readable by anyone on the network path between the workstation and the LDAP server. Every user of an affected version who connects with SASL is exposed; the client gives no warning that protection was silently dropped.
💻 Affected Systems
- Apache Directory Studio
📦 What is this software?
Apache Directory Studio is the Eclipse-based LDAP browser and directory tooling from the Apache Directory project. It is a desktop client used by administrators to browse, search and edit LDAP directories, so the credentials it handles are typically privileged directory accounts.
⚠️ Risk & Real-World Impact
Worst Case
An attacker on the network path captures a privileged administrator's session: the SASL exchange, every entry returned by searches, and any modifications (including password attributes) sent to the directory. Harvested directory data and credentials then support lateral movement and further compromise of systems that trust the directory.
Likely Case
DIGEST-MD5 and GSSAPI do not put the password itself on the wire, but without StartTLS or a SASL confidentiality layer the DIGEST-MD5 challenge/response (attackable offline) or the Kerberos ticket exchange is visible, and every query and response after the bind is cleartext. The realistic outcome is passive interception of directory contents and the authentication exchange by anyone who can sniff the segment.
If Mitigated
If Directory Studio is only used from a trusted, segmented management network and the LDAP server is reachable only over LDAPS, an attacker needs a foothold on that segment first; the residual risk is exposure of the authentication exchange and directory data to an already-present insider or compromised host, not a direct path to system compromise.
🎯 Exploit Status
No exploit code is needed: exploitation is passive capture by anyone positioned between the workstation running Directory Studio and the LDAP server (shared LAN with ARP spoofing, a compromised switch or router, or a tap). The victim sees nothing, because the client believes StartTLS was applied.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 2.0.0.v20210213-M16 (the first release following M16 contains the fix)
Vendor Advisory: https://lists.apache.org/thread.html/rb1dbcc43a5b406e45d335343a1704f4233de613140a01929d102fdc9%40%3Cusers.directory.apache.org%3E
Restart Required: Yes (restart the Directory Studio application; no operating system reboot is needed)
Instructions:
1. Download the latest Apache Directory Studio from the official Apache Directory website
2. Close and uninstall (or delete) the old installation
3. Install the new version
4. Start Directory Studio, open each connection that uses SASL, and confirm its encryption (StartTLS or LDAPS) and SASL quality-of-protection settings are what you intend, since the fixed version will now actually enforce them
🔧 Temporary Workarounds
Use simple authentication instead of SASL
Applies to: all affected versions. The bug is specific to the SASL code path, so a connection configured for simple bind still gets its StartTLS or LDAPS encryption. Never switch to simple bind without StartTLS or LDAPS: a simple bind sends the password itself in cleartext, which is worse than the vulnerability. Reconfigure the connection from SASL DIGEST-MD5 or GSSAPI to simple bind and keep encryption enabled.
Use LDAPS instead of StartTLS
Applies to: all affected versions. With LDAPS the TLS handshake happens before any LDAP message is sent, so it does not depend on the client deciding to upgrade the session. Change the connection to use ldaps:// on port 636 instead of ldap:// on 389 with StartTLS. The SASL confidentiality layer is still not applied by the affected client, but TLS covers the whole session.
Whichever workaround you choose, confirm it on the wire: capture the session and check that the first bytes to the server are a TLS ClientHello (LDAPS) rather than an LDAP bind request.
🧯 If You Can't Patch
- Restrict Directory Studio use to a trusted management network segment with no untrusted hosts on the same broadcast domain
- Monitor port 389 for SASL bind requests that are not preceded by a StartTLS extended operation, and alert on them
- Where possible, configure the LDAP server to refuse binds on cleartext sessions so the client's failure to start TLS becomes a visible error instead of a silent downgrade
🔍 How to Verify
Check if Vulnerable:
Open Help > About Apache Directory Studio and read the version string. If it is 2.0.0.v20210213-M16 or earlier (milestone M16 or lower) and you have connections using SASL DIGEST-MD5 or GSSAPI, you are vulnerable.
Check Version:
In Directory Studio: Help > About Apache Directory Studio
Verify Fix Applied:
After updating, confirm the version shown in Help > About is newer than 2.0.0.v20210213-M16, then capture one SASL connection and verify that a StartTLS extended request (OID 1.3.6.1.4.1.1466.20037) followed by a TLS handshake appears before any bind request.
📡 Detection & Monitoring
Log Indicators:
- Server-side bind logs showing SASL (DIGEST-MD5 or GSSAPI) binds from administrator workstations on a session that never established TLS; for example, OpenLDAP logs a "TLS established tls_ssf=... ssf=..." line for the connection before a protected bind, and its absence before a SASL bind is the indicator
- SASL binds rejected by the server because the client did not wrap PDUs in the negotiated confidentiality layer
Network Indicators:
- LDAP bind requests with the SASL authentication choice visible in cleartext on port 389 (Wireshark display filter: ldap.mechanism == "DIGEST-MD5" || ldap.mechanism == "GSSAPI")
- No StartTLS extended request and no TLS ClientHello on port 389 before the bind
SIEM Query (pseudo-query; field names depend on your SIEM and sensor):
dest_port:389 AND protocol:ldap AND bind_type:sasl AND NOT tls_handshake
Note that the server port, not the client's ephemeral source port, is 389.
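The detection logic above, and the wire check recommended for the workarounds, as an added example that is not part of the advisory or of the Apache Directory Studio code base: a minimal BER decoder for the two client LDAP PDUs that matter (ExtendedRequest and BindRequest) that walks one TCP session's client-to-server payloads in order and reports a SASL or simple bind sent before any StartTLS. The sample sessions at the bottom are constructed with a matching mini-encoder for illustration; they are not real captures, and the tag values come from RFC 4511.

```python
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # StartTLS extended operation, RFC 4511 section 4.14


def _encode_len(n):
    """BER definite length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    """Encode one BER element (tag, length, value)."""
    return bytes([tag]) + _encode_len(len(payload)) + payload


def _read_tlv(buf, pos):
    """Decode the element at buf[pos:]; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long form
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _children(payload):
    """Split a constructed element's value into its child (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(payload):
        tag, value, pos = _read_tlv(payload, pos)
        out.append((tag, value))
    return out


# Encoders for the client PDUs the detector cares about; used here only to build samples.
def ldap_message(msg_id, protocol_op):
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + protocol_op)   # msg_id < 128 in the samples


def starttls_request(msg_id):
    # ExtendedRequest is [APPLICATION 23] (0x77); requestName is [0] (0x80)
    return ldap_message(msg_id, tlv(0x77, tlv(0x80, STARTTLS_OID.encode())))


def sasl_bind_request(msg_id, mechanism, creds=b""):
    # BindRequest is [APPLICATION 0] (0x60): version, name, AuthenticationChoice sasl [3] (0xA3)
    sasl = tlv(0xA3, tlv(0x04, mechanism.encode()) + tlv(0x04, creds))
    return ldap_message(msg_id, tlv(0x60, tlv(0x02, b"\x03") + tlv(0x04, b"") + sasl))


def simple_bind_request(msg_id, dn, password):
    # AuthenticationChoice simple [0] (0x80) carries the password as an OCTET STRING
    simple = tlv(0x80, password.encode())
    return ldap_message(msg_id, tlv(0x60, tlv(0x02, b"\x03") + tlv(0x04, dn.encode()) + simple))


def parse_client_pdu(pdu):
    """Classify one client LDAPMessage as ('starttls',), ('extended', oid),
    ('bind', 'simple' | 'sasl:<mechanism>') or ('other', protocolOp tag)."""
    tag, payload, _ = _read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE (TLS records start with 0x16)")
    op_tag, op_payload = _children(payload)[1]      # child 0 is messageID; controls, if any, follow
    if op_tag == 0x77:
        name = next(v for t, v in _children(op_payload) if t == 0x80).decode()
        return ("starttls",) if name == STARTTLS_OID else ("extended", name)
    if op_tag == 0x60:
        auth_tag, auth_payload = _children(op_payload)[2]
        if auth_tag == 0x80:
            return ("bind", "simple")
        if auth_tag == 0xA3:
            return ("bind", "sasl:" + _children(auth_payload)[0][1].decode())
        return ("bind", "unknown")
    return ("other", op_tag)


def audit_session(client_segments, port=389):
    """Walk one TCP session's client-to-server payloads in order and return findings.
    On 636 (LDAPS) the whole session is inside TLS, so nothing is parsed or flagged."""
    findings, tls_active = [], (port == 636)
    for segment in client_segments:
        if tls_active:
            break                                    # after StartTLS the bytes are TLS records, not LDAP
        kind = parse_client_pdu(segment)
        if kind[0] == "starttls":
            tls_active = True
        elif kind[0] == "bind":
            if kind[1].startswith("sasl:"):
                findings.append(f"SASL bind ({kind[1][5:]}) sent without StartTLS on port {port}")
            elif kind[1] == "simple":
                findings.append(f"simple bind (password in cleartext) on port {port}")
    return findings


# Constructed sample sessions (not real captures).
# Affected Directory Studio with StartTLS + DIGEST-MD5 configured: the bind goes out with no StartTLS first.
VULNERABLE_SESSION = [sasl_bind_request(1, "DIGEST-MD5")]
# Correct client: StartTLS request, then only TLS records (the bind travels inside TLS).
FIXED_SESSION = [starttls_request(1), b"\x16\x03\x01\x00\x05hello"]

if __name__ == "__main__":
    print(audit_session(VULNERABLE_SESSION))   # one finding
    print(audit_session(FIXED_SESSION))        # []
```

To use it against a real capture, feed each client-to-server TCP payload of a port 389 session into audit_session in stream order; a finding on a session from an administrator workstation is the signature of this bug (or of a client deliberately configured without encryption). For the LDAPS workaround, a session on 636 whose first payload starts with 0x16 rather than 0x30 confirms that TLS, not LDAP, is what reaches the server first.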