CVE-2021-3480
📋 TL;DR
CVE-2021-3480 is a NULL pointer dereference vulnerability in slapi-nis that allows unauthenticated attackers to crash the 389-ds-base directory server by sending specially crafted Binding DN requests. It affects 389 Directory Server systems running slapi-nis versions before 0.56.7. The primary impact is denial of service through service crashes.
💻 Affected Systems
- 389 Directory Server
- slapi-nis
📦 What is this software?
Fedora by Fedoraproject
Slapi Nis by Slapi Nis Project
⚠️ Risk & Real-World Impact
Worst Case
Sustained denial of service attacks could render directory services completely unavailable, disrupting authentication, authorization, and directory lookups for dependent applications.
Likely Case
Intermittent service crashes causing directory service outages and authentication failures for users and applications.
If Mitigated
With proper network segmentation and access controls, only authorized clients could trigger the crash, reducing attack surface.
🎯 Exploit Status
The vulnerability requires sending specially crafted LDAP requests but does not require authentication. Crash conditions are relatively easy to trigger.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: slapi-nis 0.56.7 or later
Vendor Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=1944640
Restart Required: Yes
Instructions:
1. Update slapi-nis package to version 0.56.7 or later using your distribution's package manager.
2. Restart the 389-ds-base directory server service.
3. For RHEL/CentOS: 'yum update slapi-nis' then 'systemctl restart dirsrv@instance-name'.
4. For Fedora: 'dnf update slapi-nis' then restart directory server.
🔧 Temporary Workarounds
Network Access Control
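Linux: Restrict access to LDAP ports (389, 636) to trusted networks only using firewall rules.
# trusted_network is a placeholder for your trusted source address or CIDR range
iptables -A INPUT -p tcp -m multiport --dports 389,636 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 389,636 -j DROP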
Load Balancer Filtering
All platforms: Configure load balancers or reverse proxies to filter suspicious LDAP requests before they reach directory servers.
🧯 If You Can't Patch
- Implement strict network segmentation to limit LDAP access to authorized clients only
- Deploy intrusion detection/prevention systems to monitor for crash attempts and block malicious traffic
🔍 How to Verify
Check if Vulnerable:
Check the slapi-nis package version with 'rpm -q slapi-nis' or 'dnf list installed slapi-nis'. If the version is earlier than 0.56.7, the system is vulnerable.
Check Version:
rpm -q slapi-nis
Verify Fix Applied:
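Verify slapi-nis version is 0.56.7 or later with 'rpm -q slapi-nis'. Note that 'rpm -q slapi-nis | grep 0.56.7' matches only the 0.56.7 release itself and prints nothing when a later version is installed. Test directory server functionality after restart.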
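A version-aware form of this check, as an added example that is not part of the original advisory: it parses the 'rpm -q slapi-nis' output and compares the upstream version against 0.56.7 using GNU 'sort -V'. The function names and the sample package strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a slapi-nis package string against the fixed version.
# Assumption: the fix is identified by upstream version alone. A distribution
# may backport the fix under an older version; check the vendor advisory then.
FIXED_VERSION="0.56.7"   # patch version stated on this page

# Extract the upstream version from an rpm string of the form
# name-version-release.arch, e.g. slapi-nis-0.56.7-1.fc34.x86_64.
nvra_version() {
    v=${1#slapi-nis-}            # drop the package name prefix
    printf '%s\n' "${v%%-*}"     # drop "-release.arch"
}

# Succeed when version $1 >= version $2 (version-aware, so 0.56.10 > 0.56.7).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Print "patched", "vulnerable" or "unknown" for one rpm -q output line.
classify_slapi_nis() {
    case $1 in
        slapi-nis-[0-9]*) ;;
        *) echo unknown; return 0 ;;   # e.g. "package slapi-nis is not installed"
    esac
    if version_ge "$(nvra_version "$1")" "$FIXED_VERSION"; then
        echo patched
    else
        echo vulnerable
    fi
}

# Classify the package installed on this host, if rpm is present.
check_installed() {
    if ! command -v rpm >/dev/null 2>&1; then
        echo unknown
        return 0
    fi
    classify_slapi_nis "$(rpm -q slapi-nis 2>/dev/null)"
}

# Constructed sample strings, followed by the live result for this host.
for sample in slapi-nis-0.56.5-4.el8.x86_64 slapi-nis-0.56.7-1.fc34.x86_64 \
              slapi-nis-0.56.10-1.fc40.x86_64; do
    printf '%s: %s\n' "$sample" "$(classify_slapi_nis "$sample")"
done
printf 'installed: %s\n' "$(check_installed)"
```

A result of "unknown" means rpm is unavailable or slapi-nis is not installed, so it should not be read as "patched".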
📡 Detection & Monitoring
Log Indicators:
- Directory server crash logs
- Segmentation fault errors in system logs
- Unexpected service restarts
- LDAP connection failures following crash
Network Indicators:
- Multiple LDAP connections causing crashes
- Unusual LDAP request patterns from single sources
- Traffic spikes to LDAP ports followed by service unavailability
SIEM Query:
source="directory-server.log" AND ("segmentation fault" OR "NULL pointer" OR "crash" OR "abort")
🔗 References
- https://bugzilla.redhat.com/show_bug.cgi?id=1944640
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GVQCDRQRFHXVR3Z3FQYM3UMC7QZUDDRJ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MXMOMPTZTGOVFOZUUNXHOVCAYIPST74W/