CVE-2021-4091
📋 TL;DR
CVE-2021-4091 is a double-free in 389-ds-base: the server frees the virtual-attribute context of a persistent search twice. A client able to run searches against the server can send a series of crafted search requests that trips the double free and crashes ns-slapd, taking the whole directory offline (denial of service). Red Hat Directory Server and FreeIPA are built on 389-ds-base, so those deployments are affected as well. Persistent search is a standard LDAP control that 389-ds supports out of the box, so exposure does not depend on an opt-in feature.
💻 Affected Systems
- 389 Directory Server
- Red Hat Directory Server
- FreeIPA
📦 What is this software?
389-ds-base by port389 (the upstream project; Red Hat Directory Server and FreeIPA ship it)
Red Hat Enterprise Linux variants listed as affected:
- Enterprise Linux for IBM Z Systems
- Enterprise Linux for Power, big endian
- Enterprise Linux for Power, little endian
⚠️ Risk & Real-World Impact
Worst Case
Complete directory service outage through denial of service, potentially disrupting authentication, authorization, and other LDAP-dependent services across the organization.
Likely Case
Directory server crash requiring manual restart, causing temporary authentication and directory service disruption.
If Mitigated
Reduced exposure with network segmentation, rate limiting, and monitoring that can detect and block attack attempts. Note that these controls only shrink the set of clients that can reach the server; any client still allowed to search can trigger the crash, and only the patch removes the double free.
🎯 Exploit Status
Exploitation requires LDAP access to the server and knowledge of persistent search operations. The trigger is a sequence of search requests, so an ordinary LDAP client with access to the directory is the only prerequisite. No public exploit code has been identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 389-ds-base-1.4.4.13, 389-ds-base-2.0.15, or 389-ds-base-2.1.2 and later (upstream numbering; distribution packages often carry the fix as a backport under an older version string, so confirm against your vendor's errata for this CVE)
Vendor Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=2030307
Restart Required: Yes
Instructions:
1. Update the 389-ds-base package with your distribution's package manager.
2. RHEL/CentOS: yum update 389-ds-base (dnf update 389-ds-base on RHEL 8 and later).
3. Debian/Ubuntu: apt update && apt upgrade 389-ds-base
4. Restart the directory server: systemctl restart dirsrv@instance-name (or dsctl instance-name restart; on FreeIPA, ipactl restart restarts the whole stack).
🔧 Temporary Workarounds
Disable Persistent Searches
Temporarily disable persistent search functionality to prevent exploitation while patching. Check first that your build actually exposes this switch (an ldapsearch as Directory Manager against the entry below will show whether the attribute is present); if it is absent, treat this workaround as unavailable and rely on patching and network controls. Be aware that applications that subscribe to directory changes with the persistent search control will stop receiving updates while it is off.
Modify cn=config,cn=ldbm database,cn=plugins,cn=config to set nsslapd-psearch-enabled: off
Restart the directory server: systemctl restart dirsrv@instance-name
Network Access Control
Restrict LDAP and LDAPS access to trusted networks and add firewall rules to limit connection sources. Keep loopback, replication partners, and every legitimate client (on FreeIPA, all enrolled hosts) in the allowed set. iptables evaluates rules in order, so the ACCEPT must come before the DROP; if an earlier rule in the chain already accepts the traffic, insert these with -I instead of appending with -A.
iptables -A INPUT -p tcp -m multiport --dports 389,636 -s 10.0.0.0/24 -j ACCEPT   # replace 10.0.0.0/24 with your trusted range
iptables -A INPUT -p tcp -m multiport --dports 389,636 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to limit LDAP access to only required systems
- Deploy rate limiting and connection throttling in front of LDAP services (389-ds's own per-connection limits such as nsslapd-maxthreadsperconn in cn=config bound concurrency but do not stop a permitted client from sending the triggering sequence of searches)
🔍 How to Verify
Check if Vulnerable:
Check the installed 389-ds-base version: rpm -q 389-ds-base on RPM systems, or dpkg-query -W -f='${Version}\n' 389-ds-base on Debian/Ubuntu. Compare against the patched versions above, remembering that a distribution backport can carry the fix under an older version string; in that case check the package changelog (rpm -q --changelog 389-ds-base | grep -i CVE-2021-4091) or the vendor errata.
Check Version:
rpm -q 389-ds-base 2>/dev/null || dpkg-query -W -f='${Version}\n' 389-ds-base
Verify Fix Applied:
Confirm that the updated version is installed, that the instance was restarted after the update (systemctl status dirsrv@instance-name), and that ns-slapd stays up under normal search load, including clients that use persistent search. A crash would show up in the journal and in coredumpctl list ns-slapd.
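The comparison above can be scripted. The following is an added example, not tooling from the page, from 389-ds or from any vendor: a POSIX shell checker that pulls the upstream version out of an rpm or dpkg package string and compares it, per branch, with the fixed versions listed on this page. The branch minimums are the page's; treating 1.4.3 and older as "not covered" (so that you consult vendor errata for backports) and treating every branch after 2.1 as fixed are my assumptions.

```shell
#!/bin/sh
# Added example: classify a 389-ds-base package version against the fixed
# versions this page lists for CVE-2021-4091. Not part of 389-ds or any vendor tooling.

# Branch minimums as stated on this page (assumption: upstream releases only;
# distro backports such as a 1.4.3.x package may carry the fix under an old number).
FIXED_1_4_4="1.4.4.13"
FIXED_2_0="2.0.15"
FIXED_2_1="2.1.2"

# ds_upstream_version STRING: strip package name, epoch and release,
# e.g. "389-ds-base-1.4.4.11-2.el8" -> 1.4.4.11, "1:2.1.1-1" -> 2.1.1
ds_upstream_version() {
    printf '%s\n' "$1" | sed -E 's/^389-ds-base-//; s/^[0-9]+://; s/-.*$//'
}

# version_ge A B: true when A >= B in natural version order (sort -V)
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# ds_fixed STRING: exit 0 = carries the fix, 1 = vulnerable, 2 = branch not covered
ds_fixed() {
    v=$(ds_upstream_version "$1")
    case "$v" in
        1.4.4.*) version_ge "$v" "$FIXED_1_4_4" ;;
        2.0.*)   version_ge "$v" "$FIXED_2_0" ;;
        2.1.*)   version_ge "$v" "$FIXED_2_1" ;;
        2.*|[3-9]*|[1-9][0-9]*) return 0 ;;   # branches released after the fix (assumption)
        *)       return 2 ;;                  # 1.4.3 and older: check vendor errata
    esac
}

# report STRING: human-readable verdict, exit status as ds_fixed
report() {
    rc=0
    ds_fixed "$1" || rc=$?
    case $rc in
        0) echo "$1: fixed" ;;
        1) echo "$1: VULNERABLE, update 389-ds-base" ;;
        *) echo "$1: branch not in the upstream list, check vendor errata" ;;
    esac
    return $rc
}

# check_installed: query the local package database (rpm first, then dpkg)
check_installed() {
    if command -v rpm >/dev/null 2>&1 && pkg=$(rpm -q 389-ds-base 2>/dev/null); then
        report "$pkg"
    elif command -v dpkg-query >/dev/null 2>&1 && \
         pkg=$(dpkg-query -W -f='${Version}' 389-ds-base 2>/dev/null); then
        report "$pkg"
    else
        echo "389-ds-base not found in the rpm or dpkg database"
        return 2
    fi
}

# Usage: ./check.sh --installed      (query this host)
#        ./check.sh 389-ds-base-1.4.4.11-2.el8 2.0.15-1   (classify given strings)
if [ "${1:-}" = "--installed" ]; then
    check_installed
elif [ $# -gt 0 ]; then
    for p in "$@"; do report "$p"; done
fi
```

The exit status (0 fixed, 1 vulnerable, 2 unknown) is meant for use from a configuration-management or inventory job; the "unknown" verdict is deliberate so that backported packages are not silently reported as vulnerable or as fixed.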
📡 Detection & Monitoring
Log Indicators:
- Multiple persistent search requests from single source
- ns-slapd aborts recorded in the system journal or coredumpctl, typically a SIGSEGV or a glibc abort such as "double free or corruption" or "free(): double free detected" (389-ds's own errors log rarely records the crash itself)
- Abnormal termination of ns-slapd process
Network Indicators:
- High volume of LDAP search requests to port 389/636
- Pattern of persistent search operations from unusual sources (visible on the wire only for cleartext LDAP on 389; for LDAPS on 636 rely on the server's access log, which records the control as options=persistent on the SRCH line)
SIEM Query (field names depend on how your collector parses the 389-ds access log and the journal):
sourcetype=dirsrv_access "SRCH" "options=persistent" | stats count by src_ip | where count > 20
sourcetype=journald process=ns-slapd ("segfault" OR "double free or corruption" OR "free(): double free detected" OR "core dumped")
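The first indicator, many persistent searches from one source, can be checked directly against the access log. The following is an added example, not from the page or from 389-ds: a shell/awk script that attributes each persistent search (a SRCH line carrying options=persistent, the format ns-slapd writes) to the client IP that opened the connection, and reports sources at or above a threshold. The sample log lines are constructed for the example; the default threshold of 5 and the log path in the usage line are assumptions.

```shell
#!/bin/sh
# Added example: count persistent searches per client IP in a 389-ds access log.
# Lines of interest, in the format ns-slapd writes:
#   [...] conn=12 fd=64 slot=64 connection from 10.0.0.5 to 10.0.0.1
#   [...] conn=12 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(objectClass=*)" attrs=ALL options=persistent
# The connection id ties the SRCH back to the client address. Connection ids are
# reused after a restart, so run this over one server lifetime (or one log file).

# psearch_by_source LOGFILE [THRESHOLD]: print "ip count" for sources with
# at least THRESHOLD persistent searches (default 5), busiest first.
psearch_by_source() {
    awk -v threshold="${2:-5}" '
        # remember which client address owns each connection id
        /connection from/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^conn=/) conn = $i
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            owner[conn] = ip
            next
        }
        # every search that carries the persistent-search control
        / SRCH / && /options=persistent/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^conn=/) conn = $i
            ip = (conn in owner) ? owner[conn] : "unknown"
            count[ip]++
        }
        END {
            for (ip in count) if (count[ip] >= threshold) print ip, count[ip]
        }' "$1" | sort -k2,2nr
}

# write_sample_access_log PATH: constructed sample, not a real capture.
# 10.0.0.5 opens two connections and issues four persistent searches in total;
# 10.0.0.9 issues one ordinary search and one persistent search.
write_sample_access_log() {
    cat > "$1" <<'EOF'
[21/Dec/2021:10:15:01.100000000 +0000] conn=12 fd=64 slot=64 connection from 10.0.0.5 to 10.0.0.1
[21/Dec/2021:10:15:01.200000000 +0000] conn=12 op=0 BIND dn="uid=bob,ou=people,dc=example,dc=com" method=128 version=3
[21/Dec/2021:10:15:01.300000000 +0000] conn=12 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(objectClass=*)" attrs=ALL options=persistent
[21/Dec/2021:10:15:01.400000000 +0000] conn=12 op=2 SRCH base="dc=example,dc=com" scope=2 filter="(objectClass=*)" attrs=ALL options=persistent
[21/Dec/2021:10:15:01.500000000 +0000] conn=12 op=3 SRCH base="dc=example,dc=com" scope=2 filter="(objectClass=*)" attrs=ALL options=persistent
[21/Dec/2021:10:15:02.100000000 +0000] conn=13 fd=65 slot=65 connection from 10.0.0.9 to 10.0.0.1
[21/Dec/2021:10:15:02.200000000 +0000] conn=13 op=0 SRCH base="ou=people,dc=example,dc=com" scope=1 filter="(uid=alice)" attrs="cn mail"
[21/Dec/2021:10:15:02.300000000 +0000] conn=13 op=1 SRCH base="ou=groups,dc=example,dc=com" scope=2 filter="(objectClass=groupOfNames)" attrs=ALL options=persistent
[21/Dec/2021:10:15:03.100000000 +0000] conn=14 fd=66 slot=66 connection from 10.0.0.5 to 10.0.0.1
[21/Dec/2021:10:15:03.200000000 +0000] conn=14 op=0 SRCH base="dc=example,dc=com" scope=2 filter="(objectClass=*)" attrs=ALL options=persistent
EOF
}

# Usage on a real server (path and threshold are assumptions):
#   ./psearch.sh /var/log/dirsrv/slapd-example/access 20
if [ $# -gt 0 ]; then
    psearch_by_source "$1" "${2:-5}"
fi
```

Run it over the access log of the instance (access logging is on by default in 389-ds) rather than the errors log; the errors log does not record individual searches. A legitimate subscriber such as a replication consumer or an application that tracks changes will keep a small, steady number of persistent searches open, whereas a client opening many in a short window from one address is what the indicator describes.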
🔗 References
- https://bugzilla.redhat.com/show_bug.cgi?id=2030307
- https://lists.debian.org/debian-lts-announce/2023/04/msg00026.html
- https://lists.debian.org/debian-lts-announce/2025/01/msg00015.html