CVE-2022-0918
📋 TL;DR
CVE-2022-0918 is a high-severity (NVD CVSS 3.1 base score 7.5; Red Hat impact rating Important) denial-of-service vulnerability in 389 Directory Server. An unauthenticated attacker who can reach the LDAP port can crash the directory server process (ns-slapd) by sending a single crafted message over a TCP connection; no bind or other authentication is required, so the attack works remotely for anyone with network access to the port. Every deployment running a vulnerable 389-ds-base build with its LDAP ports reachable by untrusted clients is affected.
💻 Affected Systems
- 389 Directory Server (upstream 389-ds-base)
- Red Hat Directory Server (built from 389-ds-base)
- Fedora Directory Server (the project's former name; Fedora 389-ds-base packages)
📦 What is this software?
389-ds-base, the core package of 389 Directory Server, an open-source LDAP server maintained by the 389ds project (CPE vendor name port389). It underlies Red Hat Directory Server and is the LDAP backend of FreeIPA, so many authentication and identity flows depend on it staying up.
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of LDAP directory services, disrupting authentication, authorization, and directory lookups for all dependent systems and applications.
Likely Case
Service disruption causing authentication failures and application outages until the instance is restarted. Because the crash is repeatable at will, an attacker can knock the server down again as fast as it comes back, turning a brief outage into a sustained one.
If Mitigated
Exposure is limited to hosts that can reach the LDAP ports. With source allowlisting in place, only a compromised or misbehaving trusted client can trigger the crash.
🎯 Exploit Status
Per the vendor description, triggering the crash takes a single crafted LDAP message sent over a TCP connection to the LDAP port; no bind, no authentication and no special tooling are needed. Exploitation is therefore trivial for anyone who can open a TCP connection to the service.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 389-ds-base-1.4.3.29, 389-ds-base-2.0.11-4, or 389-ds-base-2.1.3-5 and later (upstream/Fedora numbering; RHEL, Debian and other distributions backport the fix under their own version strings, so check the version named in your distribution's advisory)
Vendor Advisory: https://access.redhat.com/security/cve/CVE-2022-0918
Restart Required: Yes
Instructions:
1. Update the 389-ds-base package with your distribution's package manager. The fixed version differs per distribution, so compare against your vendor's advisory rather than the upstream numbers above.
2. RHEL/CentOS Stream/Fedora: 'dnf update 389-ds-base' ('yum update 389-ds-base' on older releases).
3. Debian/Ubuntu: 'apt update && apt install --only-upgrade 389-ds-base'.
4. Restart every instance; each one runs as its own systemd unit: 'systemctl restart dirsrv@<instance>' (list them with 'systemctl list-units "dirsrv@*"'), or equivalently 'dsctl <instance> restart'.
5. Confirm each instance is up and answering: 'systemctl status dirsrv@<instance>', then an anonymous rootDSE read such as 'ldapsearch -x -H ldap://localhost -b "" -s base vendorVersion'.
🔧 Temporary Workarounds
Network Access Control
Restrict access to the LDAP ports (389 and 636, plus any non-standard port an instance listens on) with firewall rules that admit only trusted sources: clients, replication peers and monitoring. Replace <trusted_cidr> below with your own range and repeat the ACCEPT rule per range; order matters, so make sure these rules precede any broader ACCEPT for the same ports.
iptables -A INPUT -p tcp -m multiport --dports 389,636 -s <trusted_cidr> -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 389,636 -j DROP
Load Balancer Protection
Where directory servers sit behind a load balancer or other network device, terminate client connections there and enforce the same source allowlist at that layer. A plain TCP load balancer cannot tell the crashing message from legitimate traffic, so rely on restricting who can connect rather than on content filtering.
🧯 If You Can't Patch
- Implement strict network segmentation and firewall rules to limit LDAP port access to essential systems only.
- Deploy a network IPS with LDAP protocol awareness if your vendor ships a signature for this CVE, and alert on crash indicators (see Detection & Monitoring). A web application firewall does not see LDAP traffic and offers no protection here.
🔍 How to Verify
Check if Vulnerable:
Check the installed 389-ds-base version with 'rpm -q 389-ds-base' or 'dpkg -l 389-ds-base'. If it is below the fixed version for your distribution, the system is vulnerable. Because distributions backport fixes, a version that looks older than the upstream numbers above may still be fixed; on RPM systems 'rpm -q --changelog 389-ds-base | grep CVE-2022-0918' and on Debian 'zcat /usr/share/doc/389-ds-base/changelog.Debian.gz | grep CVE-2022-0918' settle the question.
Check Version:
rpm -q 389-ds-base 2>/dev/null || dpkg-query -W 389-ds-base
Verify Fix Applied:
After updating, 'rpm -q 389-ds-base' (or 'dpkg-query -W 389-ds-base') should show the fixed version from your distribution's advisory. Restart every dirsrv@<instance> unit, since the old binary keeps running until then, and confirm the service answers an anonymous rootDSE query ('ldapsearch -x -H ldap://localhost -b "" -s base vendorVersion').
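To make the version check repeatable across a fleet, here is an added example (written for this page, not tooling from the 389 DS project) that reads the installed 389-ds-base EVR from rpm or dpkg and compares it with the fixed versions listed in the Official Fix section, using a Python rendition of rpm's version-segment comparison. Assumptions: the FIXED table carries exactly the three upstream/Fedora versions named above, so on a distribution that backports the fix (RHEL, Debian) you must replace those entries with the versions from your vendor's advisory; rpmvercmp() implements rpm's numeric, alphabetic and '~' rules but not its newer '^' operator; Debian-format version strings are better compared with 'dpkg --compare-versions'.

```python
"""Compare the installed 389-ds-base version with the fixed versions this
advisory lists. Added example for this page, not tooling from the 389 DS
project. rpmvercmp() mirrors rpm's segment comparison (numeric, alphabetic,
'~' pre-release; rpm's '^' is not implemented), which fits Fedora/RHEL
version strings; for Debian-format versions prefer `dpkg --compare-versions`.
Assumption: FIXED holds the three upstream/Fedora versions from the Official
Fix section. RHEL and Debian backport the fix under different version
strings, so replace FIXED with the versions from your vendor's advisory."""
import re
import shutil
import subprocess

PKG = "389-ds-base"
# branch prefix -> first fixed EVR (taken from this page; adjust per distribution)
FIXED = {"1.4.3": "1.4.3.29", "2.0": "2.0.11-4", "2.1": "2.1.3-5"}
_TOKEN = re.compile(r"[0-9]+|[A-Za-z]+")


def _is_token_char(c):
    return c == "~" or (c.isascii() and c.isalnum())


def rpmvercmp(a, b):
    """Return -1, 0 or 1 like rpm's rpmvercmp(): walk alternating numeric and
    alphabetic segments; numerics compare by value and outrank alphabetics;
    '~' sorts before anything, including end of string; other punctuation
    only separates segments."""
    if a == b:
        return 0
    i = j = 0
    while True:
        while i < len(a) and not _is_token_char(a[i]):
            i += 1
        while j < len(b) and not _is_token_char(b[j]):
            j += 1
        ta, tb = a[i:i + 1] == "~", b[j:j + 1] == "~"
        if ta or tb:
            if not ta:
                return 1
            if not tb:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        ma, mb = _TOKEN.match(a, i), _TOKEN.match(b, j)
        sa, sb = ma.group(), mb.group()
        numeric = sa[0].isdigit()
        if numeric != sb[0].isdigit():
            return 1 if numeric else -1
        i, j = ma.end(), mb.end()
        if numeric:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def split_evr(evr):
    """Split 'epoch:version-release'; epoch and release are optional.
    rpm prints '(none)' for an unset epoch, which counts as 0."""
    epoch, version, release = 0, evr, ""
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e) if e.isdigit() else 0
    if "-" in version:
        version, release = version.rsplit("-", 1)
    return epoch, version, release


def evr_cmp(a, b):
    (ea, va, ra), (eb, vb, rb) = split_evr(a), split_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    c = rpmvercmp(va, vb)
    if c or not (ra and rb):  # release only decides when both sides carry one
        return c
    return rpmvercmp(ra, rb)


def branch_of(version):
    for key in sorted(FIXED, key=len, reverse=True):
        if version == key or version.startswith(key + "."):
            return key
    return None


def assess(evr):
    """'vulnerable', 'fixed', or 'unknown' when the branch is not in FIXED."""
    branch = branch_of(split_evr(evr)[1])
    if branch is None:
        return "unknown"
    return "fixed" if evr_cmp(evr, FIXED[branch]) >= 0 else "vulnerable"


def installed_evr():
    """Ask rpm or dpkg for the installed EVR; None if the package is absent."""
    if shutil.which("rpm"):
        cmd = ["rpm", "-q", "--qf", "%{EPOCH}:%{VERSION}-%{RELEASE}\n", PKG]
    elif shutil.which("dpkg-query"):
        cmd = ["dpkg-query", "-W", "-f=${Version}\n", PKG]
    else:
        return None
    r = subprocess.run(cmd, capture_output=True, text=True)
    return r.stdout.strip() if r.returncode == 0 else None


if __name__ == "__main__":
    evr = installed_evr()
    print(f"{PKG} {evr}: {assess(evr)}" if evr else f"{PKG} is not installed")
```

An "unknown" result means the installed build is on a branch this page does not list (for example a Debian 1.4.4.x package); treat it as unresolved and consult the distribution advisory rather than assuming it is fixed.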
📡 Detection & Monitoring
Log Indicators:
- Kernel segfault records for the directory server process, which is named ns-slapd (not slapd): 'ns-slapd[<pid>]: segfault at ...' in the journal or kernel log
- systemd reporting the instance killed by SIGSEGV: 'dirsrv@<instance>.service: Main process exited, code=killed, status=11/SEGV' followed by "Failed with result 'signal'"
- Unexpected restarts of dirsrv@<instance> units, especially repeated ones within minutes
Network Indicators:
- A new connection to the LDAP port immediately before the outage that sends one message and never binds; in the 389 DS access log (/var/log/dirsrv/slapd-<instance>/access) this shows as a 'connection from <src>' line with no op lines after it before the crash
- Connections to ports 389/636 from sources outside the expected client, replication and monitoring ranges
SIEM Query:
Crash events (Splunk-style pseudo-syntax; map field names to your schema): sourcetype=syslog ("dirsrv@" "status=11/SEGV") OR ("ns-slapd" "segfault")
LDAP clients outside the allowlist: (dest_port=389 OR dest_port=636) NOT src_ip IN (<trusted ranges>) | stats count by src_ip, dest_ip
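The two indicator lists above only pay off when they are joined: the journal says when ns-slapd died, the access log says who had just connected. Here is an added example (written for this page, not code from the 389 DS project) that does that join over constructed sample logs in the formats systemd, the kernel and the 389 DS access log actually emit; host names, IP addresses, PIDs and memory addresses are made up, and the 10-second correlation window is a choice for this example. It flags connections opened just before each crash that never logged an operation, which is what a no-bind crash looks like from the server side, and it handles the fact that 389 DS restarts its conn counter at 1 whenever the instance comes back.

```python
"""Correlate ns-slapd crashes recorded by systemd with the 389 DS access log.

Added example for this advisory; not code from the 389 DS project. The log
excerpts are constructed samples in the formats systemd, the kernel and the
389 DS access log actually use; host names, IPs, PIDs and addresses are made
up. The 10-second window and the field names are choices for this example."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed journalctl output (short format, no year). One instance crashes,
# an operator restarts it, and it crashes again a minute later.
JOURNAL = """\
Mar 10 12:01:44 ldap1 kernel: ns-slapd[2231]: segfault at 0 ip 00007f3c1a2b3c4d sp 00007f3c0cffe6a0 error 4 in libslapd.so.0.1.0[7f3c1a200000+1a0000]
Mar 10 12:01:44 ldap1 systemd[1]: dirsrv@ldap1.service: Main process exited, code=killed, status=11/SEGV
Mar 10 12:01:44 ldap1 systemd[1]: dirsrv@ldap1.service: Failed with result 'signal'.
Mar 10 12:01:58 ldap1 systemd[1]: Starting 389 Directory Server ldap1....
Mar 10 12:01:59 ldap1 systemd[1]: Started 389 Directory Server ldap1..
Mar 10 12:02:31 ldap1 systemd[1]: dirsrv@ldap1.service: Main process exited, code=killed, status=11/SEGV
Mar 10 12:02:31 ldap1 systemd[1]: dirsrv@ldap1.service: Failed with result 'signal'.
"""

# Constructed /var/log/dirsrv/slapd-ldap1/access excerpt. conn=41 is a normal
# client that binds and searches; conn=42 connects and logs nothing else before
# the crash. Connection numbers restart from 1 after the server comes back.
ACCESS_LOG = """\
[10/Mar/2022:12:01:20.101000000 +0000] conn=41 fd=64 slot=64 connection from 10.0.0.21 to 10.0.0.5
[10/Mar/2022:12:01:20.102000000 +0000] conn=41 op=0 BIND dn="uid=app,ou=svc,dc=example,dc=com" method=128 version=3
[10/Mar/2022:12:01:20.104000000 +0000] conn=41 op=0 RESULT err=0 tag=97 nentries=0 wtime=0.000102 optime=0.000411 etime=0.000511
[10/Mar/2022:12:01:20.105000000 +0000] conn=41 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=alice)" attrs="mail"
[10/Mar/2022:12:01:20.106000000 +0000] conn=41 op=1 RESULT err=0 tag=101 nentries=1 wtime=0.000054 optime=0.000758 etime=0.000812
[10/Mar/2022:12:01:43.912000000 +0000] conn=42 fd=65 slot=65 connection from 203.0.113.7 to 10.0.0.5
[10/Mar/2022:12:02:30.207000000 +0000] conn=1 fd=64 slot=64 connection from 203.0.113.7 to 10.0.0.5
"""

SEGV_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ systemd\[1\]: "
    r"(?P<unit>dirsrv@[^\s:]+\.service): Main process exited, code=killed, status=11/SEGV")
CONN_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) fd=\d+ slot=\d+ (?:SSL )?connection from (?P<src>\S+) to \S+")
OP_RE = re.compile(r"^\[[^\]]+\] conn=(?P<conn>\d+) op=(?P<op>\d+) ")


def parse_journal_ts(ts, year):
    # journalctl's short format carries no year; the caller supplies it. Sample is UTC.
    stamp = " ".join(ts.split())
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_access_ts(ts):
    # 389 DS stamps with nanoseconds ("12:01:43.912000000 +0000"); drop the fraction.
    stamp, tz = ts.split(" ")
    return datetime.strptime(f"{stamp.split('.')[0]} {tz}", "%d/%b/%Y:%H:%M:%S %z")


def find_crashes(journal, year):
    """(time, unit) for every SIGSEGV exit of a dirsrv@ unit."""
    return [(parse_journal_ts(m["ts"], year), m["unit"])
            for m in map(SEGV_RE.match, journal.splitlines()) if m]


def parse_access(access_log):
    """One record per 'connection from' line with the set of op numbers it logged.
    Ops are attributed to the most recent connection carrying that conn id,
    because ids restart at 1 whenever the instance restarts."""
    records, latest = [], {}
    for line in access_log.splitlines():
        m = CONN_RE.match(line)
        if m:
            rec = {"opened": parse_access_ts(m["ts"]), "conn": int(m["conn"]),
                   "src": m["src"], "ops": set()}
            records.append(rec)
            latest[rec["conn"]] = rec
            continue
        m = OP_RE.match(line)
        if m and int(m["conn"]) in latest:
            latest[int(m["conn"])]["ops"].add(int(m["op"]))
    return records


def suspects(records, crash_time, window=timedelta(seconds=10)):
    """(src, conn, ops logged) for connections opened within `window` before the
    crash. Zero ops means the server died before the client's first operation
    completed, which is the signature of a no-bind crash like this one."""
    return [(r["src"], r["conn"], len(r["ops"]))
            for r in records if crash_time - window <= r["opened"] <= crash_time]


def crash_report(journal, access_log, year):
    records = parse_access(access_log)
    return [{"unit": unit, "crashed_at": t, "suspects": suspects(records, t)}
            for t, unit in find_crashes(journal, year)]


def top_sources(report):
    """Source addresses ranked by how many crashes they preceded."""
    return Counter(src for e in report for src, _, _ in e["suspects"]).most_common()


if __name__ == "__main__":
    report = crash_report(JOURNAL, ACCESS_LOG, year=2022)
    for entry in report:
        print(entry["unit"], "crashed at", entry["crashed_at"].isoformat())
        for src, conn, ops in entry["suspects"]:
            print(f"  conn={conn} from {src}: {ops} ops logged before the crash")
    print("sources seen before crashes:", top_sources(report))
```

On a real host feed it 'journalctl -u "dirsrv@*" --no-pager' and the instance's access log; a source that shows up before more than one crash with zero logged operations is the address to block at the firewall while the patch is rolled out.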
🔗 References
- https://access.redhat.com/security/cve/CVE-2022-0918
- https://bugzilla.redhat.com/show_bug.cgi?id=2055815
- https://github.com/389ds/389-ds-base/issues/5242
- https://lists.debian.org/debian-lts-announce/2023/04/msg00026.html
- https://lists.debian.org/debian-lts-announce/2025/01/msg00015.html