CVE-2022-29155
📋 TL;DR
This CVE describes a SQL injection vulnerability in OpenLDAP's experimental back-sql backend, the slapd backend that maps an LDAP tree onto tables in a relational database over ODBC. Values taken from an LDAP search filter are placed into the SQL that back-sql generates without proper escaping, so any client that can issue a search against a back-sql suffix can run arbitrary SQL under the backend's database account. Only deployments that actually configure back-sql are affected; the default backends (mdb, and the older hdb/bdb) are not.
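As an added illustration, not code from OpenLDAP or from the ITS#9815 patch, the following Python models how a filter value reaches the SQL that a back-sql-style translator generates, first without escaping and then with quote-doubling. The table, column names and the single-attribute mapping are constructed for this example; OpenLDAP's real back-sql schema and its SQL generation are considerably more involved, but the class of bug is the same: the attacker controls the value, and an unescaped single quote ends the SQL string literal.

```python
import sqlite3

# Constructed stand-in for a back-sql mapping: one relational table holding
# entries, with the LDAP attribute 'cn' mapped onto the column of the same
# name. Table and column names are assumptions for this example.
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE persons (id INTEGER PRIMARY KEY, cn TEXT, userPassword TEXT);
        INSERT INTO persons VALUES (1, 'alice', 'secret-a');
        INSERT INTO persons VALUES (2, 'bob',   'secret-b');
    """)
    return db

# Mapped attributes the toy translator accepts. The column name always comes
# from this table, never from the client, so only the *value* is attacker-controlled.
ATTR_TO_COLUMN = {"cn": "cn"}

def parse_equality_filter(ldap_filter):
    """Split a simple '(attr=value)' filter into (column, value).
    RFC 4515 escape sequences are not handled; this is just enough parsing
    to show where the value ends up."""
    if not (ldap_filter.startswith("(") and ldap_filter.endswith(")")):
        raise ValueError("expected a parenthesised equality filter")
    attr, sep, value = ldap_filter[1:-1].partition("=")
    if not sep or attr not in ATTR_TO_COLUMN:
        raise ValueError("unsupported attribute or filter")
    return ATTR_TO_COLUMN[attr], value

def sql_vulnerable(ldap_filter):
    """Pre-fix behaviour: the filter value is interpolated into the WHERE
    clause as-is, so a single quote in the value closes the SQL literal."""
    column, value = parse_equality_filter(ldap_filter)
    return f"SELECT id, cn FROM persons WHERE {column}='{value}'"

def sql_fixed(ldap_filter):
    """Post-fix behaviour: quote-doubling ('' for ') keeps the whole value
    inside the literal, which is the standard SQL escaping for string
    literals and the kind of escaping the upstream fix added."""
    column, value = parse_equality_filter(ldap_filter)
    escaped = value.replace("'", "''")
    return f"SELECT id, cn FROM persons WHERE {column}='{escaped}'"

def run_search(db, sql):
    """Execute the generated statement and return the rows as a list."""
    return db.execute(sql).fetchall()

# A constructed hostile filter: the value breaks out of the literal, UNIONs in
# a column the client was never meant to read, and the trailing "--" comments
# out the closing quote the translator appends.
INJECTED_FILTER = "(cn=x' UNION SELECT id, userPassword FROM persons --)"

if __name__ == "__main__":
    db = build_db()
    print(sql_vulnerable(INJECTED_FILTER))
    print(run_search(db, sql_vulnerable(INJECTED_FILTER)))  # leaks userPassword
    print(run_search(db, sql_fixed(INJECTED_FILTER)))       # matches nothing
```

The hardened translator still builds SQL by string concatenation; parameterised statements would be the better design, but quote-doubling is enough to show why the unescaped version is exploitable and the escaped one is not.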
💻 Affected Systems
- OpenLDAP
📦 What is this software?
OpenLDAP (vendor: the OpenLDAP Project) is an open-source LDAP directory server (slapd). back-sql is its experimental backend that presents rows from a relational database, reached through ODBC, as an LDAP tree; it is not enabled in the default configuration.
⚠️ Risk & Real-World Impact
Worst Case
Full database compromise allowing data theft, modification, or deletion; potential privilege escalation to underlying database server; complete system takeover if database has elevated privileges.
Likely Case
Unauthorized data access and extraction from the SQL database backend; potential data manipulation or deletion in affected tables.
If Mitigated
Limited impact due to restricted database permissions; only data accessible to the OpenLDAP service account is exposed.
🎯 Exploit Status
SQL injection through LDAP search filters needs nothing beyond an ordinary LDAP client and some knowledge of the SQL schema behind the back-sql mapping, so it is straightforward for an attacker familiar with both LDAP and SQL. The issue is described publicly in the OpenLDAP ITS#9815 bug report linked below.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: OpenLDAP 2.5.12 (2.5.x series) or 2.6.2 (2.6.x series). The 2.4.x series is not maintained upstream; distributions still shipping it provide backported fixes (for example Debian DSA-5140, linked below), so for distribution packages go by the distro advisory rather than the upstream version number.
Vendor Advisory: https://bugs.openldap.org/show_bug.cgi?id=9815
Restart Required: Yes
Instructions:
1. Update OpenLDAP to version 2.5.12 or 2.6.2, or to the distribution package that carries the backported fix.
2. Stop the slapd service.
3. Install the updated packages.
4. Restart the slapd service.
5. Verify the version with 'slapd -VV' (the version banner is written to stderr).
🔧 Temporary Workarounds
Disable back-sql backend
Remove or disable the experimental back-sql backend if it is not required
Comment out or remove the `database sql` stanza in slapd.conf, or delete the corresponding `olcDatabase={n}sql` entry under cn=config (slapd.d), then restart slapd
Restrict LDAP search permissions
Limit which clients can perform LDAP search operations against the back-sql suffix
Configure access controls in slapd to restrict search operations, and require authenticated binds (`disallow bind_anon`) so anonymous clients cannot submit filters at all. Note that slapd evaluates ACLs on the entries a search returns, after back-sql has already run the generated SQL, so this only narrows who can reach the backend; it does not neutralise the injection for clients that are still allowed to search
🧯 If You Can't Patch
- Disable the experimental back-sql backend entirely
- Implement network segmentation to isolate OpenLDAP servers from untrusted networks
🔍 How to Verify
Check if Vulnerable:
Look for a configured back-sql database: `database sql` or `backend sql` in slapd.conf, an `olcDatabase: {n}sql` or `olcBackend: sql` entry under cn=config, or a `moduleload back_sql` / `olcModuleLoad: back_sql` line. If any is present and the OpenLDAP version is below 2.5.12 (2.5.x) or 2.6.2 (2.6.x), the server is vulnerable. For distribution packages the upstream version string stays the same after a backport, so compare the package version against the distro advisory instead.
Check Version:
slapd -VV 2>&1 | grep -i 'openldap' || ldapsearch -x -H ldap://localhost -b '' -s base '(objectClass=*)' vendorVersion 2>/dev/null
(`slapd -V` writes its banner to stderr and then continues with startup; `-VV` prints the banner and exits. The ldapsearch fallback only helps if the server advertises vendorVersion in its root DSE, which OpenLDAP does not do by default.)
Verify Fix Applied:
Verify OpenLDAP version is 2.5.12 or higher (2.5.x series) or 2.6.2 or higher (2.6.x series), or that the installed distribution package is at or above the version named in the distro advisory.
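The following Python is an added example, not part of this page or of OpenLDAP, that performs the two checks above offline: it parses the banner that `slapd -VV` prints and tests a slapd.conf or slapd.d/cn=config fragment for a configured back-sql database. The fixed-version thresholds are the upstream release numbers; the config paths in the `__main__` block are assumptions (Debian and Red Hat layouts), and a distribution package with a backported fix will still be reported as vulnerable here, so treat that verdict as "check the distro advisory".

```python
import re

# Upstream releases carrying the fix, per series. 2.4 and earlier have no
# upstream fix (end of life), so they are never considered fixed here.
FIXED_IN = {(2, 5): (2, 5, 12), (2, 6): (2, 6, 2)}

# Matches the banner slapd prints, e.g.
#   @(#) $OpenLDAP: slapd 2.5.11 (Apr  1 2022 12:00:00) $
# Debian-style suffixes such as "2.4.57+dfsg-3+deb11u1" still yield 2.4.57.
VERSION_RE = re.compile(r"OpenLDAP: slapd\s+(\d+)\.(\d+)\.(\d+)")

# Any of these lines means back-sql is loaded or configured. Covers slapd.conf
# directives and their cn=config (olc*) equivalents, with optional {n} ordering.
BACKSQL_RE = re.compile(
    r"^\s*(?:backend|database)\s+sql\b"
    r"|^\s*moduleload\s+\S*back_sql"
    r"|^olc(?:Database|Backend):\s*(?:\{\d+\})?sql\b"
    r"|^olcModuleLoad:\s*\S*back_sql",
    re.IGNORECASE | re.MULTILINE,
)

def parse_slapd_version(banner):
    """Return (major, minor, patch) from a slapd -VV banner, or None."""
    m = VERSION_RE.search(banner)
    return tuple(int(x) for x in m.groups()) if m else None

def upstream_fixed(version):
    """True if this upstream version includes the ITS#9815 fix."""
    major, minor, _ = version
    if (major, minor) > (2, 6):
        return True            # every later series was cut after the fix
    fixed = FIXED_IN.get((major, minor))
    if fixed is None:
        return False           # 2.4.x and older: rely on distro backports
    return version >= fixed

def backsql_configured(config_text):
    """True if the config text enables or loads the back-sql backend."""
    return BACKSQL_RE.search(config_text) is not None

def is_vulnerable(banner, config_text):
    """Vulnerable only when back-sql is configured and the version is below
    the fix. An unparseable banner is treated conservatively as unfixed."""
    if not backsql_configured(config_text):
        return False
    version = parse_slapd_version(banner)
    return version is None or not upstream_fixed(version)

if __name__ == "__main__":
    import glob, subprocess
    try:
        proc = subprocess.run(["slapd", "-VV"], capture_output=True, text=True)
        banner = proc.stdout + proc.stderr   # the version line goes to stderr
    except FileNotFoundError:
        banner = ""
    # Assumed locations: Debian/Ubuntu (/etc/ldap) and RHEL/Fedora (/etc/openldap).
    paths = ["/etc/ldap/slapd.conf", "/etc/openldap/slapd.conf"]
    paths += glob.glob("/etc/ldap/slapd.d/cn=config/*.ldif")
    paths += glob.glob("/etc/openldap/slapd.d/cn=config/*.ldif")
    config = ""
    for path in paths:
        try:
            with open(path) as fh:
                config += fh.read() + "\n"
        except OSError:
            pass
    print("version:", parse_slapd_version(banner))
    print("back-sql configured:", backsql_configured(config))
    print("vulnerable (upstream numbering):", is_vulnerable(banner, config))
```

Run it as a user that can read slapd.d; on most distributions that directory is only readable by root or the openldap service account.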
📡 Detection & Monitoring
Log Indicators:
- Search filters whose values contain a single quote, an SQL comment introducer (`--`, `/*`) or SQL keywords (`UNION`, `SELECT`, `FROM`), visible in the `SRCH ... filter="..."` lines slapd writes when `loglevel stats` (256) is enabled
- Bursts of searches against the back-sql suffix that fail with server-side errors, especially when ODBC or database error messages appear in the slapd log at the same time
- Unexpected database errors or unusual queries in the backing database's own logs
Network Indicators:
- LDAP search requests containing SQL keywords or single quotes in filter values, which is only observable for cleartext LDAP on port 389; for LDAPS (636) or StartTLS sessions rely on the server-side log instead
- Unusual search volume from a single client towards port 389 or 636
SIEM Query:
source="openldap.log" AND "SRCH" AND "filter=" AND ("'" OR "--" OR " UNION " OR " SELECT " OR " FROM ")
(Requires `loglevel stats`; plain keyword matches such as "select" will also hit ordinary attribute values, so treat the presence of a single quote inside the filter as the primary signal and the keywords as supporting evidence.)
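The following Python is an added example, not from this page or from OpenLDAP, that applies the scoring described above to slapd `stats` log lines: a single quote inside a filter value is the signal that matters for this CVE, a comment introducer or statement terminator after it is close to certain, and SQL words on their own only add weight, so a description value containing the word "select" or a name like O'Brien is not raised on its own. The log lines are constructed for the example; slapd logs the normalised filter, so parentheses, asterisks and backslashes inside values appear as `\28`, `\29`, `\2a` and `\5c`.

```python
import re

# Matches the filter on a slapd "stats" (loglevel 256) search line, e.g.
#   conn=1002 op=2 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(cn=alice)"
# The filter is the last field, so a greedy match up to the final quote is safe
# even if the value itself contains a double quote.
SRCH_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH .*?filter="(?P<filter>.*)"$')

SQL_KEYWORD_RE = re.compile(r"\b(select|union|insert|update|delete|drop|from|where)\b", re.I)
SQL_COMMENT_RE = re.compile(r"--|/\*|;")

def score_filter(flt):
    """Return (score, reasons) for one LDAP filter string."""
    score, reasons = 0, []
    if "'" in flt:
        score += 2
        reasons.append("single quote in filter value")
        if SQL_COMMENT_RE.search(flt):
            score += 2
            reasons.append("SQL comment or terminator after quote")
    keywords = sorted({k.lower() for k in SQL_KEYWORD_RE.findall(flt)})
    if keywords:
        score += 1 if len(keywords) < 2 else 2   # one word is common in real values
        reasons.append("sql keywords: " + ", ".join(keywords))
    return score, reasons

def scan(lines, threshold=3):
    """Return the SRCH lines whose filter scores at or above threshold."""
    hits = []
    for line in lines:
        m = SRCH_RE.search(line)
        if not m:
            continue                      # not a search line, or no filter field
        score, reasons = score_filter(m["filter"])
        if score >= threshold:
            hits.append({
                "conn": int(m["conn"]),
                "op": int(m["op"]),
                "filter": m["filter"],
                "score": score,
                "reasons": reasons,
            })
    return hits

# Constructed sample log: one benign search, its attr line, one injection
# attempt, one legitimate value that happens to contain an SQL word, and one
# name with an apostrophe.
SAMPLE_LOG = [
    'Apr 30 10:00:01 ldap1 slapd[1234]: conn=1001 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(cn=alice)"',
    'Apr 30 10:00:01 ldap1 slapd[1234]: conn=1001 op=1 SRCH attr=cn mail',
    'Apr 30 10:00:05 ldap1 slapd[1234]: conn=1002 op=2 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(cn=x\' UNION SELECT id, userPassword FROM persons --)"',
    'Apr 30 10:00:06 ldap1 slapd[1234]: conn=1003 op=1 SRCH base="ou=people,dc=example,dc=com" scope=1 deref=0 filter="(description=select your preferred delivery option)"',
    'Apr 30 10:00:07 ldap1 slapd[1234]: conn=1004 op=1 SRCH base="ou=people,dc=example,dc=com" scope=2 deref=0 filter="(sn=O\'Brien)"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"conn={hit['conn']} op={hit['op']} score={hit['score']}: {hit['filter']}")
        print("   ", "; ".join(hit["reasons"]))
```

Pair a hit's `conn=` number with the `ACCEPT from IP=...` line for the same connection, and with its `BIND dn=` line, to identify the client and the identity it used.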
🔗 References
- https://bugs.openldap.org/show_bug.cgi?id=9815
- https://lists.debian.org/debian-lts-announce/2022/05/msg00032.html
- https://security.netapp.com/advisory/ntap-20220609-0007/
- https://www.debian.org/security/2022/dsa-5140