CVE-2024-3657
📋 TL;DR
A vulnerability in 389-ds-base allows attackers to cause denial of service through specially crafted LDAP queries. This affects systems running vulnerable versions of the 389 Directory Server, potentially disrupting directory services and authentication.
💻 Affected Systems
- 389-ds-base
- Red Hat Directory Server
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete directory server crash leading to authentication failures, service disruption, and potential cascading failures in dependent systems.
Likely Case
Temporary service interruption requiring server restart, impacting LDAP-dependent applications and user authentication.
If Mitigated
Minimal impact with proper network segmentation and query filtering in place.
🎯 Exploit Status
Requires LDAP query access; authenticated users or network access to LDAP port needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check specific Red Hat advisories for version numbers
Vendor Advisory: https://access.redhat.com/errata/RHSA-2024:3591
Restart Required: Yes
Instructions:
1. Update the 389-ds-base package using yum update
2. Restart the directory server service
3. Verify the service is running
🔧 Temporary Workarounds
Network Access Restriction
Restrict LDAP access to trusted sources only (Linux)
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="TRUSTED_IP" port protocol="tcp" port="389" accept'
firewall-cmd --reload
Query Rate Limiting
Implement rate limiting on LDAP queries (all platforms)
Configure in 389-ds slapd.conf or cn=config
🧯 If You Can't Patch
- Implement strict network segmentation and firewall rules to limit LDAP access
- Monitor LDAP query patterns and set up alerts for unusual activity
🔍 How to Verify
Check if Vulnerable:
Check 389-ds-base package version against Red Hat advisories
Check Version:
rpm -q 389-ds-base
Verify Fix Applied:
Verify package version is updated and service is running
📡 Detection & Monitoring
Log Indicators:
- Unusual LDAP query patterns
- Server crash/restart logs
- High error rates in access logs
Network Indicators:
- Unusual LDAP traffic patterns
- Multiple malformed queries from single source
SIEM Query:
source="ldap" AND (error OR crash OR restart)
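As an added example that is not part of this page or of the 389-ds project, the POSIX shell function below applies the access-log indicators above to 389 Directory Server access-log lines: it maps each conn=N to the client address that opened it and tallies non-zero RESULT err= codes per source, flagging sources whose failed-operation count reaches a threshold. Only the line layout follows the 389-ds access log; the log content, the instance path and the threshold are constructed assumptions.

```shell
# Added example, not from the CVE page or 389-ds: count failed LDAP operations
# per client source from 389-ds access-log lines (log content is constructed).

# Constructed sample of /var/log/dirsrv/slapd-INSTANCE/access (INSTANCE is a placeholder).
SAMPLE_LOG='[12/Jun/2024:10:00:01.100000000 +0000] conn=1 fd=64 slot=64 connection from 10.0.0.5 to 10.0.0.1
[12/Jun/2024:10:00:01.200000000 +0000] conn=1 op=0 BIND dn="cn=app,ou=svc,dc=example,dc=com" method=128 version=3
[12/Jun/2024:10:00:01.300000000 +0000] conn=1 op=0 RESULT err=0 tag=97 nentries=0 etime=0.000123
[12/Jun/2024:10:00:02.100000000 +0000] conn=2 fd=65 slot=65 connection from 192.0.2.9 to 10.0.0.1
[12/Jun/2024:10:00:02.200000000 +0000] conn=2 op=0 RESULT err=2 tag=101 nentries=0 etime=0.000050
[12/Jun/2024:10:00:02.300000000 +0000] conn=2 op=1 RESULT err=87 tag=101 nentries=0 etime=0.000048
[12/Jun/2024:10:00:02.400000000 +0000] conn=2 op=2 RESULT err=2 tag=101 nentries=0 etime=0.000051
[12/Jun/2024:10:00:03.100000000 +0000] conn=3 fd=66 slot=66 connection from 10.0.0.7 to 10.0.0.1
[12/Jun/2024:10:00:03.200000000 +0000] conn=3 op=0 RESULT err=0 tag=97 nentries=0 etime=0.000110
[12/Jun/2024:10:00:03.300000000 +0000] conn=3 op=1 RESULT err=32 tag=101 nentries=0 etime=0.000200'

# Usage: ldap_error_sources MIN_ERRORS < access.log
# Prints "source_ip results errors" for each source whose number of RESULT
# lines with a non-zero err= code reaches MIN_ERRORS (err=0 means success).
ldap_error_sources() {
    awk -v min="${1:-5}" '
        # "connection from" lines tie a conn=N id to the client address.
        /connection from/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^conn=/) conn = substr($i, 6)
                if ($i == "from")  ip = $(i + 1)
            }
            src[conn] = ip
            next
        }
        # RESULT lines carry the outcome of each operation on that connection.
        /RESULT/ {
            conn = ""; err = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^conn=/) conn = substr($i, 6)
                if ($i ~ /^err=/)  err = substr($i, 5)
            }
            ip = (conn in src) ? src[conn] : "unknown"
            total[ip]++
            if (err != "0") errors[ip]++
        }
        END {
            for (ip in total)
                if (errors[ip] + 0 >= min) print ip, total[ip], errors[ip] + 0
        }'
}
# Flag any source with two or more failed operations in the sample.
printf '%s\n' "$SAMPLE_LOG" | ldap_error_sources 2
```

On a live server, feed the real access log in place of the sample and tune the threshold to the normal error rate of your clients before alerting on it.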
🔗 References
- https://access.redhat.com/errata/RHSA-2024:3591
- https://access.redhat.com/errata/RHSA-2024:3837
- https://access.redhat.com/errata/RHSA-2024:4092
- https://access.redhat.com/errata/RHSA-2024:4209
- https://access.redhat.com/errata/RHSA-2024:4210
- https://access.redhat.com/errata/RHSA-2024:4235
- https://access.redhat.com/errata/RHSA-2024:4633
- https://access.redhat.com/errata/RHSA-2024:5690
- https://access.redhat.com/errata/RHSA-2024:6576
- https://access.redhat.com/errata/RHSA-2024:7458
- https://access.redhat.com/errata/RHSA-2025:1632
- https://access.redhat.com/security/cve/CVE-2024-3657
- https://bugzilla.redhat.com/show_bug.cgi?id=2274401
- https://lists.debian.org/debian-lts-announce/2025/01/msg00015.html