CVE-2024-5953

5.7 MEDIUM

📋 TL;DR

This vulnerability in the 389-ds-base LDAP server allows authenticated users to cause a denial of service by attempting to log in with a user account containing a malformed password hash. It affects LDAP servers running vulnerable versions of 389-ds-base. The impact is limited to availability disruption rather than data compromise.

💻 Affected Systems

Products:
  • 389-ds-base
Versions: Versions before the patched releases specified in Red Hat advisories
Operating Systems: Red Hat Enterprise Linux, CentOS, Fedora, Other Linux distributions using 389-ds-base
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems where 389-ds-base is configured as an LDAP server with user authentication enabled.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete LDAP server crash, disrupting authentication and directory services for all users and applications dependent on the LDAP infrastructure.

🟠

Likely Case

Temporary service interruption affecting authentication and directory lookups until the server restarts or recovers.

🟢

If Mitigated

Minimal impact with proper monitoring and rapid restart capabilities; authentication failures logged but service remains available.

🌐 Internet-Facing: MEDIUM - While exploitation requires authentication, internet-facing LDAP servers could be targeted by attackers with compromised credentials.
🏢 Internal Only: MEDIUM - Internal attackers or compromised accounts could disrupt critical authentication services affecting business operations.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires valid user credentials and knowledge of how to create malformed password hashes. No public exploit code has been identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check specific Red Hat advisories for version numbers (e.g., 389-ds-base-1.4.3.30-1.el8_9)

Vendor Advisory: https://access.redhat.com/errata/RHSA-2024:4633

Restart Required: Yes

Instructions:

  1. Update the 389-ds-base package using your distribution's package manager.
  2. For RHEL/CentOS: 'yum update 389-ds-base'.
  3. Restart the 389-ds service: 'systemctl restart dirsrv@instance-name'.
  4. Verify the service is running properly.

🔧 Temporary Workarounds

Restrict Authentication Access

Limit which users can authenticate to the LDAP server using access controls or firewall rules.

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="TRUSTED_IP_RANGE" port protocol="tcp" port="389" accept'
firewall-cmd --reload

🧯 If You Can't Patch

  • Implement strict monitoring and alerting for LDAP service crashes with automated restart capabilities.
  • Enforce strong password policies and regular credential rotation to reduce risk of credential compromise.

🔍 How to Verify

Check if Vulnerable:

Check 389-ds-base version: 'rpm -q 389-ds-base' and compare against patched versions in Red Hat advisories.

Check Version:

rpm -q 389-ds-base

Verify Fix Applied:

Confirm that 'rpm -q 389-ds-base' reports the patched version, then test that LDAP authentication still works.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected LDAP server crashes or restarts in system logs
  • Authentication failures for users with malformed password entries in 389-ds logs

Network Indicators:

  • Sudden drop in LDAP traffic followed by service restart patterns

SIEM Query:

(source="*ldap*" OR source="*389*") AND ("crash" OR "restart" OR "segfault") AND "authentication"
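As an added example (not from this advisory or the 389-ds project), the log indicators above turned into a small correlation check: it pairs BIND operations in the 389-ds access log that never received a RESULT line with a systemd crash record for the same instance, so the account whose entry needs inspection is surfaced rather than just the crash. The log lines are constructed, and the access-log layout, the `journalctl -o short-iso` timestamp form and the 10-second window are assumptions.

```python
import re
from datetime import datetime, timedelta
# Constructed 389-ds access-log excerpt: conn=7 binds and gets a RESULT; conn=8's BIND never does.
ACCESS_LOG = """\
[15/Jun/2024:10:00:01.000000000 +0000] conn=7 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128 version=3
[15/Jun/2024:10:00:01.002000000 +0000] conn=7 op=0 RESULT err=0 tag=97 nentries=0 etime=0.001
[15/Jun/2024:10:00:05.000000000 +0000] conn=8 op=0 BIND dn="uid=bob,ou=people,dc=example,dc=com" method=128 version=3
"""
# Constructed journal excerpt (journalctl -o short-iso style) for the same instance.
JOURNAL = """\
2024-06-15T10:00:05+0000 ldap1 systemd[1]: dirsrv@example.service: Main process exited, code=killed, status=11/SEGV
"""
ACCESS_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$')
DN_RE = re.compile(r'dn="([^"]*)"')
JOURNAL_RE = re.compile(r'^(?P<ts>\S+) \S+ systemd\[\d+\]: (?P<unit>dirsrv@\S+\.service): (?P<msg>.*)$')

def parse_access_ts(ts):
    """'15/Jun/2024:10:00:05.000000000 +0000' -> aware datetime; nanoseconds truncated to microseconds."""
    base, frac, tz = re.match(r'^(.+?)\.(\d+) ([+-]\d{4})$', ts).groups()
    dt = datetime.strptime(f'{base} {tz}', '%d/%b/%Y:%H:%M:%S %z')
    return dt + timedelta(microseconds=int(frac[:6].ljust(6, '0')))

def unfinished_binds(access_log):
    """BIND operations with no matching RESULT line (same conn/op): binds the server never answered."""
    pending = {}
    for m in filter(None, map(ACCESS_RE.match, access_log.splitlines())):
        key = (m['conn'], m['op'])
        if m['rest'].startswith('BIND '):
            dn = DN_RE.search(m['rest'])
            pending[key] = {'conn': m['conn'], 'dn': dn.group(1) if dn else '', 'time': parse_access_ts(m['ts'])}
        elif m['rest'].startswith('RESULT '):
            pending.pop(key, None)
    return list(pending.values())

def crash_events(journal):
    """systemd 'Main process exited' records for dirsrv@ instances, with parsed timestamps."""
    return [{'unit': m['unit'], 'msg': m['msg'], 'time': datetime.strptime(m['ts'], '%Y-%m-%dT%H:%M:%S%z')}
            for m in map(JOURNAL_RE.match, journal.splitlines()) if m and 'Main process exited' in m['msg']]

def correlate(access_log, journal, window_s=10):
    """Pair each crash with unanswered binds in the preceding window: the accounts whose entries need inspection."""
    hits = []
    for crash in crash_events(journal):
        for b in unfinished_binds(access_log):
            gap = (crash['time'] - b['time']).total_seconds()
            if 0 <= gap <= window_s:
                hits.append({'dn': b['dn'], 'conn': b['conn'], 'unit': crash['unit'], 'seconds_before_crash': gap})
    return hits
```

Run `correlate(open(access).read(), journal_text)` against a real access log and `journalctl -u 'dirsrv@*' -o short-iso` output; a hit is the account whose stored hash should be checked before the instance is allowed to accept binds again.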
