CVE-2024-6237

6.5 MEDIUM

📋 TL;DR

CVE-2024-6237 is a denial-of-service vulnerability in 389 Directory Server where an unauthenticated attacker can crash the server by sending a specific extended search request. This affects organizations running vulnerable versions of 389 Directory Server, potentially disrupting LDAP directory services.

💻 Affected Systems

Products:
  • 389 Directory Server
Versions: prior to 2.4.5
Operating Systems: Linux distributions including RHEL, CentOS, Fedora
Default Config Vulnerable: ⚠️ Yes
Notes: All standard installations with extended search operations enabled are vulnerable. The vulnerability is in the core search functionality.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service outage of directory services, disrupting authentication, authorization, and other LDAP-dependent applications across the organization.

🟠 Likely Case

Temporary service disruption requiring a server restart, causing authentication failures and application downtime until service is restored.

🟢 If Mitigated

Minimal impact with proper network segmentation and access controls preventing unauthenticated access to LDAP services.

🌐 Internet-Facing: HIGH - Unauthenticated attackers can exploit this remotely without any credentials, making internet-facing instances particularly vulnerable.
🏢 Internal Only: MEDIUM - Internal attackers or compromised systems could still exploit this, but exploitation requires network access to the LDAP service.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires sending a specific extended search request, which is straightforward to craft. No authentication is required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 389-ds-base 2.4.5 or later

Vendor Advisory: https://access.redhat.com/errata/RHSA-2024:4997

Restart Required: Yes

Instructions:

1. Update the 389-ds-base package to version 2.4.5 or later using your package manager.
2. Restart the 389 Directory Server service.
3. Verify the service is running correctly after the restart.

🔧 Temporary Workarounds

Restrict Extended Search Operations


Disable or restrict extended search operations if not required for your environment

# Modify slapd.conf or cn=config to restrict extended operations
# Set 'olcRequires: authc' for extended operation controls

Network Access Controls


Implement firewall rules to restrict access to the LDAP ports (389, 636) to trusted networks only. Rule order matters: the ACCEPT rule for the trusted network must be inserted before the DROP rule.

# Example iptables rules (replace trusted_network with your trusted CIDR)
iptables -A INPUT -p tcp -m multiport --dports 389,636 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 389,636 -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation and firewall rules to limit LDAP access to authorized clients only
  • Deploy intrusion detection/prevention systems to monitor for anomalous LDAP search patterns

🔍 How to Verify

Check if Vulnerable:

Check the installed 389-ds-base package version; any version below 2.4.5 is vulnerable.

Check Version:

rpm -q 389-ds-base

Verify Fix Applied:

Verify the package version is 2.4.5 or later and the service is running: systemctl status dirsrv@instance-name
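The version comparison behind "2.4.5 or later" is easy to get wrong with a plain string compare (for example "2.10.0" sorts before "2.4.5" lexically). The script below is an added example, not part of this advisory or of the 389 Directory Server project: it compares dot-separated numeric versions component by component and reports whether an installed 389-ds-base version is at or above the fixed release named above. It assumes an RPM-based host where the version string comes from `rpm -q --qf '%{VERSION}' 389-ds-base`; the function names version_ge and check_installed are this example's own.

```shell
#!/bin/sh
# Added example (not from the advisory): check an installed 389-ds-base version
# against the fixed release 2.4.5 named on this page.

FIXED_VERSION="2.4.5"

# version_ge A B -> returns 0 if A >= B, comparing dot-separated numeric
# components; missing trailing components count as 0 (so 2.4 < 2.4.5).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        # Leading component of each string, reduced to digits only so that
        # suffixes such as "5~rc1" do not break the numeric test.
        a_part=$(printf '%s' "${a%%.*}" | tr -cd '0-9')
        b_part=$(printf '%s' "${b%%.*}" | tr -cd '0-9')
        [ -z "$a_part" ] && a_part=0
        [ -z "$b_part" ] && b_part=0
        if [ "$a_part" -gt "$b_part" ]; then return 0; fi
        if [ "$a_part" -lt "$b_part" ]; then return 1; fi
        # Drop the compared component; clear the string when no dot remains.
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 0
}

# check_installed VERSION -> prints a verdict; returns 0 if fixed, 1 if vulnerable.
check_installed() {
    installed="$1"
    if version_ge "$installed" "$FIXED_VERSION"; then
        echo "389-ds-base $installed: fixed (>= $FIXED_VERSION)"
        return 0
    fi
    echo "389-ds-base $installed: VULNERABLE to CVE-2024-6237 (< $FIXED_VERSION)"
    return 1
}

# Stand-alone use on a live host: only query rpm when the package is installed,
# so the script also runs cleanly on machines without 389-ds-base.
if command -v rpm >/dev/null 2>&1 && rpm -q 389-ds-base >/dev/null 2>&1; then
    check_installed "$(rpm -q --qf '%{VERSION}' 389-ds-base)"
fi
```

Note that this checks the upstream version field only; a distribution may backport the fix into an older version string, in which case the vendor advisory linked above is the authority, not the number.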

📡 Detection & Monitoring

Log Indicators:

  • Server crash entries in /var/log/dirsrv/slapd-instance/errors (substitute your instance name)
  • Abnormal termination of the slapd process
  • Multiple failed connection attempts followed by the service stopping

Network Indicators:

  • Unusual LDAP extended search requests from unauthenticated sources
  • Spike in LDAP traffic followed by service unavailability

SIEM Query:

source="*/dirsrv/*/errors" AND ("crash" OR "segmentation fault" OR "abnormal termination")
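The SIEM query above only keys on crash strings. The script below is an added example, not from this advisory or the 389 Directory Server project: it runs the same indicator terms over an errors log, additionally counts how many server restarts directly follow a crash indicator (a crash loop is the pattern a repeated DoS would leave), and pulls the server version the log itself reports so it can be compared with the fixed release. The log lines are constructed for the demonstration and only loosely follow the 389 DS error-log layout; the real file is /var/log/dirsrv/slapd-<instance>/errors. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the advisory): scan a 389 DS errors log for the crash
# indicators listed on this page, plus restart-after-crash counting.

# Constructed sample log for the demo (not real captured data).
SAMPLE_LOG=$(cat <<'EOF'
[01/Jan/2024:10:00:01.000000000 +0000] - INFO - main - 389-Directory/2.4.4 starting up
[01/Jan/2024:10:00:02.000000000 +0000] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
[01/Jan/2024:10:07:44.000000000 +0000] - ERR - slapd_daemon - abnormal termination: signal 11 (segmentation fault)
[01/Jan/2024:10:07:50.000000000 +0000] - INFO - main - 389-Directory/2.4.4 starting up
[01/Jan/2024:10:07:51.000000000 +0000] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
[01/Jan/2024:10:09:03.000000000 +0000] - ERR - main - server crash detected, core dumped
[01/Jan/2024:10:09:10.000000000 +0000] - INFO - main - 389-Directory/2.4.4 starting up
EOF
)

INDICATORS='crash|segmentation fault|abnormal termination'

# count_crash_indicators FILE -> number of lines matching the indicator terms.
count_crash_indicators() {
    grep -ciE "$INDICATORS" "$1"
}

# crash_lines FILE -> the matching lines, prefixed with their line numbers.
crash_lines() {
    grep -niE "$INDICATORS" "$1"
}

# restarts_after_crash FILE -> how many "starting up" lines directly follow a
# crash indicator; repeated values point at a crash loop rather than a one-off.
restarts_after_crash() {
    awk -v pat="$INDICATORS" '
        tolower($0) ~ pat { seen = 1; next }
        seen && /starting up/ { n++; seen = 0 }
        END { print n + 0 }' "$1"
}

# log_version FILE -> the last server version the log reports (e.g. 2.4.4),
# which can be checked against the fixed release 2.4.5 from this page.
log_version() {
    grep -oE '389-Directory/[0-9.]+' "$1" | tail -n 1 | cut -d/ -f2
}

# Write the constructed sample to a temp file and run the scan over it.
TMP_LOG=$(mktemp)
trap 'rm -f "$TMP_LOG"' EXIT
printf '%s\n' "$SAMPLE_LOG" > "$TMP_LOG"

echo "crash indicator lines: $(count_crash_indicators "$TMP_LOG")"
crash_lines "$TMP_LOG"
echo "restarts following a crash: $(restarts_after_crash "$TMP_LOG")"
echo "server version reported in log: $(log_version "$TMP_LOG")"
```

Point the functions at the real errors file to use this on a host; the restart count is the figure worth alerting on, since a single segfault line may be noise but repeated crash-then-restart cycles on an unpatched version match the denial-of-service pattern described above.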
