389 Directory Server NULL Pointer Dereference Vulnerability in Dereference Control Plugin

A NULL pointer dereference vulnerability has been identified in the dereference control plugin of 389 Directory Server. This issue arises because the plugin does not properly check for memory allocation failures before using a Basic Encoding Rules (BER) structure. As a result, an unauthenticated remote attacker can exploit this flaw to crash the LDAP server, particularly under conditions of memory pressure.

Impact

Exploitation of this vulnerability leads to a denial-of-service condition, causing the LDAP server to crash. This was confirmed on Fedora 42 and CentOS 7.

Reproduction

The vulnerability can be reproduced by sending an LDAP search request that includes the dereference control. This can be done using an LDAP client that supports sending such controls. The dereference control plugin must be enabled, which is the default configuration. Under memory pressure, the server will crash, demonstrating the vulnerability.

Remediation

The dereference control plugin can be disabled using the 'dsconf' command, followed by a restart of the Directory Server instance. Additionally, disabling anonymous access can help raise the exploitation threshold from pre-authenticated to authenticated. It is also recommended to configure memory limits as a defense-in-depth strategy.