389-ds-base
- < 11
- < 12
- < 13
- < 10
- < 7
- < 1.4
- < 9
A denial-of-service vulnerability has been identified in 389 Directory Server versions 11, 12, and 13 and in Red Hat Enterprise Linux 7, 8, 9, and 10. The flaw is in the LDAP server's 'get_ldapmessage_controls_ext()' function, which does not limit the number of controls per LDAP message. A remote, unauthenticated attacker can therefore send a crafted LDAP request carrying hundreds of thousands of minimal controls while staying within the default maximum BER message size of 2 MB. Processing such a request consumes excessive CPU time and memory on the server; when such requests arrive concurrently, the result is significant latency, worker thread starvation, or out-of-memory conditions, causing a denial of service.
Exploitation causes high CPU and memory consumption, leading to worker thread starvation and out-of-memory conditions that degrade or disrupt directory service availability.
The vulnerability can be reproduced by sending, over the LDAP port (389/tcp or 636/tcp), a request that carries an excessive number of minimal non-critical controls, up to hundreds of thousands, within the default maximum BER message size of 2 MB, using an LDAP client that allows the control fields of a request to be manipulated. A Bind operation suffices to trigger the flaw, because controls are parsed while the Bind request is processed, before authentication.
Restrict network access to the LDAP port to trusted networks only, using firewall rules or network ACLs, so that untrusted remote attackers cannot reach the vulnerable code. Optionally, lower the 'nsslapd-maxbersize' configuration parameter to reduce the maximum BER message size the server accepts, which bounds how many controls can fit in a single message; set it with care, since too low a value can break legitimate LDAP operations that need larger payloads.
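The missing check in get_ldapmessage_controls_ext() described above, shown as an added example that is not 389-ds-base code: a minimal BER walker that counts the controls on an LDAPMessage and rejects it as soon as a cap is exceeded, before any per-control parsing or allocation happens. MAX_CONTROLS, the sample "1.1" control OID and the constructed anonymous BindRequest bytes are assumptions made for this illustration.

```python
# Added example, not code from 389-ds-base: walk the BER structure of an LDAPMessage and
# reject it once the control count exceeds a cap. MAX_CONTROLS and the "1.1" OID are assumed.
MAX_CONTROLS = 20
class LDAPMessageRejected(Exception): """Malformed message, or more controls than the cap."""

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) of the BER element starting at pos."""
    if pos + 2 > len(buf):
        raise LDAPMessageRejected("truncated element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise LDAPMessageRejected("bad length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise LDAPMessageRejected("element exceeds buffer")
    return tag, pos, pos + length

def count_controls(message, max_controls=MAX_CONTROLS):
    """Count controls in one LDAPMessage, aborting as soon as the cap is exceeded."""
    tag, pos, end = _tlv(message, 0)
    if tag != 0x30 or end != len(message):
        raise LDAPMessageRejected("not a single LDAPMessage SEQUENCE")
    for _ in range(2):                               # skip messageID and protocolOp
        _, _, pos = _tlv(message, pos)
    if pos == end:
        return 0                                     # no controls element present
    tag, pos, cend = _tlv(message, pos)              # controls [0] IMPLICIT SEQUENCE OF Control
    if tag != 0xA0 or cend != end:
        raise LDAPMessageRejected("unexpected trailing element")
    count = 0
    while pos < cend:
        _, _, pos = _tlv(message, pos)               # one Control SEQUENCE
        count += 1
        if count > max_controls:                     # fail fast instead of parsing on
            raise LDAPMessageRejected(f"more than {max_controls} controls")
    return count

def _ber(tag, payload):                              # constructed-sample helper: one BER element
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def sample_bind(n_controls):                         # constructed sample: anonymous simple BindRequest
    body = b"\x02\x01\x01" + _ber(0x60, b"\x02\x01\x03\x04\x00\x80\x00")   # messageID 1, version 3
    control = _ber(0x30, _ber(0x04, b"1.1"))         # controlType only, non-critical
    return _ber(0x30, body + (_ber(0xA0, control * n_controls) if n_controls else b""))
```

Because the walker stops at the first control past the cap, the cost of an over-limit message is bounded by the cap rather than by the 2 MB BER size.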