CVE-2008-2952
Published 2008-07-01
Priority P428 · medium · 5 · CVSS 2.0
AV:N/AC:L/Au:N/C:N/I:N/A:P
EXPLOIT
EPSS: 13.17% (95.9th percentile)
liblber/io.c in OpenLDAP 2.2.4 to 2.4.10 allows remote attackers to cause a denial of service (program termination) via crafted ASN.1 BER datagrams that trigger an assertion error.
Affected
52 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | openldap | < openldap 2.4.10-3 (bookworm) | openldap 2.4.10-3 (bookworm) |
| openldap | openldap | — | — |
Detection & IOCs (extracted from sources)
bytes: \xff\xff\xff\x00\x84\x41\x42\x43\x44
bytes (hex dump): ffff ff00 8441 4243 44
- Trigger condition: crafted ASN.1 BER datagram with exactly 4-byte multi-byte tag and exactly 4-byte multi-byte size sent to LDAP port 389; causes assertion failure in ber_get_next() in liblber/io.c leading to slapd crash.
- Authentication is not required to exploit this vulnerability; any unauthenticated remote attacker can send the malformed BER packet to crash slapd.
- The crash manifests as an assert(0) in ber_get_next(); monitor slapd for abnormal termination following receipt of malformed BER data on port 389.
- Exploit payload starts with bytes 0xFF 0xFF 0xFF 0x00 (malformed multi-byte BER tag) followed by 0x84 and content bytes; detect this pattern in LDAP traffic on TCP/389.
- Affected versions are OpenLDAP 2.2.4 through 2.4.10; the original upstream patch was reported broken and a second patch was applied. Ensure the corrected patch (io.c r1.122) is in use.
- The testcase only crashes the Red Hat Enterprise Linux 4 and 5 versions of openldap; the 2.1 and 3 versions seem to handle this just fine. Scope detection efforts accordingly.
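The trigger condition above expressed as a header check, added here as an illustration (not code from OpenLDAP or from the sources this page quotes): it walks the BER identifier and length octets and flags a 4-octet tag followed by a 4-octet long-form length. The function names and the benign bind-request sample are constructed for this example.

```python
from typing import NamedTuple, Optional

class BerHeader(NamedTuple):
    tag_octets: int         # identifier octets, including the leading one
    len_octets: int         # octets after the first length octet (0 = short form)
    length: Optional[int]   # declared content length, None for indefinite form

def parse_ber_header(buf: bytes) -> Optional[BerHeader]:
    """Return the layout of the BER header at the start of buf, or None if truncated."""
    if not buf:
        return None
    pos = 1
    if buf[0] & 0x1F == 0x1F:              # high-tag-number form: more tag octets follow
        while True:
            if pos >= len(buf):
                return None
            pos += 1
            if buf[pos - 1] & 0x80 == 0:   # the last tag octet has its top bit clear
                break
    tag_octets = pos
    if pos >= len(buf):
        return None
    first = buf[pos]
    pos += 1
    if first < 0x80:                       # short form: the octet is the length
        return BerHeader(tag_octets, 0, first)
    n = first & 0x7F
    if n == 0:                             # 0x80: indefinite length
        return BerHeader(tag_octets, 0, None)
    if pos + n > len(buf):
        return None
    return BerHeader(tag_octets, n, int.from_bytes(buf[pos:pos + n], "big"))

def matches_trigger_shape(buf: bytes) -> bool:
    """True for a 4-octet tag followed by a 4-octet long-form length."""
    hdr = parse_ber_header(buf)
    return hdr is not None and hdr.tag_octets == 4 and hdr.len_octets == 4

# Byte sequence listed on this page.
SAMPLE_FROM_PAGE = bytes.fromhex("ffffff008441424344")
# Constructed benign sample: an anonymous LDAPv3 simple bind request.
BIND_REQUEST = bytes.fromhex("300c020101600702010304008000")

if __name__ == "__main__":
    for name, data in (("page sample", SAMPLE_FROM_PAGE), ("bind request", BIND_REQUEST)):
        print(name, parse_ber_header(data), matches_trigger_shape(data))
```

Run the check against the first octets of each LDAP PDU seen on TCP/389. A 4-octet long-form length on its own is legal BER, which is why the check requires both conditions.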
CVSS provenance
nvd: v2.0 · 5.0 MEDIUM · AV:N/AC:L/Au:N/C:N/I:N/A:P
osv: 5.0 MEDIUM
vendor_debian: 5.0 LOW
vendor_redhat: 5.0 MEDIUM
Ubuntu
OpenLDAP vulnerability
vendor_ubuntu·2008-08-01
Cameron Hotchkies discovered that OpenLDAP did not correctly handle
certain ASN.1 BER data. A remote attacker could send a specially crafted
packet and crash slapd, leading to a denial of service.
Instructions: In general, a standard system upgrade is sufficient to effect the
necessary changes.
Red Hat
OpenLDAP denial-of-service flaw in ASN.1 decoder
vendor_redhat·2008-06-26·CVSS 5.0
Debian
CVE-2008-2952: openldap - liblber/io.c in OpenLDAP 2.2.4 to 2.4.10 allows remote attackers to cause a deni...
vendor_debian·2008·CVSS 5.0
Scope: local
bookworm: resolved (fixed in 2.4.10-3)
bullseye: resolved (fixed in 2.4.10-3)
forky: resolved (fixed in 2.4.10-3)
sid: resolved (fixed in 2.4.10-3)
trixie: resolved (fixed in 2.4.10-3)
GHSA
GHSA-mgjr-3gvp-wpc2: liblber/io
ghsa_unreviewed·2022-05-01
OSV
CVE-2008-2952: liblber/io
osv·2008-07-01·CVSS 5.0
No detection rules found.
References
- http://lists.apple.com/archives/security-announce//2008/Jul/msg00003.html
- http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00006.html
- http://secunia.com/advisories/30853
- http://secunia.com/advisories/30917
- http://secunia.com/advisories/30996
- http://secunia.com/advisories/31326
- http://secunia.com/advisories/31364
- http://secunia.com/advisories/31436
- http://secunia.com/advisories/32254
- http://secunia.com/advisories/32316
- http://security.gentoo.org/glsa/glsa-200808-09.xml
- http://wiki.rpath.com/Advisories:rPSA-2008-0249
- http://www.debian.org/security/2008/dsa-1650
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:144
- http://www.openldap.org/its/index.cgi/Software%20Bugs?id=5580
- http://www.openldap.org/its/index.cgi/Software%20Bugs?id=5580%3Bselectid=5580
- http://www.openwall.com/lists/oss-security/2008/07/01/2
- http://www.openwall.com/lists/oss-security/2008/07/13/2
- http://www.redhat.com/support/errata/RHSA-2008-0583.html
- http://www.securityfocus.com/archive/1/495320/100/0/threaded
- http://www.securityfocus.com/bid/30013
- http://www.securitytracker.com/id?1020405
- http://www.ubuntu.com/usn/usn-634-1
- http://www.vupen.com/english/advisories/2008/1978/references
- http://www.vupen.com/english/advisories/2008/2268
- http://www.zerodayinitiative.com/advisories/ZDI-08-052/
- https://exchange.xforce.ibmcloud.com/vulnerabilities/43515
- https://issues.rpath.com/browse/RPL-2645
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10662
- https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00109.html
- https://www.redhat.com/archives/fedora-package-announce/2008-July/msg00129.html