CVE-2008-2952
published 2008-07-01


Priority: P428, medium, 5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
EXPLOIT
EPSS: 13.17% (95.9th percentile)
liblber/io.c in OpenLDAP 2.2.4 to 2.4.10 allows remote attackers to cause a denial of service (program termination) via crafted ASN.1 BER datagrams that trigger an assertion error.

Affected

52 ranges, showing 25

Vendor    Product   Version range                    Fixed in
debian    openldap  < openldap 2.4.10-3 (bookworm)   openldap 2.4.10-3 (bookworm)
openldap  openldap

Detection & IOCs (extracted from sources)

port: 389
path: liblber/io.c
process: slapd
bytes: \xff\xff\xff\x00\x84\x41\x42\x43\x44
bytes: ffff ff00 8441 4243 44
  • Trigger condition: a crafted ASN.1 BER datagram with an exactly 4-byte multi-byte tag and an exactly 4-byte multi-byte size, sent to LDAP port 389, causes an assertion failure in ber_get_next() in liblber/io.c, leading to a slapd crash.
  • Authentication is not required to exploit this vulnerability; any unauthenticated remote attacker can send the malformed BER packet to crash slapd.
  • The crash manifests as an assert(0) in ber_get_next(); monitor slapd for abnormal termination following receipt of malformed BER data on port 389.
  • Exploit payload starts with bytes 0xFF 0xFF 0xFF 0x00 (malformed multi-byte BER tag) followed by 0x84 and content bytes; detect this pattern in LDAP traffic on TCP/389.
  • Affected versions are OpenLDAP 2.2.4 through 2.4.10; the original upstream patch was reported broken and a second patch was applied, so ensure the corrected patch (io.c r1.122) is in use.
  • The testcase only crashes the Red Hat Enterprise Linux 4 and 5 versions of openldap; the 2.1 and 3 versions seem to handle this just fine. Scope detection efforts accordingly.
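
The header shape described in the bullets above (a 4-byte multi-byte tag followed by a 4-byte multi-byte size) can be checked structurally rather than by matching fixed bytes. The following is an added example, not code from OpenLDAP or from the sources this page quotes; the function names are hypothetical, and it assumes the caller passes bytes that begin at the start of an LDAP PDU (TCP reassembly already done).

```python
# Added example: BER header check for the shape this page ties to CVE-2008-2952.
# Inputs other than PAGE_BYTES are constructed for illustration.

PAGE_BYTES = bytes.fromhex("ffffff008441424344")           # byte string listed on this page
ANON_BIND = bytes.fromhex("300c020101600702010304008000")  # constructed: LDAPv3 anonymous bind
LONG_LEN = bytes.fromhex("3084000000050201010000")         # constructed: 1-byte tag, 0x84 length


def parse_ber_header(buf: bytes):
    """Return (tag_octets, length_octets) for the BER header at the start of buf.

    length_octets counts the octets that follow the first length byte (0 for the
    short and indefinite forms). Returns None if the header is truncated.
    """
    if not buf:
        return None
    i = 1
    if (buf[0] & 0x1F) == 0x1F:            # low five bits set: multi-byte tag
        while True:
            if i >= len(buf):
                return None                # ran out of data inside the tag
            i += 1
            if not (buf[i - 1] & 0x80):    # continuation bit clear: last tag octet
                break
    tag_octets = i
    if i >= len(buf):
        return None                        # no length byte present
    first = buf[i]
    length_octets = (first & 0x7F) if first > 0x80 else 0
    if i + 1 + length_octets > len(buf):
        return None                        # long-form length is truncated
    return tag_octets, length_octets


def matches_reported_shape(buf: bytes) -> bool:
    """True when the header has exactly 4 tag octets and a 4-octet long-form length."""
    return parse_ber_header(buf) == (4, 4)


if __name__ == "__main__":
    samples = {"page bytes": PAGE_BYTES, "anonymous bind": ANON_BIND, "long length": LONG_LEN}
    for name, pdu in samples.items():
        print(f"{name:15} header={parse_ber_header(pdu)} flag={matches_reported_shape(pdu)}")
```

The `LONG_LEN` sample shows why the check requires both conditions: a 0x84 length on its own behind a one-byte tag is valid BER and should not raise an alert.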

CVSS provenance

nvd            v2.0  5.0  MEDIUM  AV:N/AC:L/Au:N/C:N/I:N/A:P
osv                  5.0  MEDIUM
vendor_debian        5.0  LOW
vendor_redhat        5.0  MEDIUM