CVE-2013-4449
published 2014-02-05


Priority: P4, 24, medium
CVSS 2.0: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
EPSS: 10.91% (percentile 95.3)
The rwm overlay in OpenLDAP 2.4.23, 2.4.36, and earlier does not properly count references, which allows remote attackers to cause a denial of service (slapd crash) by unbinding immediately after a search request, which triggers rwm_conn_destroy to free the session context while it is being used by rwm_op_search.

Affected

40 ranges, showing 25

Vendor   | Product                                                                          | Version range                    | Fixed in
apple    | macos_catalina_10.15.2_security_update_2019-002_mojave_security_update_2019-007 |                                  |
debian   | debian_linux                                                                     |                                  |
debian   | debian_linux                                                                     |                                  |
debian   | openldap                                                                         | < openldap 2.4.39-1.1 (bookworm) | openldap 2.4.39-1.1 (bookworm)
openldap | openldap                                                                         | <= 2.4.36                        |

The remaining 20 displayed rows list vendor openldap, product openldap, with no version range or fix shown.

Detection & IOCs (extracted from sources)

  • Trigger condition: remote attacker sends a search request and immediately unbinds from the server, causing rwm_conn_destroy to free the session context while rwm_op_search is still using it — monitor for rapid LDAP SEARCH followed by UNBIND sequences from the same client connection
  • Exploitation may require a multi-core/multi-CPU system to reliably trigger the race condition between rwm_conn_destroy and rwm_op_search
  • Vulnerability is only exploitable when the rwm (rewrite/remap) overlay is enabled in slapd configuration — audit slapd.conf or cn=config for 'overlay rwm' directives
  • The vulnerability only affects slapd instances with the rwm (rewrite/remap) overlay enabled; deployments without this overlay are not affected (e.g., Red Hat Enterprise Linux 7 openldap is listed as Not affected)
  • Affected versions are OpenLDAP 2.4.23, 2.4.36, and earlier; the fix was introduced in OpenLDAP 2.4.39 — verify the deployed version before applying detection logic

CVSS provenance

nvd: CVSS v2.0 4.3 MEDIUM (AV:N/AC:M/Au:N/C:N/I:N/A:P)
osv: 4.3 MEDIUM
vendor_debian: 4.3 LOW
vendor_redhat: 4.3 MEDIUM
vendor_ubuntu: 2.6 LOW