CVE-2013-4449
Published 2014-02-05
Priority: P4 · 24 · medium · 4.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P
EPSS: 10.91% (95.3th percentile)
The rwm overlay in OpenLDAP 2.4.23, 2.4.36, and earlier does not properly count references, which allows remote attackers to cause a denial of service (slapd crash) by unbinding immediately after a search request, which triggers rwm_conn_destroy to free the session context while it is being used by rwm_op_search.
Affected
40 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | macos_catalina_10.15.2_security_update_2019-002_mojave_security_update_2019-007 | — | — |
| debian | debian_linux | — | — |
| debian | openldap | < openldap 2.4.39-1.1 (bookworm) | openldap 2.4.39-1.1 (bookworm) |
| openldap | openldap | <= 2.4.36 | — |
| openldap | openldap | — | — |
Detection & IOCs
- Trigger condition: a remote attacker sends a search request and immediately unbinds from the server, causing rwm_conn_destroy to free the session context while rwm_op_search is still using it. Monitor for rapid LDAP SEARCH followed by UNBIND sequences from the same client connection.
- Exploitation may require a multi-core/multi-CPU system to reliably trigger the race condition between rwm_conn_destroy and rwm_op_search.
- The vulnerability is only exploitable when the rwm (rewrite/remap) overlay is enabled in the slapd configuration. Audit slapd.conf or cn=config for 'overlay rwm' directives.
- The vulnerability only affects slapd instances with the rwm (rewrite/remap) overlay enabled; deployments without this overlay are not affected (e.g., Red Hat Enterprise Linux 7 openldap is listed as Not affected).
- Affected versions are OpenLDAP 2.4.23, 2.4.36, and earlier; the fix was introduced in OpenLDAP 2.4.39. Verify the deployed version before applying detection logic.
CVSS provenance
- nvd: v2.0, 4.3 MEDIUM, AV:N/AC:M/Au:N/C:N/I:N/A:P
- osv: 4.3 MEDIUM
- vendor_debian: 4.3 LOW
- vendor_redhat: 4.3 MEDIUM
- vendor_ubuntu: 2.6 LOW
Apple
CVE-2013-4449: macOS Catalina 10.15.2, Security Update 2019-002 Mojave, Security Update 2019-007 High Sierra
vendor_apple·2019-12-10·CVSS 4.3
CVE-2013-4449 [MEDIUM] CVE-2013-4449: macOS Catalina 10.15.2, Security Update 2019-002 Mojave, Security Update 2019-007 High Sierra
Apple Security Update: About the security content of macOS Catalina 10.15.2, Security Update 2019-002 Mojave, Security Update 2019-007 High Sierra
Product: macOS Catalina 10.15.2, Security Update 2019-002 Mojave, Security Update 2019-007 High Sierra
CVE: CVE-2013-4449
Component: CVE-2013-4449
Ubuntu
OpenLDAP vulnerabilities
vendor_ubuntu·2015-05-26·CVSS 2.6
CVE-2012-1164 [LOW] OpenLDAP vulnerabilities
Title: OpenLDAP vulnerabilities
Summary: OpenLDAP could be made to crash if it received specially crafted network
traffic.
It was discovered that OpenLDAP incorrectly handled certain search queries
that returned empty attributes. A remote attacker could use this issue to
cause OpenLDAP to assert, resulting in a denial of service. This issue only
affected Ubuntu 12.04 LTS. (CVE-2012-1164)
Michael Vishchers discovered that OpenLDAP improperly counted references
when the rwm overlay was used. A remote attacker could use this issue to
cause OpenLDAP to crash, resulting in a denial of service. (CVE-2013-4449)
It was discovered that OpenLDAP incorrectly handled certain empty attribute
lists in search requests. A remote attacker could use this issue to cause
OpenLDAP to crash, resulting in a
Red Hat
openldap: segfault on certain queries with rwm overlay
vendor_redhat·2013-10-11·CVSS 4.3
CVE-2013-4449 [MEDIUM] openldap: segfault on certain queries with rwm overlay
The rwm overlay in OpenLDAP 2.4.23, 2.4.36, and earlier does not properly count references, which allows remote attackers to cause a denial of service (slapd crash) by unbinding immediately after a search request, which triggers rwm_conn_destroy to free the session context while it is being used by rwm_op_search.
Package: openldap (Red Hat Enterprise Linux 7) - Not affected
Debian
CVE-2013-4449: openldap - The rwm overlay in OpenLDAP 2.4.23, 2.4.36, and earlier does not properly count ...
vendor_debian·2013·CVSS 4.3
CVE-2013-4449 [MEDIUM] CVE-2013-4449: openldap - The rwm overlay in OpenLDAP 2.4.23, 2.4.36, and earlier does not properly count ...
The rwm overlay in OpenLDAP 2.4.23, 2.4.36, and earlier does not properly count references, which allows remote attackers to cause a denial of service (slapd crash) by unbinding immediately after a search request, which triggers rwm_conn_destroy to free the session context while it is being used by rwm_op_search.
Scope: local
bookworm: resolved (fixed in 2.4.39-1.1)
bullseye: resolved (fixed in 2.4.39-1.1)
forky: resolved (fixed in 2.4.39-1.1)
sid: resolved (fixed in 2.4.39-1.1)
trixie: resolved (fixed in 2.4.39-1.1)
GHSA
GHSA-rmpx-9wfm-j7j4: The rwm overlay in OpenLDAP 2
ghsa_unreviewed·2022-05-17
CVE-2013-4449 [MEDIUM] GHSA-rmpx-9wfm-j7j4: The rwm overlay in OpenLDAP 2
The rwm overlay in OpenLDAP 2.4.23, 2.4.36, and earlier does not properly count references, which allows remote attackers to cause a denial of service (slapd crash) by unbinding immediately after a search request, which triggers rwm_conn_destroy to free the session context while it is being used by rwm_op_search.
OSV
openldap vulnerabilities
osv·2015-05-26·CVSS 2.6
CVE-2012-1164 [LOW] openldap vulnerabilities
It was discovered that OpenLDAP incorrectly handled certain search queries
that returned empty attributes. A remote attacker could use this issue to
cause OpenLDAP to assert, resulting in a denial of service. This issue only
affected Ubuntu 12.04 LTS. (CVE-2012-1164)
Michael Vishchers discovered that OpenLDAP improperly counted references
when the rwm overlay was used. A remote attacker could use this issue to
cause OpenLDAP to crash, resulting in a denial of service. (CVE-2013-4449)
It was discovered that OpenLDAP incorrectly handled certain empty attribute
lists in search requests. A remote attacker could use this issue to cause
OpenLDAP to crash, resulting in a denial of service. (CVE-2015-1545)
OSV
CVE-2013-4449: The rwm overlay in OpenLDAP 2
osv·2014-02-05·CVSS 4.3
CVE-2013-4449 [MEDIUM] CVE-2013-4449: The rwm overlay in OpenLDAP 2
The rwm overlay in OpenLDAP 2.4.23, 2.4.36, and earlier does not properly count references, which allows remote attackers to cause a denial of service (slapd crash) by unbinding immediately after a search request, which triggers rwm_conn_destroy to free the session context while it is being used by rwm_op_search.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2013-4449 openldap: segfault on certain queries with rwm overlay [fedora-all]
bugzilla·2014-02-03·CVSS 4.3
CVE-2013-4449 [MEDIUM] CVE-2013-4449 openldap: segfault on certain queries with rwm overlay [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Please note: this issue
Bugzilla
CVE-2013-4449 openldap: segfault on certain queries with rwm overlay
bugzilla·2013-10-15·CVSS 4.3
CVE-2013-4449 [MEDIUM] CVE-2013-4449 openldap: segfault on certain queries with rwm overlay
It was discovered that OpenLDAP, with the rwm overlay to slapd, could segfault if a user were able to query the directory and immediately unbind from the server. This seems to be due to the rwm overlay not doing reference counting properly, so rwm_conn_destroy frees the session context while rwm_op_search is using it. This condition also seems to require multiple cores/CPUs to trigger.
This was also reported upstream [1] and is currently unfixed.
[1] http://www.openldap.org/its/index.cgi/Incoming?id=7723
Discussion:
Acknowledgements:
Red Hat would like to thank Michael Vishchers from Seven Principles AG for reporting this issue.
---
(In reply to Vincent Danen from comment #0)
> It was discovered that OpenLDAP, wit
References
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10735
- http://rhn.redhat.com/errata/RHSA-2014-0126.html
- http://rhn.redhat.com/errata/RHSA-2014-0206.html
- http://seclists.org/fulldisclosure/2019/Dec/26
- http://tools.cisco.com/security/center/content/CiscoSecurityNotice/CVE-2013-4449
- http://www.debian.org/security/2015/dsa-3209
- http://www.mandriva.com/security/advisories?name=MDVSA-2014:026
- http://www.openldap.org/its/index.cgi/Incoming?id=7723
- http://www.openwall.com/lists/oss-security/2013/10/19/3
- http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
- http://www.securityfocus.com/bid/63190
- http://www.securitytracker.com/id/1029711
- https://bugzilla.redhat.com/show_bug.cgi?id=1019490
- https://seclists.org/bugtraq/2019/Dec/23
- https://support.apple.com/kb/HT210788