Learn about CVE-2020-35518, a vulnerability in 389-ds-base allowing unauthenticated attackers to check the existence of entries in the LDAP database. Find mitigation steps here.
When a client binds against a DN during authentication, the reply from 389-ds-base differs depending on whether the DN exists. An unauthenticated attacker can use this difference to check whether an entry exists in the LDAP database.
Understanding CVE-2020-35518
This CVE involves a vulnerability in 389-ds-base that allows an unauthenticated attacker to determine the existence of an entry in the LDAP database.
What is CVE-2020-35518?
Because 389-ds-base responds differently during authentication depending on whether the DN exists, attackers can tell existing DNs from non-existing ones, potentially aiding in unauthorized access.
The Impact of CVE-2020-35518
The vulnerability enables unauthenticated attackers to exploit the LDAP database to verify the presence of specific entries, posing a security risk to sensitive information.
Technical Details of CVE-2020-35518
This section provides detailed technical insights into the CVE.
Vulnerability Description
The issue in 389-ds-base allows attackers to discern the existence of entries in the LDAP database by observing different responses during authentication.
Affected Systems and Versions
Exploitation Mechanism
Attackers can exploit the vulnerability by observing the varying responses from 389-ds-base during authentication to determine the presence of specific entries.
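On the defensive side, this kind of probing shows up in the access log as one client issuing failed BINDs against many distinct DNs. The following Python detection is an added example, not code from 389-ds-base or from this advisory; it assumes the usual 389-ds access-log line layout, and the sample log, addresses, DNs and the threshold of 3 are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the 389-ds access-log layout (all values invented).
SAMPLE_LOG = """\
[10/Mar/2021:09:00:01 +0000] conn=7 fd=64 slot=64 connection from 198.51.100.23 to 192.0.2.10
[10/Mar/2021:09:00:01 +0000] conn=7 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128 version=3
[10/Mar/2021:09:00:01 +0000] conn=7 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[10/Mar/2021:09:00:02 +0000] conn=7 op=1 BIND dn="uid=bob,ou=people,dc=example,dc=com" method=128 version=3
[10/Mar/2021:09:00:02 +0000] conn=7 op=1 RESULT err=32 tag=97 nentries=0 etime=0
[10/Mar/2021:09:00:03 +0000] conn=7 op=2 BIND dn="uid=carol,ou=people,dc=example,dc=com" method=128 version=3
[10/Mar/2021:09:00:03 +0000] conn=7 op=2 RESULT err=49 tag=97 nentries=0 etime=0
[10/Mar/2021:09:05:00 +0000] conn=8 fd=65 slot=65 connection from 192.0.2.50 to 192.0.2.10
[10/Mar/2021:09:05:00 +0000] conn=8 op=0 BIND dn="uid=dave,ou=people,dc=example,dc=com" method=128 version=3
[10/Mar/2021:09:05:00 +0000] conn=8 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[10/Mar/2021:09:05:09 +0000] conn=8 op=1 BIND dn="uid=dave,ou=people,dc=example,dc=com" method=128 version=3
[10/Mar/2021:09:05:09 +0000] conn=8 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=dave,ou=people,dc=example,dc=com"
"""

CONN_RE = re.compile(r'conn=(\d+) fd=\d+ slot=\d+ (?:SSL )?connection from (\S+) to ')
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+) tag=97\b')  # tag=97: bind response

def failed_bind_dns(lines):
    """Map client address -> set of distinct DNs whose BIND got a non-zero result."""
    client_of = {}   # conn id -> client address
    pending = {}     # (conn, op) -> DN named in the BIND request
    failed = defaultdict(set)
    for line in lines:
        if m := CONN_RE.search(line):
            client_of[m.group(1)] = m.group(2)
        elif m := BIND_RE.search(line):
            pending[(m.group(1), m.group(2))] = m.group(3).lower()
        elif m := RESULT_RE.search(line):
            dn = pending.pop((m.group(1), m.group(2)), None)
            # Any non-zero result counts; the advisory does not say which codes
            # differ. Anonymous binds (empty DN) are ignored.
            if dn and m.group(3) != "0":
                failed[client_of.get(m.group(1), "unknown")].add(dn)
    return failed

def suspected_probers(lines, min_distinct_dns=3):
    """Clients that failed to bind as at least min_distinct_dns different DNs."""
    return {ip: sorted(dns) for ip, dns in failed_bind_dns(lines).items()
            if len(dns) >= min_distinct_dns}

if __name__ == "__main__":
    for ip, dns in suspected_probers(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {len(dns)} distinct DNs with failed binds")
```

Counting distinct DNs rather than total failures keeps a user who mistypes a password several times from being flagged.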
Mitigation and Prevention
Protecting systems from CVE-2020-35518 is crucial to maintaining security.
Immediate Steps to Take
Long-Term Security Practices
Patching and Updates
Ensure timely installation of security patches and updates for 389-ds-base to mitigate the risk of exploitation.