CVE-2019-3883 in 389-ds-base
Summary
by MITRE
In 389-ds-base up to version 1.4.1.2, requests are handled by worker threads. Each socket will be waited on by the worker for at most 'ioblocktimeout' seconds. However, this timeout applies only to unencrypted requests. Connections using SSL/TLS do not take this timeout into account during reads, and may hang longer. An unauthenticated attacker could repeatedly create hanging LDAP requests to hang all the workers, resulting in a Denial of Service.
Analysis
by VulDB Data Team • 08/29/2023
The vulnerability identified as CVE-2019-3883 affects the 389 Directory Server base component (389-ds-base) in version 1.4.1.2 and earlier and presents a denial of service risk through improper handling of SSL/TLS connections. The server hands incoming LDAP requests to a fixed pool of worker threads, and each socket read by a worker is bounded by the configurable I/O block timeout (the nsslapd-ioblocktimeout attribute in cn=config, expressed in milliseconds). That timeout exists precisely so that a client which connects and then stops sending cannot pin a worker thread indefinitely and exhaust the pool.
The flaw is that the timeout is applied inconsistently between encrypted and unencrypted connections. On a plain-text connection the worker waits for data at most 'ioblocktimeout' before giving up on the request; on an SSL/TLS connection the read path does not apply the same bound, so a worker blocked reading an encrypted request waits for as long as the client chooses to stay silent. An attacker therefore does not need any credentials or a malformed packet: a TLS handshake followed by an incomplete LDAP request (or no request at all) is enough to park one worker thread for an unbounded time.
The operational impact is loss of the whole directory service rather than a single slow query. An unauthenticated attacker opens SSL/TLS connections and leaves each LDAP request incomplete, so the worker assigned to it blocks in the read and is never returned to the pool. Because a worker handles one request at a time, it takes only as many such connections as there are worker threads to stop the server from processing any legitimate request, and the condition persists for as long as the attacker keeps the connections open and can be re-established cheaply whenever they are dropped. Every user and application that depends on the directory, including authentication paths, is affected.
This vulnerability aligns with CWE-400, "Uncontrolled Resource Consumption": a missing timeout lets an untrusted client hold a bounded server resource (worker threads) indefinitely. In ATT&CK terms it maps to T1499.004, "Endpoint Denial of Service: Application or System Exploitation", where a software flaw is exploited to make the service unavailable. The underlying design error is that a protective control was applied to one connection type and silently omitted from another, so the encrypted path, which operators reasonably assume to be at least as well protected, was the weaker one. Organizations should update to version 1.4.1.3 or later; on unpatched versions the 'ioblocktimeout' setting cannot be made to cover TLS reads by configuration, so no tuning substitutes for the fix. After patching, confirm that nsslapd-ioblocktimeout is set to a value appropriate for the deployment, and monitor for exploitation attempts by watching the number of established LDAPS connections per source address and for worker-thread saturation (connections accepted but operations no longer completing).