CVE-2021-3652 in 389-ds-base
Summary
by MITRE • 04/18/2022
A flaw was found in 389-ds-base. If an asterisk is imported as password hashes, either accidentally or maliciously, then instead of being inactive, any password will successfully match during authentication. This flaw allows an attacker to successfully authenticate as a user whose password was disabled.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 11/04/2025
The vulnerability identified as CVE-2021-3652 resides within the 389 Directory Server base implementation, specifically affecting how the system processes password hash values during authentication operations. This flaw represents a critical authentication bypass issue that fundamentally undermines the security controls designed to protect user accounts. The vulnerability manifests when an asterisk character is imported as a password hash value, either through accidental configuration errors or deliberate malicious intent. Under normal circumstances, password hashes serve as cryptographic representations that must match exactly during authentication attempts, but this flaw creates an anomalous condition where any input will validate successfully against an asterisk-based hash.
The technical mechanism behind this vulnerability stems from improper validation and handling of special characters within password hash processing within the 389-ds-base software. When an asterisk is stored as a password hash, the authentication subsystem fails to properly interpret this value and instead treats it as a wildcard or null match condition. This creates a scenario where the system's password verification logic becomes effectively disabled for accounts with asterisk-based hashes, allowing any password attempt to pass authentication checks. The flaw operates at the core authentication layer, bypassing standard password validation mechanisms and creating an unintended access path that should not exist under proper security implementation.
The operational impact of this vulnerability is severe and far-reaching, as it enables unauthorized authentication access to user accounts without requiring knowledge of legitimate passwords. An attacker who can manipulate or inject an asterisk as a password hash can effectively gain access to any account that has this malformed hash value, potentially compromising sensitive user data, system resources, and privileged accounts. This vulnerability directly violates the principle of least privilege and authentication integrity, as it allows attackers to impersonate legitimate users and potentially escalate their access within the directory service environment. The impact extends beyond simple account compromise to include potential lateral movement and privilege escalation within the broader network infrastructure that relies on 389-ds-base for authentication services.
Organizations utilizing 389-ds-base directory services face significant risk from this vulnerability, particularly those with extensive user base deployments or systems that depend on directory authentication for access control. The vulnerability's exploitation does not require advanced technical skills beyond basic understanding of the directory service configuration, making it accessible to a broad range of threat actors. Mitigation strategies should include immediate patching of affected systems, implementation of password hash validation procedures to prevent asterisk characters from being accepted as valid password hashes, and comprehensive audit of existing password hash values within the directory service. Additionally, monitoring systems should be enhanced to detect and alert on anomalous authentication patterns that might indicate exploitation attempts. This vulnerability aligns with CWE-287, which addresses improper authentication, and relates to ATT&CK technique T1078 for valid accounts, as it enables unauthorized access through compromised authentication mechanisms.