Description: In OpenLDAP through 2.4.57 and 2.5.x through 2.5.1alpha, an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime.
Question: Has Centrify been affected by the above vulnerability? And when will Centrify be releasing a fix for this?
Answer: Centrify DirectControl agent a.k.a. adclient is not affected, but CentrifyDC-ldapproxy (slapd) is impacted.
Although the CVSS V3 score of 7.5 is relatively high, largely due to the low complexity requirement for the attack, the impact does NOT cause any privilege escalation, info disclosure or tampering; it only causes slapd to crash. CentrifyDC-ldapproxy is normally not exposed to external networks, as its main use case is to support the various filers. A slapd crash related to this vulnerability would be the result of a person on the internal network trying to cause a denial of service. Our recommendation is for customers to monitor systems for slapd crashes and investigate, should there be any.
We will upgrade CentrifyDC-ldapproxy (slapd) to OpenLDAP 2.4.57 with the patch in our upcoming Release 2021 / version 5.8.0, tentatively targeted for July 2021.
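A small log check matching the monitoring recommendation above, added here as an example and not part of the Centrify answer: it scans syslog lines for slapd assertion aborts and systemd exit notices for the proxy unit, and pairs each exit with the last client that connected on that host as a lead for the investigation. The unit name centrifydc-ldapproxy.service, the exact message formats and the sample log lines are assumptions constructed for the example.

```python
import re

# Constructed sample syslog excerpt (not from a real system). The assertion
# text imitates a glibc assert() abort in slapd; the unit name is assumed.
SAMPLE_LOG = """\
Jun 14 09:12:01 ldapproxy1 slapd[2231]: conn=1004 fd=12 ACCEPT from IP=10.0.5.17:51234 (IP=0.0.0.0:389)
Jun 14 09:12:01 ldapproxy1 slapd[2231]: slapd: schema_init.c: issuerAndThisUpdateCheck: Assertion failed.
Jun 14 09:12:01 ldapproxy1 systemd[1]: centrifydc-ldapproxy.service: Main process exited, code=dumped, status=6/ABRT
Jun 14 09:12:02 ldapproxy1 systemd[1]: centrifydc-ldapproxy.service: Scheduled restart job, restart counter is at 1.
Jun 14 09:30:44 ldapproxy1 slapd[2290]: conn=1005 fd=12 ACCEPT from IP=10.0.5.17:51301 (IP=0.0.0.0:389)
Jun 14 09:30:45 ldapproxy1 systemd[1]: centrifydc-ldapproxy.service: Main process exited, code=dumped, status=6/ABRT
Jun 14 10:00:00 ldapproxy1 slapd[2350]: conn=1006 fd=12 ACCEPT from IP=10.0.9.2:40022 (IP=0.0.0.0:389)
"""

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                       r"(?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$")
ASSERT_RE = re.compile(r"\bAssertion\b.*\bfailed\b")
EXIT_RE = re.compile(r"Main process exited, code=\w+, status=(?P<status>\S+)")
ACCEPT_RE = re.compile(r"ACCEPT from IP=(?P<ip>[0-9a-fA-F.:]+):\d+")

def find_slapd_crashes(log_text, service="centrifydc-ldapproxy.service"):
    """One finding per slapd exit: the assertion text if slapd logged one,
    and the last client that connected on that host (an investigation lead,
    not proof of cause, since a crash need not come from the last connection)."""
    findings, last_peer, pending = [], {}, {}
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        host, prog, msg = m["host"], m["prog"], m["msg"]
        if prog == "slapd":
            a = ACCEPT_RE.search(msg)
            if a:
                last_peer[host] = a["ip"]
            elif ASSERT_RE.search(msg):
                pending[host] = msg          # expect a systemd exit notice next
        elif prog == "systemd" and msg.startswith(service + ":"):
            e = EXIT_RE.search(msg)
            if e:
                findings.append({"ts": m["ts"], "host": host, "status": e["status"],
                                 "reason": pending.pop(host, "no assertion logged"),
                                 "last_peer": last_peer.get(host)})
    return findings

if __name__ == "__main__":
    for f in find_slapd_crashes(SAMPLE_LOG):
        print(f)
```

Repeated exits on one host with the same last peer are the pattern worth escalating; a single exit with no assertion text may simply be an ordinary restart.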