<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Sasl - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/sasl/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 07 Jul 2026 10:17:48 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/sasl/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-11610: 389 Directory Server SASL Heap Buffer Overflow Leading to DoS</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2026-11610-389ds-dos/</link><pubDate>Tue, 07 Jul 2026 10:17:48 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2026-11610-389ds-dos/</guid><description>A heap buffer overflow vulnerability (CVE-2026-11610) exists in the SASL I/O layer of 389 Directory Server (389-ds-base), active since version 1.3.2. An authenticated attacker can send a specially crafted, oversized LDAP UNBIND packet after a successful SASL bind with integrity protection. This causes approximately 2 megabytes of attacker-controlled data to overflow a 512-byte heap buffer in sasl_io_recv(), leading to a denial of service (server crash).</description><content:encoded><![CDATA[<p>A critical heap buffer overflow vulnerability, identified as CVE-2026-11610, has been discovered in the SASL I/O layer of 389 Directory Server (389-ds-base). This flaw allows an authenticated attacker to trigger a denial of service by sending a specially crafted, oversized LDAP UNBIND packet after successfully performing a SASL bind with integrity protection (SSF &gt; 0). The vulnerability stems from a lack of bounds checking when copying the packet into a 512-byte heap receive buffer, permitting an overflow of approximately 2 megabytes of attacker-controlled data, which causes the server to crash. This vulnerability has existed since 389-ds-base version 1.3.2, approximately 2013, making many older deployments susceptible. In FreeIPA and Red Hat Identity Management environments, any domain user with a valid Kerberos ticket, enrolled host, or service account can leverage this over the network after authenticating via GSSAPI, posing a significant threat to critical identity services.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access / Authentication</strong>: An attacker obtains valid credentials or a Kerberos ticket for a domain user, enrolled host, or service account within a FreeIPA or Red Hat Identity Management environment.</li>
<li><strong>SASL Bind</strong>: The authenticated attacker successfully performs a SASL bind to the 389 Directory Server, ensuring integrity protection (SSF &gt; 0) is established. This could involve GSSAPI authentication.</li>
<li><strong>Craft Malicious Packet</strong>: The attacker crafts an LDAP UNBIND packet with an intentionally oversized payload.</li>
<li><strong>Send Malicious Packet</strong>: The attacker sends the specially crafted, oversized LDAP UNBIND packet over the network to the vulnerable 389 Directory Server.</li>
<li><strong>Heap Buffer Overflow</strong>: The <code>sasl_io_recv()</code> function in <code>sasl_io.c</code> processes the oversized packet, attempting to copy it into a 512-byte heap receive buffer without performing adequate bounds checks.</li>
<li><strong>Memory Corruption</strong>: The lack of bounds checking allows approximately 2 megabytes of attacker-controlled data to overflow the small buffer, corrupting adjacent memory.</li>
<li><strong>Denial of Service</strong>: The memory corruption leads to an unhandled exception or critical error, causing the 389 Directory Server process to crash unexpectedly.</li>
<li><strong>Service Interruption</strong>: The 389 Directory Server becomes unavailable, leading to a denial of service for all dependent services, such as authentication and directory lookups in FreeIPA or Red Hat Identity Management deployments.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of CVE-2026-11610 results in a critical denial of service, causing the 389 Directory Server to crash and become unavailable. This directly impacts core identity management services, such as those provided by FreeIPA and Red Hat Identity Management deployments. A crashed directory server can disrupt user authentication, application access, and directory lookups across an entire organization, leading to widespread operational paralysis. This vulnerability can be triggered by any authenticated user or service account, making it a significant internal threat vector with a CVSS score of 8.8, indicating high severity.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-11610 on all affected 389 Directory Server instances (specifically 389-ds-base versions &gt;= 1.3.2) immediately to prevent denial of service.</li>
<li>Monitor 389 Directory Server system logs for unexpected process terminations or crashes, which could indicate exploitation of CVE-2026-11610 or other issues.</li>
<li>Implement robust network segmentation and access controls to limit network exposure of 389 Directory Server instances, reducing the attack surface for authenticated users.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>heap-overflow</category><category>denial-of-service</category><category>ldap</category><category>sasl</category><category>linux</category><category>cve</category></item></channel></rss>