CVE-2024-45650 Overview
IBM Security Verify Directory versions 10.0 through 10.0.3 contain a denial-of-service vulnerability triggered through LDAP extended operations. A remote, unauthenticated attacker can send a crafted Lightweight Directory Access Protocol (LDAP) extended operation to cause the directory service to become unavailable. The flaw is tracked under CWE-754: Improper Check for Unusual or Exceptional Conditions.
The vulnerability affects availability only. Confidentiality and integrity of directory data are not impacted. IBM disclosed the issue through its IBM Support advisory.
Critical Impact
A remote unauthenticated attacker can disrupt identity and authentication services that depend on IBM Security Verify Directory by transmitting a single malformed LDAP extended operation.
Affected Products
- IBM Security Verify Directory 10.0
- IBM Security Verify Directory 10.0.1 through 10.0.2
- IBM Security Verify Directory 10.0.3
Discovery Timeline
- 2025-01-31 - CVE-2024-45650 published to NVD
- 2025-08-08 - Last updated in NVD database
Technical Details for CVE-2024-45650
Vulnerability Analysis
IBM Security Verify Directory is an LDAP directory server used for identity data storage and authentication. LDAP extended operations allow clients to invoke server-specific functions beyond the standard LDAP request set, defined in RFC 4511. The vulnerability resides in how the server processes these extended operation requests.
When the server receives a specific extended operation request, it fails to handle an exceptional condition correctly. This results in the service entering an unavailable state, halting authentication and directory lookups for dependent applications. Because directory services typically anchor enterprise authentication, downstream services such as single sign-on, mail, and Active Directory federation can fail in cascade.
Root Cause
The defect maps to CWE-754: Improper Check for Unusual or Exceptional Conditions. The directory server does not validate or recover from an exceptional state encountered while parsing or dispatching the LDAP extended operation. IBM has not published technical details about the specific extended operation OID or input pattern that triggers the failure.
Attack Vector
Exploitation requires only network access to the LDAP service port, typically TCP 389 or TCP 636 for LDAPS. No authentication or user interaction is required. An attacker sends an LDAP ExtendedRequest message containing a crafted operation OID or payload. The server then enters the unavailable state and stops responding to subsequent client requests.
No public proof-of-concept code or exploit module is available at the time of writing. Refer to the IBM Support advisory for vendor-supplied technical guidance.
Detection Methods for CVE-2024-45650
Indicators of Compromise
- Abrupt termination or unresponsiveness of the IBM Security Verify Directory service process following inbound LDAP traffic.
- LDAP error events or core dumps generated by the directory server immediately after receiving an ExtendedRequest message.
- Spikes in failed authentication events across dependent applications that rely on the directory for bind operations.
Detection Strategies
- Inspect LDAP traffic for ExtendedRequest messages from unexpected sources or with uncommon operation OIDs.
- Correlate directory service restarts or crashes with preceding inbound LDAP sessions in network and host telemetry.
- Enable verbose audit logging in IBM Security Verify Directory to capture extended operation requests and their result codes.
Monitoring Recommendations
- Alert on directory service downtime exceeding defined availability thresholds.
- Forward LDAP server logs and host metrics to a centralized SIEM for correlation with network flow data.
- Monitor for repeated TCP connections to ports 389 and 636 from sources outside approved administrative ranges.
How to Mitigate CVE-2024-45650
Immediate Actions Required
- Apply the fix described in the IBM Support advisory for IBM Security Verify Directory 10.0 through 10.0.3.
- Restrict network access to LDAP ports 389 and 636 so that only authorized application servers and administrative hosts can connect.
- Enable monitoring and automatic restart of the directory service to reduce downtime if the issue is triggered.
Patch Information
IBM has published remediation guidance on the IBM Support page for CVE-2024-45650. Administrators should upgrade IBM Security Verify Directory to a fixed version as indicated by IBM and validate the deployment in a staging environment before production rollout.
Workarounds
- Place IBM Security Verify Directory behind a network firewall or LDAP-aware proxy that filters or rate-limits ExtendedRequest operations.
- Deploy redundant directory instances behind a load balancer with health checks to maintain availability if one node fails.
- Limit LDAP exposure to internal management networks until the patch is applied.
# Example: restrict LDAP access to trusted subnets using iptables
iptables -A INPUT -p tcp --dport 389 -s 10.10.0.0/16 -j ACCEPT
iptables -A INPUT -p tcp --dport 636 -s 10.10.0.0/16 -j ACCEPT
iptables -A INPUT -p tcp --dport 389 -j DROP
iptables -A INPUT -p tcp --dport 636 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

