LDAPS encryption downgrade attack vulnerability

Assigning CNA: MITRE

MITRE CVE-2023-35833

Initial Reporter: This vulnerability was responsibly reported to Y Soft by Wouter Arts and Geert Braakhekke from WTH Security BV.

Affected Versions: All YSoft SAFEQ 6 Server versions 6.0.81 and lower.


Base Score Metrics

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Changed

Impact Metrics:
Confidentiality: High
Integrity: High
Availability: High

Temporal Score Metrics

Exploit Code Maturity: Functional exploit exists
Remediation Level: Official fix
Report Confidence: Confirmed


Executive Summary 


An issue was discovered in YSoft SAFEQ 6 Server. When modifying the URL of the LDAP server configuration from LDAPS to LDAP, the system does not require the password to be (re)entered. This results in exposing cleartext credentials when connecting to a rogue LDAP server.


Description of the attack


The nature of the attack is detailed below.

  1. The attack scenario involves an existing secure SAFEQ environment using LDAPS.
  2. An unsecured rogue LDAP service is set up by the attacker.
  3. The attacker manipulates (social engineers) a legitimate SAFEQ admin into connecting to the rogue LDAP service instead of using LDAPS.
  4. Subsequently, the attacker gains the ability to read the connection account information of the actual customer's LDAPS server.


It is crucial to note that any admin using LDAP instead of LDAPS inadvertently leaks user information to the network, because plain LDAP carries the bind credentials and directory data unencrypted. We strongly advise customers to refrain from using LDAP if they wish to maintain a secure environment. SAFEQ only needs READ permissions on the access account, so any such read-only account can be used in the same attack.



The bugfix is that we now delete the stored password from the UI when the configured URL is changed from LDAPS to LDAP, so the admin must knowingly re-enter it before the new connection is used. However, the bugfix alone does not prevent an attacker from sniffing user information if they manage to force the admin to connect to their rogue LDAP server, since plain LDAP remains unencrypted.
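To make the fix concrete, the following added example (written for this advisory, not Y Soft's code) shows a settings-update handler that implements the hardened behaviour described above: when an admin edits the LDAP URL, the handler refuses plain ldap:// unless explicitly allowed, and it drops the stored bind password whenever the scheme is downgraded from ldaps:// to ldap:// or the target host or port changes, so the old secret cannot be replayed to a different endpoint. The vulnerable behaviour from the attack description is simply keeping the password regardless of the new URL. All class and function names, and the sample hostnames, are hypothetical.

```python
"""Hardened LDAP connection-settings update (added example, hypothetical names).

Vulnerable behaviour: keep bind_password unchanged no matter what the URL
becomes, so a downgrade to ldap:// sends the existing secret in cleartext.
Hardened behaviour implemented here:
  * plain ldap:// is refused unless the caller explicitly opts in;
  * a scheme downgrade (ldaps -> ldap) or a change of host/port clears the
    stored password, forcing the admin to re-enter it knowingly.
"""
from dataclasses import dataclass, replace
from typing import Optional, Tuple
from urllib.parse import urlparse


class PlaintextLdapRejected(ValueError):
    """Raised when a plain ldap:// URL is submitted without explicit opt-in."""


@dataclass(frozen=True)
class LdapSettings:
    url: str
    bind_dn: str
    bind_password: Optional[str]  # None means "must be (re)entered"


def _endpoint(url: str) -> Tuple[str, str, int]:
    """Normalise an LDAP URL to (scheme, lowercase host, port)."""
    parsed = urlparse(url)
    if parsed.scheme not in ("ldap", "ldaps") or not parsed.hostname:
        raise ValueError(f"unsupported LDAP URL: {url!r}")
    default_port = 636 if parsed.scheme == "ldaps" else 389
    return parsed.scheme, parsed.hostname.lower(), parsed.port or default_port


def update_ldap_settings(current: LdapSettings, new_url: str, *,
                         allow_plaintext: bool = False) -> LdapSettings:
    """Return the settings to store after an admin edits the directory URL."""
    old_scheme, old_host, old_port = _endpoint(current.url)
    new_scheme, new_host, new_port = _endpoint(new_url)

    if new_scheme == "ldap" and not allow_plaintext:
        raise PlaintextLdapRejected(
            "ldap:// sends the bind password in cleartext; use ldaps://")

    downgraded = old_scheme == "ldaps" and new_scheme == "ldap"
    retargeted = (old_host, old_port) != (new_host, new_port)
    if downgraded or retargeted:
        # The secret was entered for a different, encrypted endpoint; do not
        # carry it over. The UI must ask for it again.
        return replace(current, url=new_url, bind_password=None)
    return replace(current, url=new_url)


if __name__ == "__main__":
    # Constructed sample configuration for a local demonstration.
    current = LdapSettings("ldaps://dc01.example.test",
                           "cn=safeq-reader,dc=example,dc=test", "s3cret")
    downgraded = update_ldap_settings(current, "ldap://dc01.example.test",
                                      allow_plaintext=True)
    print("password retained after downgrade:",
          downgraded.bind_password is not None)
```

Requiring the re-entry does not make plain LDAP safe; it only stops the silent reuse of a credential that was entered for an encrypted endpoint, which is exactly the gap the advisory closes.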



To secure your system, we recommend updating to the latest available build (Build 82 and newer), where this issue is resolved.