A proof-of-concept (PoC) exploit has been released for a now-patched security flaw in the Windows Lightweight Directory Access Protocol (LDAP) that can be abused to cause a denial-of-service (DoS) condition.
The out-of-bounds read vulnerability is tracked as CVE-2024-49113 (CVSS score: 7.5). It was addressed by Microsoft as part of the December 2024 Patch Tuesday updates, alongside CVE-2024-49112 (CVSS score: 9.8), a critical integer overflow bug in the same component that could lead to remote code execution.
The discovery and reporting of both vulnerabilities is attributed to independent security researcher Yuki Chen (@guhe120).
The PoC for CVE-2024-49113, devised by SafeBreach Labs and codenamed LDAPNightmare, is designed to crash any unpatched Windows server "with no preconditions except that the victim DC's DNS server has Internet connectivity."
Specifically, the attack entails sending a DCE/RPC request to the victim server, which ultimately causes the Local Security Authority Subsystem Service (LSASS) to crash and forces a reboot once the server receives a specially crafted CLDAP referral response packet.
To make matters worse, the California-based cybersecurity company found that the same exploit chain can also be used to achieve remote code execution (CVE-2024-49112) by modifying the CLDAP packet.
While Microsoft's advisory for CVE-2024-49113 is light on technical details, the Windows maker has revealed that CVE-2024-49112 can be exploited by sending RPC requests from untrusted networks to execute arbitrary code in the context of the LDAP service.
"In the context of using a domain controller for an LDAP server, to succeed, an attacker must send specially crafted RPC calls to the target to trigger a lookup of the attacker's domain, which must be performed to succeed," Microsoft said.
"In the context of using an LDAP client application, to be successful, an attacker must convince or trick a victim to perform a domain controller lookup for the attacker's domain or connect to a malicious LDAP server. However, unauthenticated RPC calls will not succeed."
Additionally, an attacker could use an RPC connection to a domain controller to trigger domain controller lookup operations against the attacker's domain, the company noted.
To reduce the risk posed by these vulnerabilities, it is critical that organizations apply the December 2024 patches released by Microsoft. Where immediate patching is not possible, SafeBreach recommends that defenders "implement detection to monitor suspicious CLDAP referral responses (with a specific set of malicious values), suspicious DsrGetDcNameEx2 calls, and suspicious DNS SRV requests."
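The three detection points named above map directly onto the three legs of the chain described earlier: the RPC call that starts the DC lookup, the DNS SRV query the DC then issues for the attacker's domain, and the CLDAP response that comes back. The following is an added example of how those rules can be expressed as simple checks over constructed telemetry; it is not SafeBreach's or Microsoft's code. The JSON event layout, the field names, the trusted-domain list and the internal address ranges are all assumptions for illustration. Because the article does not reproduce the "specific set of malicious values" in the crafted referral, the CLDAP rule here flags any referral response arriving from outside the internal ranges rather than matching those values, which will need tuning in environments with external forest trusts.

```python
"""Toy detection rules for the three legs of the LDAPNightmare chain.

Added example (not from the article, SafeBreach or Microsoft). Event
format, field names, TRUSTED_DOMAINS and INTERNAL_NETS are assumptions.
"""
import ipaddress
import json

# Assumed environment: the forest's own domains and the address ranges
# treated as "trusted networks" for RPC callers and CLDAP peers.
TRUSTED_DOMAINS = {"corp.example", "child.corp.example"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def is_trusted_domain(name: str) -> bool:
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in TRUSTED_DOMAINS)


def srv_lookup_domain(qname: str):
    """Return the domain a DC-locator SRV query asks about, or None.

    Recognises _ldap._tcp.dc._msdcs.<domain> and _ldap._tcp.<domain>."""
    labels = qname.lower().rstrip(".").split(".")
    if labels[:4] == ["_ldap", "_tcp", "dc", "_msdcs"] and len(labels) > 4:
        return ".".join(labels[4:])
    if labels[:2] == ["_ldap", "_tcp"] and len(labels) > 2:
        return ".".join(labels[2:])
    return None


def evaluate(event: dict) -> list:
    """Return the reasons (possibly none) this event looks like part of the chain."""
    reasons = []
    kind = event.get("type")
    if kind == "rpc" and event.get("op") == "DsrGetDcNameEx2":
        # Leg 1: the RPC call that makes the DC look up a domain.
        if not is_internal(event["src"]):
            reasons.append("DsrGetDcNameEx2 from untrusted network")
        if not is_trusted_domain(event.get("domain", "")):
            reasons.append("DsrGetDcNameEx2 for non-forest domain")
    elif kind == "dns" and event.get("qtype") == "SRV":
        # Leg 2: the DC's own SRV query for a domain it should not be locating.
        target = srv_lookup_domain(event["qname"])
        if target is not None and not is_trusted_domain(target):
            reasons.append("DC-locator SRV query for non-forest domain")
    elif kind == "cldap":
        # Leg 3: a referral response reaching the DC from an external host.
        if event.get("referral") and not is_internal(event["src"]):
            reasons.append("CLDAP referral response from external host")
    return reasons


def scan(lines) -> list:
    """Evaluate JSON-lines events; return [(event id, reasons)] for hits."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        reasons = evaluate(event)
        if reasons:
            alerts.append((event["id"], reasons))
    return alerts


# Constructed sample telemetry (JSON lines); these are not real captures.
SAMPLE_LOG = """
{"id": 1, "type": "rpc", "op": "DsrGetDcNameEx2", "src": "203.0.113.7", "domain": "attacker.example"}
{"id": 2, "type": "rpc", "op": "DsrGetDcNameEx2", "src": "10.1.2.3", "domain": "corp.example"}
{"id": 3, "type": "dns", "qtype": "SRV", "qname": "_ldap._tcp.dc._msdcs.attacker.example."}
{"id": 4, "type": "dns", "qtype": "SRV", "qname": "_ldap._tcp.dc._msdcs.child.corp.example."}
{"id": 5, "type": "cldap", "src": "198.51.100.9", "dst": "10.1.2.10", "referral": true}
{"id": 6, "type": "cldap", "src": "10.1.2.11", "dst": "10.1.2.10", "referral": false}
"""

if __name__ == "__main__":
    for event_id, reasons in scan(SAMPLE_LOG.splitlines()):
        print(f"event {event_id}: {'; '.join(reasons)}")
```

Run against the constructed sample, events 1, 3 and 5 are flagged (one per leg of the chain) while the legitimate in-forest lookups and the internal CLDAP reply are not. In a real deployment the RPC leg would come from DC audit or EDR telemetry, the DNS leg from the DC's DNS client logs, and the CLDAP leg from network sensors watching UDP/389 inbound to domain controllers.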