A proof-of-concept (PoC) exploit has been released for a now-patched security flaw affecting Windows Lightweight Directory Access Protocol (LDAP) that could trigger a denial-of-service (DoS) condition.
The out-of-bounds read vulnerability is tracked as CVE-2024-49113 (CVSS score: 7.5). It was addressed by Microsoft as part of the Patch Tuesday updates for December 2024, alongside CVE-2024-49112 (CVSS score: 9.8), a critical integer overflow flaw in the same component that could result in remote code execution.
Independent security researcher Yuki Chen (@guhe120) is credited with discovering and reporting both vulnerabilities.
The CVE-2024-49113 PoC devised by SafeBreach Labs, codenamed LDAPNightmare, is designed to crash any unpatched Windows Server “with no pre-requisites except that the DNS server of the victim DC has Internet connectivity.”
Specifically, it involves sending a DCE/RPC request to the victim server, ultimately causing the Local Security Authority Subsystem Service (LSASS) to crash and force a reboot when a specially crafted CLDAP referral response packet is sent.
Worse, the California-based cybersecurity company found that the same exploit chain could also be leveraged to achieve remote code execution (CVE-2024-49112) by modifying the CLDAP packet.
Microsoft’s advisory for CVE-2024-49113 is light on technical details, but the Windows maker has revealed that CVE-2024-49112 could be exploited by sending RPC requests from untrusted networks to execute arbitrary code within the context of the LDAP service.
“In the context of exploiting a domain controller for an LDAP server, to be successful an attacker must send specially crafted RPC calls to the target to trigger a lookup of the attacker’s domain to be performed in order to be successful,” Microsoft stated.
“In the context of exploiting an LDAP client application, to be successful an attacker must convince or trick the victim into performing a domain controller lookup for the attacker’s domain or into connecting to a malicious LDAP server. However, unauthenticated RPC calls would not succeed.”
Additionally, an attacker could use an RPC connection to a domain controller to trigger domain controller lookup operations against the attacker’s domain, the company noted.
To mitigate the risk posed by these vulnerabilities, it is essential that organizations apply the December 2024 patches released by Microsoft. In situations where immediate patching is not possible, it is recommended to “implement detections to monitor suspicious CLDAP referral responses (with the specific malicious value set), suspicious DsrGetDcNameEx2 calls, and suspicious DNS SRV queries.”
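As an added illustration of the third detection above (not code from SafeBreach or Microsoft): the exploit chain relies on the victim DC performing a DC-locator lookup for the attacker's domain, which surfaces as a DNS SRV query of the form `_ldap._tcp.<role>._msdcs.<domain>`. The script below flags such queries for domains outside the organisation's trust set. The log line format and all domain names are constructed assumptions, not a real Windows DNS log format.

```python
import re
from dataclasses import dataclass

# Constructed, simplified DNS query log: "<date> <time> <client_ip> <qtype> <qname>".
# Not a real Windows DNS debug-log layout; adapt the LINE_RE to your collector's format.
SAMPLE_DNS_LOG = """\
2024-12-27 10:00:01 10.0.0.5 SRV _ldap._tcp.dc._msdcs.corp.example
2024-12-27 10:00:02 10.0.0.5 SRV _kerberos._tcp.corp.example
2024-12-27 10:00:03 10.0.0.5 A www.example.com
2024-12-27 10:00:04 10.0.0.5 SRV _ldap._tcp.dc._msdcs.attacker-controlled.test
2024-12-27 10:00:05 10.0.0.7 SRV _ldap._tcp.pdc._msdcs.partner.example
"""

# Domains the forest is expected to locate DCs for (own domains plus trusted forests).
TRUSTED_DOMAINS = {"corp.example", "partner.example"}

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<client>\S+) (?P<qtype>\S+) (?P<qname>\S+)$")
# DC-locator SRV names look like _ldap._tcp.<site or role>._msdcs.<domain>
DCLOC_RE = re.compile(r"^_ldap\._tcp\.(?:[^.]+\.)*_msdcs\.(?P<domain>.+?)\.?$", re.I)


@dataclass
class Alert:
    ts: str
    client: str
    domain: str
    qname: str


def is_trusted(domain, trusted_domains):
    """True if the domain is a trusted domain or a child of one."""
    return domain in trusted_domains or any(
        domain.endswith("." + t) for t in trusted_domains)


def find_suspicious_dc_lookups(log_text, trusted_domains):
    """Return an Alert for every DC-locator SRV query aimed at an untrusted domain."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["qtype"].upper() != "SRV":
            continue
        d = DCLOC_RE.match(m["qname"])
        if not d:
            continue  # SRV query, but not a DC-locator lookup
        domain = d["domain"].lower()
        if not is_trusted(domain, trusted_domains):
            alerts.append(Alert(m["ts"], m["client"], domain, m["qname"]))
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_dc_lookups(SAMPLE_DNS_LOG, TRUSTED_DOMAINS):
        print(f"{a.ts} {a.client} DC-locator lookup for untrusted domain {a.domain} ({a.qname})")
```

A hit from a domain controller is a strong signal only when correlated with the other two indicators the advisory lists (an unexpected DsrGetDcNameEx2 call and the CLDAP referral response that follows).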