A proof-of-concept (PoC) exploit has been released for a now-patched security flaw affecting Windows Lightweight Directory Access Protocol (LDAP) that could trigger a denial-of-service (DoS) condition.
The out-of-bounds read vulnerability is tracked as CVE-2024-49113 (CVSS score: 7.5). It was addressed by Microsoft as part of Patch Tuesday updates for December 2024, alongside CVE-2024-49112 (CVSS score: 9.8), a critical integer overflow flaw in the same component that could lead to remote code execution.
Credited with discovering and reporting both vulnerabilities is independent security researcher Yuki Chen (@guhe120).
The CVE-2024-49113 PoC devised by SafeBreach Labs, codenamed LDAPNightmare, is designed to crash any unpatched Windows Server "with no pre-requisites except that the DNS server of the victim DC has Internet connectivity."
Specifically, it involves sending a DCE/RPC request to the victim server, ultimately causing the Local Security Authority Subsystem Service (LSASS) to crash and force a reboot when a specially crafted CLDAP referral response packet is sent.
Worse, the California-based cybersecurity company found that the same exploit chain could also be leveraged to achieve remote code execution (CVE-2024-49112) by modifying the CLDAP packet.
Microsoft's advisory for CVE-2024-49113 is light on technical details, but the Windows maker has revealed that CVE-2024-49112 could be exploited by sending RPC requests from untrusted networks to execute arbitrary code within the context of the LDAP service.
"In the context of exploiting a domain controller for an LDAP server, to be successful an attacker must send specially crafted RPC calls to the target to trigger a lookup of the attacker's domain to be performed in order to be successful," Microsoft said.
"In the context of exploiting an LDAP client application, to be successful an attacker must convince or trick the victim into performing a domain controller lookup for the attacker's domain or into connecting to a malicious LDAP server. However, unauthenticated RPC calls would not succeed."
Additionally, an attacker could use an RPC connection to a domain controller to trigger domain controller lookup operations against the attacker's domain, the company noted.
To mitigate the risk posed by these vulnerabilities, it's essential that organizations apply the December 2024 patches released by Microsoft. In situations where immediate patching is not possible, it's recommended to "implement detections to monitor suspicious CLDAP referral responses (with the specific malicious value set), suspicious DsrGetDcNameEx2 calls, and suspicious DNS SRV queries."
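One way to act on that detection guidance, as an added example that is not from the article, SafeBreach or Microsoft: rather than alerting on any one noisy stage, it correlates the three stages named above (a DsrGetDcNameEx2 call, the DC locator SRV query it triggers, and a CLDAP referral response) per domain over constructed log events. The event fields, the trusted-domain list and the 30-second window are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data, not real telemetry: the DC's own forest namespace.
TRUSTED_DOMAINS = {"corp.example"}
SRV_PREFIX = "_ldap._tcp.dc._msdcs."  # DC locator SRV record prefix
CHAIN = {"dsrgetdcname", "dns_srv", "cldap_referral"}

@dataclass
class Event:
    ts: float       # seconds
    stage: str      # "dsrgetdcname" | "dns_srv" | "cldap_referral"
    name: str       # domain in the RPC call, SRV query name, or referral target
    peer: str = ""  # remote host involved, if any (assumed field)

def normalize_domain(name: str) -> str:
    """Reduce an SRV query name or referral target to its bare domain."""
    d = name.lower().rstrip(".")
    if d.startswith(SRV_PREFIX):
        d = d[len(SRV_PREFIX):]
    return d

def is_untrusted(domain: str) -> bool:
    """Anything outside the forest's own namespaces should not be looked up."""
    return not any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)

def correlate(events, window=30.0):
    """Alert when a DsrGetDcNameEx2 call for an untrusted domain is followed within
    `window` seconds by both a DNS SRV query and a CLDAP referral response naming
    that same domain. Returns (domain, peer of the initiating RPC call) tuples."""
    by_domain = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        d = normalize_domain(e.name)
        if is_untrusted(d):
            by_domain[d].append(e)
    alerts = []
    for domain, evs in by_domain.items():
        for start in (e for e in evs if e.stage == "dsrgetdcname"):
            seen = {e.stage for e in evs if start.ts <= e.ts <= start.ts + window}
            if CHAIN <= seen:  # all three stages present -> full chain observed
                alerts.append((domain, start.peer))
                break
    return alerts

SAMPLE_EVENTS = [  # constructed events: benign, incomplete chain, full chain
    Event(100.0, "dsrgetdcname", "corp.example", "10.0.0.5"),
    Event(100.2, "dns_srv", SRV_PREFIX + "corp.example"),
    Event(150.0, "dsrgetdcname", "partner.invalid", "10.0.0.9"),
    Event(150.4, "dns_srv", SRV_PREFIX + "partner.invalid"),
    Event(200.0, "dsrgetdcname", "attacker.invalid", "203.0.113.7"),
    Event(200.3, "dns_srv", SRV_PREFIX + "attacker.invalid"),
    Event(201.0, "cldap_referral", "attacker.invalid", "198.51.100.9"),
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))  # [('attacker.invalid', '203.0.113.7')]
```

A lookup of an untrusted domain that never reaches the referral stage (the partner.invalid events) is deliberately not alerted on, which keeps ordinary trust or typo lookups out of the queue.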