
LDAPNightmare exploit crashes LSASS and forces a reboot of Windows domain controllers

On December 10th 2024, Yuki Chen (@guhe120) identified two LDAP vulnerabilities: a Remote Code Execution (RCE) flaw and a Denial of Service (DoS)/Information Leak issue.

Both vulnerabilities, which impact any Domain Controller (DC), were disclosed on the Microsoft Security Response Center (MSRC) website as part of the latest Patch Tuesday update.

The RCE vulnerability was designated CVE-2024-49112 and assigned a CVSS severity score of 9.8 out of 10, while the DoS vulnerability was labelled CVE-2024-49113.

At the time of disclosure, no public exploit or detailed write-up outlining the vulnerabilities or their exploitation methods had been released.

SafeBreach Labs developed a proof-of-concept exploit for CVE-2024-49113 that crashes any unpatched Windows Server (not just DCs) with no prerequisites other than the DNS server of the victim DC having Internet connectivity. They also believe this same attack vector may be leveraged to achieve RCE.

To reduce the risk associated with these vulnerabilities, organizations should promptly apply the December 2024 patches provided by Microsoft. If immediate patching is not feasible, it is recommended to “deploy detections to monitor for unusual CLDAP referral responses containing the specific malicious value, suspicious DsrGetDcNameEx2 calls, and anomalous DNS SRV queries.”
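To illustrate the "anomalous DNS SRV queries" detection suggested above, here is a small Python filter added for this post (it is not SafeBreach's or Microsoft's tooling) that flags DC-locator SRV lookups (`_ldap._tcp...`) made by a domain controller for domains outside the forest's trusted-domain list. The log line format, the `TRUSTED_DOMAINS` list and the sample lines are constructed assumptions for the example.

```python
import re

# Constructed sample of DNS query log lines as seen from a domain controller.
# The field layout is an assumption for this example, not real Windows DNS
# debug-log output; adapt LINE_RE to your own DNS logging format.
SAMPLE_DNS_LOG = """\
2024-12-12T10:01:02Z client=10.0.0.5 qtype=SRV qname=_ldap._tcp.dc._msdcs.corp.example.com
2024-12-12T10:01:03Z client=10.0.0.5 qtype=A qname=dc01.corp.example.com
2024-12-12T10:01:07Z client=10.0.0.5 qtype=SRV qname=_ldap._tcp.dc._msdcs.untrusted.example
2024-12-12T10:01:08Z client=10.0.0.5 qtype=SRV qname=_kerberos._tcp.corp.example.com
2024-12-12T10:02:11Z client=10.0.0.5 qtype=SRV qname=_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.corp.example.com
"""

# Domains a DC is legitimately expected to locate other DCs for (own forest and trusts).
TRUSTED_DOMAINS = {"corp.example.com", "partner.example.net"}

LINE_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) qtype=(?P<qtype>\S+) qname=(?P<qname>\S+)$")


def dc_locator_domain(qname):
    """Return the AD domain a DC-locator SRV name refers to, or None if qname is not one."""
    name = qname.lower().rstrip(".")
    if not name.startswith("_ldap._tcp."):
        return None
    rest = name[len("_ldap._tcp."):]
    # Strip the optional "<site>._sites." and "dc./gc./pdc._msdcs." locator prefixes.
    rest = re.sub(r"^[^.]+\._sites\.", "", rest)
    rest = re.sub(r"^(dc|gc|pdc)\._msdcs\.", "", rest)
    return rest


def is_trusted(domain, trusted=TRUSTED_DOMAINS):
    """True if domain is a trusted domain or a child of one."""
    return any(domain == t or domain.endswith("." + t) for t in trusted)


def find_anomalous_srv_queries(log_text, trusted=TRUSTED_DOMAINS):
    """Return DC-locator SRV queries whose target domain is outside the trusted set."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["qtype"].upper() != "SRV":
            continue
        domain = dc_locator_domain(m["qname"])
        if domain is None or is_trusted(domain, trusted):
            continue
        findings.append({"ts": m["ts"], "client": m["client"], "qname": m["qname"], "domain": domain})
    return findings


if __name__ == "__main__":
    for f in find_anomalous_srv_queries(SAMPLE_DNS_LOG):
        print(f"{f['ts']} {f['client']} DC-locator lookup for untrusted domain {f['domain']}: {f['qname']}")
```

A hit on a DC that should never be resolving locator records for foreign domains is worth correlating with CLDAP traffic to the resolved host and with DsrGetDcNameEx2 activity on that DC.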

You can use tools like the LdapNightmare PoC to test servers’ susceptibility to this exploit.

Microsoft article – CVE-2024-49113 – Security Update Guide – Microsoft – Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability

You can read more about this exploit here – LDAPNightmare: SafeBreach Publishes First PoC Exploit (CVE-2024-49113)

Jason Davies

I am one of the editors here at www.systemtek.co.uk. I am a UK-based technology professional, with an interest in computer security and telecoms.
