A proof-of-concept (PoC) exploit has been released for a recently patched Windows LDAP security vulnerability that could cause system-wide denial-of-service attacks. The vulnerability, identified as CVE-2024-49113 with a CVSS score of 7.5, was discovered alongside a more severe flaw (CVE-2024-49112, CVSS 9.8) by security researcher Yuki Chen.
SafeBreach Labs developed the exploit, dubbed “LDAPNightmare,” which can crash unpatched Windows Server systems, requiring only that the victim’s DNS server has Internet connectivity. The attack works by sending a specially crafted DCE/RPC request that causes the Local Security Authority Subsystem Service (LSASS) to crash, forcing a system reboot.
The more critical vulnerability, CVE-2024-49112, can be exploited for remote code execution by modifying the CLDAP packet. Microsoft confirmed that attackers could execute arbitrary code within the LDAP service context by sending RPC requests from untrusted networks.
Key Attack Requirements:
– Sending specially crafted RPC calls to target systems
– Triggering lookups to attacker-controlled domains
– For client-side attacks, user interaction or connection to malicious LDAP servers
Recommended Mitigations:
1. Apply Microsoft’s December 2024 security patches immediately
2. Monitor for suspicious CLDAP referral responses
3. Track unusual DsrGetDcNameEx2 calls
4. Watch for suspicious DNS SRV queries
Organizations are strongly advised to implement these security measures to protect against potential exploits.
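The DNS SRV lookups named in the mitigations above are the DNS-side footprint of a DsrGetDcNameEx2 call steered by a CLDAP referral: the domain controller asks for `_ldap._tcp.*` records of a domain it does not belong to. As an added defensive example (not code from the article or from SafeBreach), the following Python scans a DNS query log for such lookups and flags any whose target domain lies outside the organisation’s own Active Directory domains; the log layout, the sample lines and the trusted-domain set are all constructed assumptions for this example.

```python
import re
from collections import Counter

# Constructed sample DNS query log in a simplified "time client qtype qname"
# layout (an assumption for this example, not any real server's log format).
SAMPLE_LOG = """\
2025-01-03T10:00:01Z 10.0.0.5 SRV _ldap._tcp.dc._msdcs.corp.example
2025-01-03T10:00:02Z 10.0.0.5 A fileserver.corp.example
2025-01-03T10:00:03Z 10.0.0.5 SRV _ldap._tcp.dc._msdcs.evil-referral.test
2025-01-03T10:00:04Z 10.0.0.5 SRV _ldap._tcp.evil-referral.test.
2025-01-03T10:00:05Z 10.0.0.7 SRV _kerberos._tcp.corp.example
2025-01-03T10:00:06Z 10.0.0.5 SRV _LDAP._TCP.Branch.Corp.Example
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
# The DC locator asks for _ldap._tcp.dc._msdcs.<domain>; strip that well-known
# prefix when present so the remaining labels are the domain being located.
LDAP_SRV_RE = re.compile(r"^_ldap\._tcp\.(?:dc\._msdcs\.)?(.+)$", re.IGNORECASE)

def parse_line(line):
    """Return (client, qtype, qname) or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group(2), m.group(3).upper(), m.group(4).lower().rstrip(".")

def ldap_srv_domain(qname):
    """Domain being located if qname is an LDAP SRV record name, else None."""
    m = LDAP_SRV_RE.match(qname)
    return m.group(1) if m else None

def is_trusted(domain, trusted):
    # True if domain is one of our AD domains or a child domain of one.
    return any(domain == t or domain.endswith("." + t) for t in trusted)

def find_suspicious_ldap_srv(log_text, trusted_domains):
    """Count LDAP SRV lookups per (client, domain) for domains we do not own.
    A DC resolving _ldap._tcp.* for a foreign domain is the DNS footprint of a
    DsrGetDcNameEx2 call steered toward an untrusted CLDAP referral."""
    trusted = {t.lower().rstrip(".") for t in trusted_domains}
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[1] != "SRV":
            continue
        client, _qtype, qname = rec
        domain = ldap_srv_domain(qname)
        if domain and not is_trusted(domain, trusted):
            hits[(client, domain)] += 1
    return sorted(hits.items())
```

Calling `find_suspicious_ldap_srv(SAMPLE_LOG, {"corp.example"})` on the constructed log reports one finding, two lookups from 10.0.0.5 for evil-referral.test, while the lookups for corp.example and its child domain are ignored.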