
Exploit Proof-of-Concept Released for LDAP CVE-2024-49112

A proof-of-concept (PoC) exploit has been released for a now-patched security flaw impacting Windows Lightweight Directory Access Protocol (LDAP) that could trigger a denial-of-service (DoS) condition. The out-of-bounds read vulnerability is tracked as CVE-2024-49113 (CVSS score: 7.5).

Summary 

OEM: Microsoft
Severity: Critical
CVSS: 9.8
CVEs: CVE-2024-49112
Exploited in Wild: Yes
Patch/Remediation Available: Yes
Advisory Version: 1.1

Overview 

A critical exploit proof-of-concept (PoC) has been published for a previously disclosed vulnerability, CVE-2024-49112, within the Windows Lightweight Directory Access Protocol (LDAP) service. Dubbed “LDAP Nightmare,” this vulnerability enables Remote Code Execution (RCE) on unpatched Windows Servers, including Domain Controllers (DCs). This vulnerability was originally disclosed during Microsoft’s December 2024 Patch Tuesday.

Its severity, with a CVSS score of 9.8, underscores its significant impact on enterprise environments. Organizations are urged to take immediate remediation steps to prevent exploitation. 

Vulnerability Name: Unauthenticated Remote Code Execution in Windows LDAP
CVE ID: CVE-2024-49112
Product Affected: Windows Server
Severity: Critical

Technical Summary 

The exploitation of CVE-2024-49112 involves a zero-click attack leveraging the LDAP protocol to execute arbitrary code or crash Windows Servers by targeting the Local Security Authority Subsystem Service (LSASS). The PoC released by SafeBreach Labs demonstrates how attackers can manipulate LDAP responses to crash or compromise unpatched systems. Key technical details are as follows: 

CVE ID: CVE-2024-49112
System Affected: All unpatched versions of Windows Server and Windows 10 and 11
Vulnerability Details: An integer overflow in LDAP-related code allows remote, unauthenticated exploitation via crafted RPC and LDAP queries. Exploitation requires only that the target can reach the Internet for DNS interactions; no authentication is needed.
Impact: RCE or system crash

Exploit Details: 

  1. An attacker sends a DCE/RPC request to the target server. 
  2. The target queries the attacker’s DNS server for domain information. 
  3. The attacker manipulates NetBIOS and CLDAP responses to redirect the target server to a malicious LDAP server. 
  4. A crafted LDAP referral response crashes LSASS, forcing a system reboot. 

Remediation: To mitigate the risk posed by this vulnerability, it’s essential that organizations apply the patches released by Microsoft. In situations where immediate patching is not possible, it’s advised to “implement detections to monitor suspicious CLDAP referral responses.”

  • Apply Patches: Immediately deploy Microsoft’s December 2024 Patch Tuesday update to affected systems. 
  • Monitor Activity: Implement detection mechanisms for: 
      • Suspicious CLDAP referral responses with malicious values. 
      • Unusual DsrGetDcNameEx2 calls. 
      • Anomalous DNS SRV queries. 
  • Testing: Use the SafeBreach PoC tool from their GitHub repository to assess the effectiveness of the patch, at your own risk. 
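The three monitoring bullets above can be turned into concrete rules. The following is an added example written for this advisory, not code from SafeBreach or Microsoft: it runs three checks over constructed key=value log lines of the kind a DNS/LDAP sensor might emit (the line format, the sample lines, the allow-lists TRUSTED_DOMAINS and TRUSTED_DC_HOSTS, and the DSR_CALL_THRESHOLD value are all assumptions that must be adapted to your own forest). A CLDAP referral that points to a host outside the known domain controllers, an _ldap._tcp SRV lookup for a domain that is not one of yours, or a burst of DsrGetDcNameEx2 calls from one client each produce a finding.

```python
"""Added example: detection rules for the three CVE-2024-49112 monitoring bullets.
Not from the advisory, SafeBreach or Microsoft. Log format, sample lines,
allow-lists and threshold are constructed assumptions for illustration."""
import re
from collections import Counter
from dataclasses import dataclass

# Assumed site-specific allow-lists: the org's own AD domain(s) and its DCs.
TRUSTED_DOMAINS = {"corp.example"}
TRUSTED_DC_HOSTS = {"dc1.corp.example", "dc2.corp.example"}
# Assumed baseline: more DsrGetDcNameEx2 calls than this from one client
# within the analysed window is reported as unusual.
DSR_CALL_THRESHOLD = 3

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Finding:
    rule: str
    src: str
    detail: str


def parse_event(line: str) -> dict:
    """Parse one constructed key=value event line into a dict."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def domain_is_trusted(name: str) -> bool:
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in TRUSTED_DOMAINS)


def check_cldap_referral(ev: dict):
    """Rule 1: CLDAP referral whose LDAP URL points outside the known DCs."""
    if ev.get("proto") != "CLDAP" or ev.get("type") != "referral":
        return None
    m = re.match(r"ldap://([^/:]+)", ev.get("ref", ""), re.IGNORECASE)
    host = m.group(1).lower() if m else ""
    if host in TRUSTED_DC_HOSTS:
        return None
    return Finding("cldap_referral_untrusted_host", ev.get("src", "?"),
                   f"referral to {ev.get('ref', '<none>')}")


def check_dns_srv(ev: dict):
    """Rule 3: _ldap._tcp SRV lookup for a domain that is not ours."""
    if ev.get("proto") != "DNS" or ev.get("qtype") != "SRV":
        return None
    qname = ev.get("qname", "")
    if not qname.lower().startswith("_ldap._tcp."):
        return None
    # Strip the SRV service labels to recover the domain being located.
    domain = re.sub(r"^_ldap\._tcp\.(dc\._msdcs\.)?", "", qname, flags=re.IGNORECASE)
    if domain_is_trusted(domain):
        return None
    return Finding("dns_srv_untrusted_domain", ev.get("src", "?"), f"SRV lookup for {qname}")


def check_dsr_rate(events: list) -> list:
    """Rule 2: too many DsrGetDcNameEx2 RPC calls from a single client."""
    counts = Counter(ev.get("src", "?") for ev in events
                     if ev.get("type") == "rpc" and ev.get("op") == "DsrGetDcNameEx2")
    return [Finding("dsr_getdcnameex2_burst", src, f"{n} calls in window")
            for src, n in counts.items() if n > DSR_CALL_THRESHOLD]


def analyze(lines) -> list:
    """Run all three rules over raw log lines and return the findings."""
    events = [parse_event(l) for l in lines if l.strip()]
    findings = []
    for ev in events:
        for check in (check_cldap_referral, check_dns_srv):
            f = check(ev)
            if f:
                findings.append(f)
    findings.extend(check_dsr_rate(events))
    return findings


# Constructed sample: benign DC-locator traffic from 10.0.0.5, then a client
# at 203.0.113.7 whose traffic trips all three rules.
SAMPLE_LOG = """\
ts=1 src=10.0.0.5 proto=DNS qtype=SRV qname=_ldap._tcp.dc._msdcs.corp.example
ts=2 src=10.0.0.5 proto=CLDAP type=referral ref=ldap://dc1.corp.example/DC=corp,DC=example
ts=3 src=10.0.0.5 type=rpc op=DsrGetDcNameEx2 domain=corp.example
ts=4 src=203.0.113.7 proto=DNS qtype=SRV qname=_ldap._tcp.dc._msdcs.untrusted.test
ts=5 src=203.0.113.7 proto=CLDAP type=referral ref=ldap://lds.untrusted.test/DC=x
ts=6 src=203.0.113.7 type=rpc op=DsrGetDcNameEx2 domain=untrusted.test
ts=7 src=203.0.113.7 type=rpc op=DsrGetDcNameEx2 domain=untrusted.test
ts=8 src=203.0.113.7 type=rpc op=DsrGetDcNameEx2 domain=untrusted.test
ts=9 src=203.0.113.7 type=rpc op=DsrGetDcNameEx2 domain=untrusted.test
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f"{f.rule:32} src={f.src:14} {f.detail}")
```

The rules are deliberately allow-list based: a DC should only ever be referred to, or look up SRV records for, domains it already trusts, so anything else is worth an alert regardless of what the referral value looks like. Tune DSR_CALL_THRESHOLD against your own baseline before relying on the rate rule.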

Conclusion: 

The release of a PoC for CVE-2024-49112 significantly heightens the risk of exploitation. SafeBreach’s research underscores the vulnerability’s potential to compromise enterprise networks, including complete domain resource control or critical infrastructure disruption. With Microsoft’s patch available, organizations must prioritize patching and deploy monitoring strategies to safeguard against exploitation. For more information, refer to SafeBreach’s GitHub repository and detailed technical findings. 
