Full Report
A critical Microsoft Windows Lightweight Directory Access Protocol (LDAP) vulnerability has been discovered, identified as CVE-2024-49112. The flaw has a CVSS severity score of 9.8, representing a major threat to enterprise networks.
Analysis Summary
# Vulnerability: Critical Microsoft Windows LDAP RCE/Crash (LDAP Nightmare)
## CVE Details
- CVE ID: CVE-2024-49112
- CVSS Score: 9.8 (Critical)
- CWE: Not explicitly stated; related to input validation/handling weaknesses in the Windows LDAP protocol implementation.
## Affected Systems
- Products: Microsoft Windows Server
- Versions: Unspecified; applies to unpatched Windows Server instances, especially those relying on Active Directory.
- Configurations: Systems using Lightweight Directory Access Protocol (LDAP).
## Vulnerability Description
A critical vulnerability exists in the Microsoft Windows LDAP implementation that allows for Remote Code Execution (RCE) or, at minimum, a Denial of Service (DoS) resulting in a system crash/reboot. The exploit chain leverages manipulation of DNS SRV queries and subsequent malicious Connection-less LDAP (CLDAP) referral responses (Step 7 in the attack flow) delivered to the victim server. This malicious response packet specifically targets and causes a crash in the Local Security Authority Subsystem Service (LSASS) on the target server.
## Exploitation
- Status: A zero-click proof-of-concept (PoC) exploit, named "LDAP Nightmare", has been released.
- Complexity: Low (the zero-click nature of the PoC implies high exploitability).
- Attack Vector: Network (Requires victim's DNS server to have Internet connectivity).
## Impact
- Confidentiality: Potential for RCE allows for subsequent data exfiltration.
- Integrity: RCE allows for arbitrary code execution and privilege escalation.
- Availability: Direct impact via LSASS crash leading to forced server reboot and disruption of Domain Controller functions.
## Remediation
### Patches
- Apply Microsoft’s **December 2024 Patch Tuesday patches** immediately. (Specific patch numbers are not provided in the context).
### Workarounds
- Implement network segmentation to isolate critical systems and services (especially Domain Controllers) to limit the potential blast radius of an exploit.
## Detection
- **Indicators of Compromise:**
  - Suspicious DNS SRV queries targeting LDAP servers.
  - Observation of anomalous CLDAP referral responses directed toward the server.
  - System events showing crashes or reboots related to the LSASS service.
  - Network traffic capturing unexpected DsrGetDcNameEx2 calls related to the exploitation chain.
- **Detection methods and tools:**
  - Monitor network traffic for outbound DNS queries followed by targeted inbound CLDAP responses.
  - Perform regular security audits and penetration testing focused on AD infrastructure.
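The first detection method above (an outbound DNS SRV lookup for an LDAP service followed shortly by inbound CLDAP traffic from an unexpected peer) can be expressed as a simple correlation rule. The example below is added here and is not part of the original report or of any vendor tooling; the flow records, the internal address range and the 30-second window are constructed assumptions.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample flow records as seen from a domain controller (not real captures):
# (timestamp, direction relative to the DC, protocol, remote peer, remote port, description)
SAMPLE_FLOWS = [
    ("2024-12-27T10:00:00", "out", "udp", "10.0.0.53", 53, "DNS SRV _ldap._tcp.dc._msdcs.corp.test"),
    ("2024-12-27T10:00:01", "in", "udp", "198.51.100.77", 389, "CLDAP searchResEntry (referral)"),
    ("2024-12-27T10:02:00", "out", "udp", "10.0.0.53", 53, "DNS A www.corp.test"),
    ("2024-12-27T10:02:01", "in", "udp", "10.0.0.6", 389, "CLDAP netlogon ping response"),
    ("2024-12-27T11:00:00", "out", "udp", "10.0.0.53", 53, "DNS SRV _ldap._tcp.partner.test"),
    ("2024-12-27T11:00:00", "in", "udp", "10.0.0.6", 389, "CLDAP netlogon ping response"),
]

INTERNAL_NETS = [ip_network("10.0.0.0/8")]  # assumed internal address space for this example


def _is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_suspicious_cldap(flows, window_s=30):
    """Return one alert per inbound CLDAP flow (UDP, remote port 389) from a
    non-internal peer that arrives within window_s seconds after the DC sent
    a DNS SRV query for an _ldap._tcp name. CLDAP from internal DCs is the
    normal netlogon ping traffic and is ignored."""
    alerts = []
    srv_queries = [f for f in flows
                   if f[1] == "out" and f[4] == 53 and "SRV _ldap._tcp" in f[5]]
    for q in srv_queries:
        q_time = datetime.fromisoformat(q[0])
        deadline = q_time + timedelta(seconds=window_s)
        for f in flows:
            if f[1] != "in" or f[2] != "udp" or f[4] != 389 or _is_internal(f[3]):
                continue
            t = datetime.fromisoformat(f[0])
            if q_time <= t <= deadline:
                alerts.append({"srv_query": q[5], "cldap_peer": f[3],
                               "delay_s": (t - q_time).total_seconds(),
                               "cldap_info": f[5]})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_cldap(SAMPLE_FLOWS):
        print(alert)
```

In a real deployment the records would come from a flow collector or packet sensor in front of the domain controllers, and an alert should be cross-checked against LSASS crash or unexpected reboot events on the same host.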
## References
- Vendor advisories: (Implied Microsoft Security Update information covering December 2024)
- Relevant links (defanged):
  - hxxps://cybersecuritynews.com/poc-windows-ldap-rce-vulnerability/
  - hxxps://medium.com/@scottbolen/ldap-nightmare-zero-click-exploit-cve-2024-49112-rocks-windows-servers-patch-now-d8d1170140b1
  - hxxps://securityboulevard.com/2025/01/ldapnightmare-safebreach-labs-publishes-first-proof-of-concept-exploit-for-cve-2024-49112/