Full Report
A proof-of-concept (PoC) exploit has been released for a now-patched security flaw impacting Windows Lightweight Directory Access Protocol (LDAP) that could trigger a denial-of-service (DoS) condition. The out-of-bounds read vulnerability is tracked as CVE-2024-49113 (CVSS score: 7.5). It was addressed by Microsoft as part of Patch Tuesday updates for December 2024, alongside CVE-2024-49112 (
Analysis Summary
# Vulnerability: Windows LDAP Out-of-Bounds Read Leading to DoS (LDAPNightmare)
## CVE Details
- CVE ID: CVE-2024-49113
- CVSS Score: 7.5 (High)
- CWE: Out-of-bounds Read (Implicit, based on description)
## Affected Systems
- Products: Windows Server (Specifically mentioning Domain Controllers running LDAP services)
- Versions: Unpatched versions prior to December 2024 Patch Tuesday.
- Configurations: Requires the victim Domain Controller's DNS server to have Internet connectivity for the exploit to function as described.
## Vulnerability Description
CVE-2024-49113 is a security flaw in the Windows Lightweight Directory Access Protocol (LDAP) implementation, described as an out-of-bounds read vulnerability. An attacker can exploit this by sending a specifically crafted DCE/RPC request. In the context of a Domain Controller (DC), this crafted request, delivered via a specially modified CLDAP referral response packet, causes the Local Security Authority Subsystem Service (LSASS) to crash, resulting in a denial-of-service (DoS) condition equivalent to a system reboot. This vulnerability was reported concurrently with CVE-2024-49112, a related RCE flaw.
## Exploitation
- Status: PoC available (LDAPNightmare, released by SafeBreach Labs)
- Complexity: Low (Implied by PoC release and low prerequisites)
- Attack Vector: Network
## Impact
- Confidentiality: Unknown (Not explicitly detailed for CVE-2024-49113 specifically, but related RCE vulnerability suggests potential compromise)
- Integrity: High (LSASS crash/System Reboot - Denial of Service)
- Availability: High (System crash/reboot of Domain Controllers)
## Remediation
### Patches
- Microsoft released fixes as part of the December 2024 Patch Tuesday updates for CVE-2024-49113. (Specific patch versions are not detailed in the article; consult the Microsoft advisory.)
### Workarounds
- No explicit workarounds are listed in the article beyond applying the official patch.
## Detection
- Indicators of compromise: System crashes or unexpected reboots on Windows Domain Controllers where the LSASS process terminates unexpectedly, potentially following network traffic containing unexpected DCE/RPC or CLDAP responses.
- Detection methods and tools: Monitoring network traffic for malformed DCE/RPC requests targeted at LDAP ports on Domain Controllers. Monitoring system logs for LSASS crashes following such activity.
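One way to act on the log-monitoring point above, as an added example that is not part of the original report: a PowerShell query that hunts a Domain Controller's event logs for LSASS terminations and correlates them with the unexpected reboot that follows. The event IDs and provider names it uses (Application Error 1000, Wininit 1015, EventLog 6008) are assumptions drawn from general Windows logging, not values taken from the report.

```powershell
# Added example, not from the report: look for LSASS failures on a Domain Controller and
# the forced reboot that follows (the DoS effect described for CVE-2024-49113).
# Event IDs below are assumptions from general Windows logging, not values from the report:
#   Application log, provider "Application Error", Id 1000 -> process crash record
#   System log, Id 1015 (Wininit: critical process failed), Id 6008 (unexpected shutdown)
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Days = 7
)
$since = (Get-Date).AddDays(-$Days)

# Application-level crash records that name lsass.exe as the faulting process
$appCrashes = @(Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000; StartTime = $since
} | Where-Object { $_.Message -match 'lsass\.exe' })

# System-level records: critical-process failure and unexpected shutdown
$sysEvents = @(Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'System'; Id = 1015, 6008; StartTime = $since
})
$criticalFail = @($sysEvents | Where-Object { $_.Id -eq 1015 -and $_.Message -match 'lsass\.exe' })
$reboots      = @($sysEvents | Where-Object { $_.Id -eq 6008 })

# Correlate each LSASS failure with an unexpected-shutdown record logged within 15 minutes.
# Event 6008 is written at the next boot, so its timestamp lands after the crash.
$failures = ($appCrashes + $criticalFail) | Sort-Object TimeCreated
foreach ($f in $failures) {
    $reboot = $reboots | Where-Object {
        $_.TimeCreated -gt $f.TimeCreated -and $_.TimeCreated -lt $f.TimeCreated.AddMinutes(15)
    } | Select-Object -First 1
    [pscustomobject]@{
        Computer       = $ComputerName
        LsassFailure   = $f.TimeCreated
        Source         = "$($f.ProviderName)/$($f.Id)"
        RebootFollowed = [bool]$reboot
        RebootLogged   = $(if ($reboot) { $reboot.TimeCreated })
    }
}
```

Run it against each Domain Controller (for example via `-ComputerName` from a management host with event-log read rights); a row with `RebootFollowed` set to true is the pattern the report describes and is worth pairing with network captures of CLDAP traffic from the same window.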
## References
- Vendor Advisories: Microsoft security advisory for CVE-2024-49113 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49113)
- Exploit/Research Links:
  - SafeBreach Labs PoC release (defanged): github.com/SafeBreach-Labs/CVE-2024-49113
  - SafeBreach Labs detailed analysis (defanged): www.safebreach.com/blog/ldapnightmare-safebreach-labs-publishes-first-proof-of-concept-exploit-for-cve-2024-49113/
  - Microsoft Patch Tuesday information referencing related CVE (defanged): thehackernews.com/2024/12/microsoft-fixes-72-flaws-including.html