Alert essentials:
UPDATE: Proof-of-concept released!
The Windows Lightweight Directory Access Protocol (LDAP) client has three vulnerabilities, which, when chained together, result in complete system compromise.
An experienced hacker may use each flaw individually to elevate privileges and execute code. Patches are available and should be deployed immediately.
Detailed threat description:
Update: Researchers released a proof-of-concept tool for crashing Windows Servers, called LDAPNightmare.
The exploit is low in complexity and requires neither privileges nor user interaction. It provides execution of arbitrary code in the context of the LDAP service, and the only requirement for success with LDAPNightmare is internet connectivity to the DNS server of a Domain Controller (DC).
Exploiting this flaw could allow attackers to crash ALL unpatched Windows Servers, not just DCs. Devices remain vulnerable if RPC is enabled with open ports, putting Internet-exposed servers at heightened risk.
Additionally, this exploit allows attackers direct access to the victim’s authentication protocols, facilitating Credential Access and expediting their malicious objectives.
Flaws in the Windows Lightweight Directory Access Protocol (LDAP) client can execute arbitrary code with full privileges on impacted devices.
These vulnerabilities impact a broad range of Windows client and server versions going back to 2008. Devices still under support received patches in the December 2024 Patch Tuesday release.
CVE-2024-49112 could allow an unprivileged attacker to run arbitrary code on an Active Directory Server by sending a specialized set of LDAP calls to the server. This vulnerability affects LDAP clients and servers running an affected version of Windows.
A remote, unauthenticated attacker who successfully exploited this vulnerability would gain the ability to execute arbitrary code within the context of the LDAP service.
Using CVE-2024-49124, an unauthenticated attacker could send a specially crafted request that leverages a cryptographic protocol within Windows Kerberos to achieve remote code execution, ultimately running code in the context of the SYSTEM account.
While CVE-2024-49127 does not leverage a cryptographic protocol, it still allows threat actors to run code in the context of the SYSTEM account. Chained together, these vulnerabilities allow code execution with full permissions.
Deploy patches with caution, as administrators have experienced issues with self-service password resets (SSPR) involving Microsoft Entra Connect. Uninstalling the cumulative update does not roll back the patch’s changes, and SSPR remains broken.
If immediate patching is not an option, apply these mitigations temporarily until security patches can be deployed:
- Disable unused LDAP services: If LDAP is not actively used, shut it down until the patch is applied
- Restrict network access: Limit LDAP service access to specific, trusted IP ranges
- Enable detailed logging: Monitor LDAP logs for any signs of unusual activity
- Strengthen firewall rules: Block external access to LDAP services
- Deploy intrusion detection systems (IDS/IPS): Implement IDS/IPS rules to detect LDAP exploit attempts
- Audit LDAP traffic regularly: Conduct reviews of LDAP queries to detect suspicious patterns
Impacts on healthcare organizations:
An attacker could exploit these vulnerabilities to gain unauthorized access to a healthcare network’s systems, potentially compromising patient data and sensitive medical information.
Healthcare organizations must patch these vulnerabilities immediately and implement strong security measures to protect their networks.
Affected Products / Versions:
- Windows 10 Versions 1507, 1607, 1809, 21H2, and 22H2
- Windows 11 Versions 22H2, 22H3, 23H2, and 24H2
- Windows Server 2008 Service Pack 2 (including Server Core installation)
- Windows Server 2008 R2 Service Pack 1 (including Server Core installation)
- Windows Server 2012 (including Server Core installation)
- Windows Server 2012 R2
CVEs
- CVE-2024-49113 - CWE-125 - CVSS 7.5 - Denial of Service
- CVE-2024-49112 - CWE-190 - CVSS 9.8 - Remote Code Execution
- CVE-2024-49124 - CWE-362 - CVSS 8.1 - Remote Code Execution
- CVE-2024-49127 - CWE-416 - CVSS 8.1 - Remote Code Execution
KBs
5048652, 5048653, 5048654, 5048661, 5048667, 5048671, 5048676, 5048685, 5048695, 5048699, 5048703, 5048710, 5048735, 5048744, 5048794, 5048800
Recommendations
Engineering recommendations:
- In addition to applying the patches, Microsoft recommends that all Active Directory servers be configured to not accept Remote Procedure Calls (RPCs) from untrusted networks
- After applying the patch, verify your LDAP service configurations to ensure everything functions correctly
- Ensure that domain controllers are not configured to access the internet
- Verify domain controllers and servers do not allow inbound RPC from untrusted networks
- Regularly review logs and alerts for signs of exploitation attempts or unauthorized access, focusing on LDAP service activities
- Reduce exposure by segmenting critical systems and restricting external access to LDAP services
- Run the POC tool to identify vulnerable Windows Servers
- Implement network monitoring to detect suspicious CLDAP referral responses, DsrGetDcNameEx2 calls, and DNS SRV queries
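The following PowerShell script is an added example, not part of the advisory or any Microsoft tooling. It ties together the patch-verification recommendation above and the temporary mitigation of limiting LDAP access to trusted IP ranges: it checks whether one of the December 2024 cumulative updates from the KB list is installed and, if none is found, reports and optionally scopes the built-in Domain Controller LDAP firewall rules to trusted ranges. It assumes an elevated session on Windows Server 2012 or later (the NetSecurity cmdlets are not available on 2008/2008 R2), the default "Active Directory Domain Controller - ..." rule names, and that $TrustedRanges is replaced with your own address ranges.

```powershell
#Requires -RunAsAdministrator
param(
    # Placeholder trusted ranges; replace with the networks that legitimately need LDAP access
    [string[]]$TrustedRanges = @('10.0.0.0/8', '192.168.0.0/16'),
    # Without this switch the script only reports the current rule scope
    [switch]$ApplyFirewallScope
)

# KB numbers from the advisory's "KBs" list; exactly one applies per OS build
$DecemberKbs = @(5048652, 5048653, 5048654, 5048661, 5048667, 5048671, 5048676,
                 5048685, 5048695, 5048699, 5048703, 5048710, 5048735, 5048744,
                 5048794, 5048800) | ForEach-Object { "KB$_" }

# Get-HotFix lists installed updates by KB id; a match means the LDAP fix is present
$installed = Get-HotFix | Where-Object { $_.HotFixID -in $DecemberKbs }
if ($installed) {
    Write-Host "Patched: $($installed.HotFixID -join ', ') installed on $env:COMPUTERNAME"
    return
}
$os = (Get-CimInstance Win32_OperatingSystem).Caption
Write-Warning "No December 2024 LDAP fix found on $env:COMPUTERNAME ($os)"

# Temporary mitigation: restrict the DC's inbound LDAP, LDAPS and Global Catalog
# rules (TCP/UDP 389, 636, 3268, 3269) to trusted remote addresses only
$ldapRules = Get-NetFirewallRule -DisplayName 'Active Directory Domain Controller - *LDAP*' `
             -ErrorAction SilentlyContinue
if (-not $ldapRules) {
    Write-Warning 'Built-in LDAP rules not found; host may not be a DC or uses custom rule names'
    return
}
foreach ($rule in $ldapRules) {
    $current = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    Write-Host ("{0}: RemoteAddress currently {1}" -f $rule.DisplayName, ($current -join ', '))
    if ($ApplyFirewallScope) {
        # Scoping the existing allow rule is safer than adding a block rule, since block
        # rules take precedence over allow rules in Windows Firewall
        $rule | Set-NetFirewallRule -RemoteAddress $TrustedRanges -Enabled True
        Write-Host "  -> scoped to $($TrustedRanges -join ', ')"
    }
}
```

Run it without the switch first to confirm the host's patch state and the rules it would touch; re-run with -ApplyFirewallScope only on DCs that cannot be patched yet, and revert the scope once the update is installed.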
Leadership / Program recommendations:
- Ensure that security policies enforce the principle of least privilege, limiting user and service account permissions to the minimum necessary
- Strengthen your network monitoring to detect suspicious activities and ensure your incident response plan is up to date to address potential security breaches promptly
- Promote cybersecurity awareness among employees to prevent social engineering attacks that could exploit these vulnerabilities
References:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49113
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49112
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49124
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49127
- https://www.safebreach.com/blog/ldapnightmare-safebreach-labs-publishes-first-proof-of-concept-exploit-for-cve-2024-49113/
- POC tool (LdapNightmare): https://github.com/SafeBreach-Labs/CVE-2024-49113