Alert essentials:

The Windows Lightweight Directory Access Protocol (LDAP) client has three vulnerabilities, which, when chained together, result in complete system compromise.

An experienced hacker may use each flaw individually to elevate privileges and execute code. Patches are available and should be deployed immediately.


Detailed threat description:

Three remote code execution flaws in the Windows Lightweight Directory Access Protocol (LDAP) client allow an attacker to execute arbitrary code with full privileges on affected devices.

These vulnerabilities affect a broad range of Windows client and server versions going back to 2008. Devices still under support received patches in the December 2024 Patch Tuesday release.

CVE-2024-49112 could allow an unprivileged attacker to run arbitrary code on an Active Directory server by sending a specially crafted set of LDAP calls to it. This vulnerability affects both LDAP clients and servers running an affected version of Windows.

A remote, unauthenticated attacker who successfully exploited this vulnerability would gain the ability to execute arbitrary code within the context of the LDAP service.

With CVE-2024-49124, an unauthenticated attacker could send a specially crafted request that leverages a cryptographic protocol within Windows Kerberos to execute remote code, ultimately running code in the context of the SYSTEM account.

While CVE-2024-49127 doesn’t leverage a cryptographic protocol, it still allows threat actors to run code in the context of the SYSTEM account.

When chained together, these three vulnerabilities can allow code execution with unrestricted permissions. While no public exploits have been detected yet, security experts anticipate that active exploitation could occur soon, given the ease of exploitation and the significant risk these vulnerabilities pose to enterprise environments. Patches must therefore be applied as soon as possible.


Impacts on healthcare organizations:

An attacker could exploit these vulnerabilities to gain unauthorized access to a healthcare network’s systems, potentially compromising patient data and sensitive medical information.

Healthcare organizations must patch these vulnerabilities immediately and implement strong security measures to protect their networks.


Affected Products / Versions:

  • Windows 10 Versions 1507, 1607, 1809, 21H2, and 22H2
  • Windows 11 Versions 22H2, 22H3, 23H2, and 24H2
  • Windows Server 2008 Service Pack 2 (including Server Core installation)
  • Windows Server 2008 R2 Service Pack 1 (including Server Core installation)
  • Windows Server 2012 (including Server Core installation)


CVEs

  • CVE-2024-49112 – CWE-190 – CVSS 9.8 – Remote Code Execution
  • CVE-2024-49124 – CWE-362 – CVSS 8.1 – Remote Code Execution
  • CVE-2024-49127 – CWE-416 – CVSS 8.1 – Remote Code Execution


KBs

5048652, 5048653, 5048654, 5048661, 5048667, 5048671, 5048676, 5048685, 5048695, 5048699, 5048703, 5048710, 5048735, 5048744, 5048794, 5048800


Recommendations

Engineering recommendations:

  • In addition to applying the patches, Microsoft recommends that all Active Directory servers be configured not to accept Remote Procedure Calls (RPCs) from untrusted networks
  • Ensure that domain controllers are not configured to access the internet
  • Verify domain controllers and servers do not allow inbound RPC from untrusted networks
  • Regularly review logs and alerts for signs of exploitation attempts or unauthorized access, focusing on LDAP service activities
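The following PowerShell script is an added example (not part of the advisory or a Microsoft tool) that supports two of the engineering recommendations above: it checks whether any of the December 2024 KBs listed in this advisory is installed on the local host, and lists enabled inbound firewall rules that allow RPC from any remote address. It assumes it is run as an administrator on a Windows host with the NetSecurity module available (Windows 8 / Server 2012 or later); the function names are the example's own.

```powershell
# Added example, not from the advisory. Run as Administrator.

# KB numbers copied from the advisory's KB list; at most one of them applies
# to a given OS build, so a match on any of them means the host is patched.
$LdapKbs = @(5048652, 5048653, 5048654, 5048661, 5048667, 5048671, 5048676,
             5048685, 5048695, 5048699, 5048703, 5048710, 5048735, 5048744,
             5048794, 5048800)

function Test-LdapPatchInstalled {
    # Get-HotFix reports installed updates with HotFixID values like "KB5048652".
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $matched = @(foreach ($kb in $LdapKbs) {
        if ($installed -contains "KB$kb") { "KB$kb" }
    })
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Patched      = ($matched.Count -gt 0)
        MatchedKBs   = ($matched -join ',')
    }
}

function Get-OpenInboundRpcRules {
    # Enabled inbound Allow rules whose local port is the RPC endpoint mapper
    # (135), the RPC dynamic range, and whose remote address scope is 'Any',
    # i.e. RPC reachable from untrusted networks. An empty result is good.
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        ForEach-Object {
            $rule = $_
            $port = $rule | Get-NetFirewallPortFilter
            $addr = $rule | Get-NetFirewallAddressFilter
            $rpcPort = ($port.Protocol -eq 'TCP') -and
                       (($port.LocalPort -contains '135') -or
                        ($port.LocalPort -contains 'RPC') -or
                        ($port.LocalPort -contains 'RPC-EPMap'))
            if ($rpcPort -and ($addr.RemoteAddress -contains 'Any')) {
                [pscustomobject]@{
                    Name          = $rule.DisplayName
                    Profile       = $rule.Profile
                    LocalPort     = ($port.LocalPort -join ',')
                    RemoteAddress = ($addr.RemoteAddress -join ',')
                }
            }
        }
}

Test-LdapPatchInstalled | Format-List
Get-OpenInboundRpcRules | Format-Table -AutoSize
```

An unpatched host, or any rule returned by Get-OpenInboundRpcRules, should be followed up by applying the relevant KB and scoping the rule's RemoteAddress to trusted management subnets.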


Leadership/Program recommendations:

  • Ensure that security policies enforce the principle of least privilege, limiting user and service account permissions to the minimum necessary
  • Strengthen your network monitoring to detect suspicious activities and ensure your incident response plan is up to date to address potential security breaches promptly
  • Promote cybersecurity awareness among employees to prevent social engineering attacks that could exploit these vulnerabilities

Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.

