Threat Actor: Unknown | unknown
Victim: Microsoft Windows Servers | Microsoft Windows Servers
Key Point :
- SafeBreach has developed exploit code for CVE-2024-49113, which can crash unpatched Windows Servers.
- The vulnerability can be exploited through a series of crafted requests that lead to a crash of the Local Security Authority Subsystem Service (LSASS).
- Microsoft has urged administrators to disconnect Domain Controllers from the internet to mitigate risks associated with the critical RCE flaw (CVE-2024-49112).
- Any unpatched Windows server, not just Domain Controllers, is vulnerable to this exploit.
- Administrators are advised to apply patches released on December 10 to address over 70 vulnerabilities, including this one.
SafeBreach has published proof-of-concept (PoC) exploit code targeting a recently resolved denial-of-service (DoS) vulnerability in Windows Lightweight Directory Access Protocol (LDAP).
The issue, tracked as CVE-2024-49113 (CVSS score of 7.5), was patched on December 10 along with a critical remote code execution (RCE) flaw in LDAP (CVE-2024-49112, CVSS score of 9.8).
Neither of the defects has been marked as exploited, but Microsoft warned that the RCE bug could allow unauthenticated attackers to execute arbitrary code using crafted LDAP calls, urging administrators to disconnect Domain Controllers from the internet to mitigate exposure.
SafeBreach, however, suggests that the DoS vulnerability should be given the same level of attention, as it can be exploited to crash unpatched Windows Server deployments if the DNS server of the target Domain Controller is connected to the internet.
The cybersecurity company, which provides a breach and attack simulation platform, has devised exploit code targeting CVE-2024-49113, but it could potentially be used against the RCE bug as well, with small modifications.
The attack flow starts with a DCE/RPC request to the target server, which responds with a DNS SRV query. After the attacker’s machine sends a DNS server response containing the hostname and LDAP port, the victim sends a broadcast NBNS request for the machine’s IP address and, after receiving the IP address, it becomes an LDAP client and sends a CLDAP request to the attacker.
Finally, the attacker sends a crafted CLDAP referral response packet that crashes the Local Security Authority Subsystem Service (LSASS) process and forces the victim server to reboot.
“We believe this same attack vector may be leveraged to achieve an RCE; the entire chain noted above, including the first six steps, should be similar, but the last CLDAP packet sent should be modified,” SafeBreach notes.
The cybersecurity firm points out that any unpatched Windows server, including those that are not Domain Controllers, can be crashed using this exploit, and that attackers could potentially achieve RCE afterwards.
SafeBreach says that CVE-2024-49113 is an integer overflow defect in wldap32.dll, a library that implements the LDAP client logic, and that its PoC code does not work against patched servers.
“While our research focused on the testing of a Windows Server 2022 (DC) and Windows server 2019 (non-DC), we believe this exploit path and PoC are applicable for any Windows Server version until the patch point,” the company notes.
Administrators are advised to apply the available patches as soon as possible. On December 10, Microsoft released fixes for over 70 vulnerabilities, including an exploited Windows zero-day.
Related: Russian APT Chained Firefox and Windows Zero-Days Against US and European Targets
Related: The Perilous Role of the CISO: Navigating Modern Minefields
Related: Critical Flaw in Jabber for Windows Could Lead to Code Execution
Related: Organizations Warned of Attacks Exploiting WSO2 Vulnerability