A critical Microsoft Windows Lightweight Directory Access Protocol (LDAP) vulnerability has been discovered, identified as CVE-2024-49112. The flaw has a CVSS severity score of 9.8, representing a major threat to enterprise networks. Continue reading this Cybersecurity Threat Advisory to learn how to mitigate your risk.
What is the threat?
A zero-click Proof of Concept (PoC) exploit, dubbed “LDAP Nightmare”, has been released for CVE-2024-49112. It is capable of crashing any unpatched Windows Server (not limited to domain controllers), requiring only that the victim’s DNS server has Internet connectivity. This critical Windows Server vulnerability poses a significant threat to enterprise networks, especially those relying on Active Directory (AD) for authentication and management. The exploit enables Remote Code Execution (RCE) without authentication by abusing weaknesses in LDAP communications.
The PoC attack flow is as follows:
- The attacker sends a DCE/RPC request to the victim’s server machine.
- The victim queries the attacker’s DNS server for information.
- The attacker’s DNS server responds with the hostname of the attacker’s machine and an LDAP port.
- The victim sends a broadcast NBNS request to resolve the received hostname (the attacker’s machine) to an IP address.
- The attacker sends an NBNS response with its IP address.
- The victim becomes an LDAP client and sends a CLDAP request to the attacker’s machine.
- The attacker sends a CLDAP referral response packet with a specific value resulting in LSASS crashing and forcing a reboot of the victim server.
Why is this noteworthy?
The exploit starts with DNS SRV queries to locate the domain’s LDAP servers. Malicious actors manipulate NetBIOS and Connection-less LDAP (CLDAP) responses to gain a foothold in communication with the target server. The chain culminates in the delivery of a malicious LDAP referral response that crashes the Local Security Authority Subsystem Service (LSASS), allowing attackers to bypass authentication and execute arbitrary code remotely and causing significant disruption to unpatched systems.
What is the exposure or risk?
The release of this zero-click PoC highlights the serious threat this vulnerability poses to enterprise environments. The LSASS crash can render Domain Controllers inoperative, disrupting authentication and access to resources. Additionally, it enables attackers with a foothold to escalate privileges and launch further attacks.
Organizations that rely heavily on Active Directory are at significant risk, with potential consequences including downtime, data breaches, and lateral movement by adversaries.
What are the recommendations?
Barracuda recommends the following actions to protect your environment against this vulnerability:
- Apply Microsoft’s December 2024 Patch Tuesday patches immediately.
- Monitor for suspicious DNS SRV queries, CLDAP referral responses, and DsrGetDcNameEx2 calls until patching is complete.
- Implement network segmentation to isolate critical systems and services to limit the potential impact of an exploit.
- Conduct regular security audits and penetration testing to identify and remediate vulnerabilities in your environment.
References
For more in-depth information about the recommendations, please visit the following links:
- https://cybersecuritynews.com/poc-windows-ldap-rce-vulnerability/
- https://medium.com/@scottbolen/ldap-nightmare-zero-click-exploit-cve-2024-49112-rocks-windows-servers-patch-now-d8d1170140b1
- https://securityboulevard.com/2025/01/ldapnightmare-safebreach-labs-publishes-first-proof-of-concept-exploit-for-cve-2024-49112/
If you have any questions about this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.
This post originally appeared on Smarter MSP.