Full Report
Hot on the heels of the release of the first PoC exploit for a critical RCE vulnerability in Windows LDAP, known as CVE-2024-49112, another vulnerability in the same protocol implementation in Windows environments is causing a stir. The discovery of CVE-2024-49113, a new denial-of-service (DoS) vulnerability also known as LDAPNightmare, is hitting the headlines […] The post CVE-2024-49113 Detection: Windows LDAP Denial-of-Service Vulnerability aka LDAPNightmare Exploited via a Publicly Available PoC appeared first on SOC Prime.
Analysis Summary
# Vulnerability: Windows LDAP Denial-of-Service Vulnerability (LDAPNightmare)
A Denial-of-Service (DoS) vulnerability exists in Windows LDAP services that allows an unauthenticated attacker to crash a server by sending a malicious CLDAP referral response.
## CVE Details
- CVE ID: CVE-2024-49113
- CVSS Score: 7.5 (High)
- CWE: Not stated in the source article; DoS flaws of this kind are typically classified as Improper Input Validation or Resource Management weaknesses.
## Affected Systems
- Products: Windows OS (Desktop and Server editions)
- Versions: Windows 10, Windows 11, and Windows Server OS (prior to receiving necessary updates)
- Configurations: Systems running LDAP services, particularly Active Directory Domain Controllers.
## Vulnerability Description
The vulnerability, dubbed "LDAPNightmare," resides in how Windows handles Connectionless Lightweight Directory Access Protocol (CLDAP) referral responses. An unauthenticated remote attacker can exploit this flaw by sending a specially crafted, malicious CLDAP referral response to the vulnerable system. Successful exploitation results in a Denial of Service, causing the affected server to crash.
## Exploitation
- Status: Exploited in the wild (the article notes the public disclosure of a PoC exploit on GitHub, which increases the potential for attacks)
- Complexity: Low (implied by the article's warning of broad threat potential following the PoC release)
- Attack Vector: Network (relies on sending protocol responses over the network)
## Impact
- Confidentiality: Undetermined (likely Low, as the only documented impact is DoS)
- Integrity: Undetermined
- Availability: High (directly leads to a server crash / Denial of Service)
## Remediation
### Patches
- Microsoft security updates addressing CVE-2024-49113 must be installed on Windows 10, Windows 11, and Windows Server installations. (The source summary confirms that updates exist but does not list specific KB numbers.)
### Workarounds
- No specific workarounds are detailed in the source summary. Hardening Domain Controllers and limiting the network exposure of LDAP services are general best practices that reduce the attack surface.
## Detection
- Indicators of Compromise (IoCs): No file or network IoCs are listed in the source. The observable to watch for is suspicious, malformed, or high volumes of CLDAP referral response packets directed at LDAP services.
- Detection Methods and Tools: Security monitoring solutions capable of inspecting LDAP traffic, or of correlating unexpected server crashes with external network activity targeting the LDAP/LDAPS ports.
## References
- Vendor advisories: SonicWall Capture Labs blog post covering the issue.
- Relevant links - defanged: hXXps://www.sonicwall.com/blog/windows-ldap-dos-vulnerability-cve-2024-49113-what-you-need-to-know-and-tips-for-staying-protected