What We Know About CVE-2024-49112 and CVE-2024-49113

In December 2024, two Windows Lightweight Directory Access Protocol (LDAP) vulnerabilities were identified by independent security researcher Yuki Chen: CVE-2024-49112, a remote code execution (RCE) flaw with a 9.8 CVSS score, and CVE-2024-49113, a denial-of-service (DoS) flaw with a 7.5 CVSS score. 

This blog entry provides an overview of these two vulnerabilities and includes information that IT and SOC professionals need to know. 

How attackers can exploit CVE-2024-49112

According to Microsoft, a remote unauthenticated attacker who successfully exploited CVE-2024-49112 would gain the ability to execute arbitrary code within the context of the LDAP service. Successful exploitation, however, is dependent upon what component is targeted. 

To succeed in exploiting a domain controller for an LDAP server, an attacker must send specially crafted Remote Procedure Call (RPC) calls to the target to trigger a lookup of the attacker’s domain to be performed.

To succeed in exploiting an LDAP client application, an attacker must trick the victim into performing a domain controller lookup for the attacker’s domain or into connecting to a malicious LDAP server. Unauthenticated RPC calls, however, would not succeed. 

How attackers can exploit CVE-2024-49113

SafeBreach Labs has published a proof-of-concept (PoC) exploit for CVE-2024-49113, codenamed LDAPNightmare. The PoC is designed to crash any unpatched Windows Server with no pre-requisites except that the DNS server of the victim domain controller has internet connectivity. 

The attack flow starts with sending a DCE/RPC request to the victim server, causing the Local Security Authority Subsystem Service (LSASS) to crash and force a reboot when an attacker sends a specially crafted Connectionless Lightweight Directory Access Protocol (CLDAP) referral response packet.

SafeBreach Labs has also found that the same exploit chain could be used to achieve RCE via CVE-2024-49112 by modifying the CLDAP packet. 

Which Windows versions are affected

Multiple Windows versions are affected by the two vulnerabilities.  Refer to the following MRSC pages to learn about the list of affected versions:  

How to protect against CVE-2024-49112 and CVE-2024-49113 exploitation

Both vulnerabilities have been patched by Microsoft as part of its Patch Tuesday updates for December 2024. It is imperative that organizations apply these patches immediately to be protected against attackers who may exploit these vulnerabilities to compromise their systems.  

Trend Micro customers can take advantage of Trend Vision One™ to stay up to date on the latest information on these vulnerabilities. Trend Vision One offers several post-exploitation detections and remediation technologies that can be used by customers to investigate and help with potential remediation in their environment. To learn more, visit Trend’s Knowledge Base article.

Trend customers can also access a range of Intelligence Reports and Threat Insights within Trend Vision One. Threat Insights helps customers stay ahead of cyber threats before they happen and be better prepared for emerging threats. It offers comprehensive information on threat actors, their malicious activities, and the techniques they use. Trend customers can access the Emerging Threats report for the LDAPNightmare PoC here: Critical LDAP Vulnerability (CVE-2024-49113) PoC Released

Furthermore, organizations should consider implementing the following best practices for general vulnerability exploit protection: 

• Patch management: Regularly updating and patching software, operating systems, and applications is the most effective method of preventing vulnerabilities from being exploited.
• Network segmentation: Isolating critical network segments from the broader network can reduce the impact of exploit-based attacks. 
• Regular security audits: Conducting security audits and vulnerability assessments can help uncover and address weaknesses in the infrastructure before they are exploited.
• Incident response plan: Creating, testing, and maintaining an incident response plan helps organizations respond swiftly and effectively to security breaches and exploit attempts.

Read More HERE