CVE-2024-49113 Detection: Windows LDAP Denial-of-Service Vulnerability aka LDAPNightmare Exploited via a Publicly Available PoC

January 17, 2025 · 4 min read

Hot on the heels of the first PoC exploit for CVE-2024-49112, a critical RCE vulnerability in Windows LDAP, another vulnerability in the same protocol implementation is causing a stir. CVE-2024-49113, a newly disclosed denial-of-service (DoS) vulnerability also known as LDAPNightmare, is hitting the headlines, followed by news that a publicly available PoC has been released. Once exploited, CVE-2024-49113 can disrupt the LDAP service, potentially causing service outages and enabling DoS attacks. Both CVE-2024-49112 and CVE-2024-49113 are considered critical due to LDAP’s broad use within Windows systems.

Detect CVE-2024-49113 aka LDAPNightmare Exploitation Attempts

As the primary database for managing users, computers, and resources in enterprise networks, Active Directory has long been a key component of organizational infrastructure, making it a prime target for cybercriminals. With recent estimates showing that Active Directory is involved in up to 90% of cyberattacks, security professionals must have access to reliable detection content to swiftly respond to threats like LDAPNightmare.

Rely on the SOC Prime Platform for collective cyber defense to obtain curated detection content on any active threat, backed by a complete product suite for advanced threat detection and hunting. By pressing the Explore Detections button below, you can immediately access the detection stack addressing CVE-2024-49113 exploitation attempts.

Explore Detections

All the rules are compatible with 30+ SIEM, EDR, and Data Lake technologies, mapped to the MITRE ATT&CK® framework, and enriched with detailed metadata, including attack timelines, threat intel references, and audit configuration tips.

CVE-2024-49113 aka LDAPNightmare Analysis

The SonicWall Capture Labs team has recently shed light on a new DoS vulnerability known as CVE-2024-49113, aka LDAPNightmare, with a CVSS score of 7.5.

If Windows 10, Windows 11, and Windows Server systems are not updated with the patches, an unauthenticated attacker can potentially crash the server by sending a malicious CLDAP (Connectionless Lightweight Directory Access Protocol) referral response. Given LDAP’s critical role in Active Directory Domain Controllers, vulnerabilities in the protocol can present significant security risks. The public disclosure of a PoC exploit on GitHub has increased the likelihood of CVE-2024-49113 attacks.

In addition to the risks of CVE-2024-49113 exploitation, attackers introduce further threats. Trend Micro researchers have also issued a warning regarding a fake PoC exploit for LDAPNightmare, intended to deceive defenders into downloading and executing information-stealing malware.

The CVE-2024-49113 exploit uses the DCE/RPC mechanism to reach the vulnerable functionality. The chain begins with a DCE/RPC bind request to the Windows server, followed by a DsrGetDcNameEx2 request containing the attacker-supplied domain name. The server then performs a DNS SRV query to locate the LDAP server for that domain and establish a connection. The DNS response provides the LDAP server’s hostname and port, prompting the Windows server to send a CLDAP request to that instance, which answers with the malformed referral.

The vulnerability stems from an out-of-bounds read flaw in the LdapChaseReferral function of wldap32.dll. This function redirects clients when the original LDAP server cannot fulfill a request. As a result, CVE-2024-49113 exploitation allows a remote attacker to cause a denial of service on the server.

Weaponizing the LDAPNightmare vulnerability requires the target to be an Active Directory Domain Controller with netlogon running. The attacker must have network access to send a DsrGetDcNameEx2 request with an adversary-owned domain, control the DNS response for that domain, and send a malformed referral, ultimately triggering a system reboot.

As a CVE-2024-49113 mitigation measure, Microsoft released a security advisory on December 10, 2024, prompting users to update their systems to the latest patched version. If immediate updates cannot be applied, researchers also recommend temporary workarounds, such as blocking internet connectivity for domain controllers or disabling inbound RPC from untrusted networks. In addition, organizations are advised to set up detections that monitor for suspicious CLDAP referral responses (carrying the specific malicious value), unusual DsrGetDcNameEx2 calls, and abnormal DNS SRV queries.

SOC Prime Platform for collective cyber defense provides progressive organizations with a cutting-edge product suite for advanced threat detection, automated threat hunting, and intelligence-driven detection engineering to smartly outscale cyber threats and elevate proactive defenses against vulnerability exploitation.
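The three detection signals listed above map directly onto the exploit chain described earlier (DsrGetDcNameEx2 call with a foreign domain, DNS SRV lookup for that domain, CLDAP traffic from the DC to an outside host). The following correlation logic is an added example, not SOC Prime's rule content or any vendor's schema: the event field names, the trusted-domain and internal-network lists, and the sample events are all constructed assumptions.

```python
"""Correlate the LDAPNightmare (CVE-2024-49113) chain over normalised event
records from a domain controller. A finding is raised only when all three
stages occur on the same host within a time window, which keeps ordinary
DC locator traffic for the organisation's own domains from firing."""
from ipaddress import ip_address, ip_network

TRUSTED_DOMAINS = {"corp.example"}                  # assumed: domains the org legitimately resolves
INTERNAL_NETS = [ip_network("10.0.0.0/8")]          # assumed: the org's internal address space

# Constructed sample events (not real telemetry); ts is seconds, fields are assumptions.
EVENTS = [
    {"ts": 100, "type": "rpc", "host": "DC01", "op": "DsrGetDcNameEx2", "domain": "corp.example"},
    {"ts": 101, "type": "dns", "host": "DC01", "qtype": "SRV", "query": "_ldap._tcp.corp.example"},
    {"ts": 200, "type": "rpc", "host": "DC01", "op": "DsrGetDcNameEx2", "domain": "untrusted-domain.test"},
    {"ts": 201, "type": "dns", "host": "DC01", "qtype": "SRV", "query": "_ldap._tcp.untrusted-domain.test"},
    {"ts": 203, "type": "net", "host": "DC01", "proto": "udp", "dst_ip": "203.0.113.7", "dst_port": 389},
]


def is_external(ip: str) -> bool:
    """True when the destination lies outside the assumed internal ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_ldapnightmare_chains(events, window=60):
    """Return (rpc, dns, net) triples completing the chain within `window` seconds."""
    events = sorted(events, key=lambda e: e["ts"])
    findings = []
    for rpc in events:
        if rpc["type"] != "rpc" or rpc["op"] != "DsrGetDcNameEx2":
            continue
        dom = rpc["domain"].lower()
        if dom in TRUSTED_DOMAINS:
            continue  # stage 1 only counts for a domain the org does not own
        # Stage 2: SRV lookup for the LDAP service of that foreign domain, same host, after the call.
        srv = next((e for e in events if e["type"] == "dns" and e["host"] == rpc["host"]
                    and e["qtype"] == "SRV" and e["query"].lower().endswith("." + dom)
                    and rpc["ts"] <= e["ts"] <= rpc["ts"] + window), None)
        if srv is None:
            continue
        # Stage 3: the DC itself talks CLDAP (UDP/389) to an external address after the lookup.
        cldap = next((e for e in events if e["type"] == "net" and e["host"] == rpc["host"]
                      and e["proto"] == "udp" and e["dst_port"] == 389 and is_external(e["dst_ip"])
                      and srv["ts"] <= e["ts"] <= srv["ts"] + window), None)
        if cldap is not None:
            findings.append((rpc, srv, cldap))
    return findings
```

The referral payload itself is not inspected here; matching the specific malicious value would require the packet contents, which this page does not reproduce.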
