Vulnerability

LDAPNightmare, identified as CVE-2024-49113, is a denial-of-service (DoS) vulnerability in Microsoft’s Lightweight Directory Access Protocol (LDAP) implementation affecting various Windows versions. Discovered in December 2024 by security researcher Yuki Chen, this flaw allows remote, unauthenticated attackers to crash the Local Security Authority Subsystem Service (LSASS) on unpatched Windows servers, leading to system reboots. A related vulnerability, CVE-2024-49112, allows remote, unauthenticated attackers to execute arbitrary code within the context of the LDAP service by sending specially crafted Remote Procedure Call (RPC) requests.

On January 1, 2025, SafeBreach Labs released a proof-of-concept (PoC) exploit demonstrating how an attacker can crash any unpatched Windows Server by sending a specially crafted Connectionless LDAP (CLDAP) referral response packet. The PoC can be found here: https://github.com/SafeBreach-Labs/CVE-2024-49113

Microsoft addressed CVE-2024-49112 in its December 2024 Patch Tuesday updates. Organizations are strongly advised to apply these patches immediately to protect their systems from potential exploitation.

Detection

On January 8, 2025, a pull request was opened in the Sigma GitHub repository containing a potential detection opportunity. This Sigma rule focuses on crashes of the LSASS process involving WLDAP32.dll, as recorded in the Windows Application log (Event ID 1000).

This pull request can be found here: https://github.com/SigmaHQ/sigma/pull/5155
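As an added illustration, not code from this post or from the Sigma pull request, the following Python approximates the detection logic described above and runs it over a few constructed Application-log records. The message layout follows the standard Windows "Application Error" (Event ID 1000) text, and the matching conditions (Application log, Event ID 1000, lsass.exe as the faulting application, WLDAP32.dll as the faulting module) are assumed from the description rather than copied from the rule.

```python
import re

# Constructed sample Application-log records (not real telemetry). The message
# text mirrors the Windows "Application Error" (Event ID 1000) layout.
SAMPLE_EVENTS = [
    {"Channel": "Application", "EventID": 1000, "Provider": "Application Error",
     "Message": ("Faulting application name: lsass.exe, version: 10.0.20348.1, time stamp: 0x00000000\n"
                 "Faulting module name: WLDAP32.dll, version: 10.0.20348.1, time stamp: 0x00000000\n"
                 "Exception code: 0xc0000005")},
    {"Channel": "Application", "EventID": 1000, "Provider": "Application Error",
     "Message": ("Faulting application name: notepad.exe, version: 10.0.20348.1, time stamp: 0x00000000\n"
                 "Faulting module name: ntdll.dll, version: 10.0.20348.1, time stamp: 0x00000000\n"
                 "Exception code: 0xc0000005")},
    # A Windows Error Reporting record that mentions the same binaries but is
    # not Event ID 1000; the rule should ignore it.
    {"Channel": "Application", "EventID": 1001, "Provider": "Windows Error Reporting",
     "Message": "Fault bucket 1234567890, type 4\nEvent Name: APPCRASH\nP1: lsass.exe\nP6: WLDAP32.dll"},
]

# Captures "application" / "module" and the name that follows, up to the next comma.
FIELD_RE = re.compile(r"Faulting (application|module) name: ([^,\n]+)")


def parse_fault_fields(message: str) -> dict:
    """Extract the faulting application and module names from an Event 1000 message."""
    return {kind: name.strip() for kind, name in FIELD_RE.findall(message)}


def is_ldapnightmare_crash(event: dict) -> bool:
    """Assumed approximation of the Sigma logic: Application log, Event ID 1000,
    LSASS as the faulting application and WLDAP32.dll as the faulting module."""
    if event.get("Channel") != "Application" or event.get("EventID") != 1000:
        return False
    fields = parse_fault_fields(event.get("Message", ""))
    app = fields.get("application", "").lower()
    mod = fields.get("module", "").lower()
    return app.endswith("lsass.exe") and mod.endswith("wldap32.dll")


def find_suspicious_crashes(events) -> list:
    """Return every record that matches the LSASS/WLDAP32.dll crash pattern."""
    return [e for e in events if is_ldapnightmare_crash(e)]


if __name__ == "__main__":
    for e in find_suspicious_crashes(SAMPLE_EVENTS):
        print("ALERT: LSASS crash in WLDAP32.dll ->", e["Message"].splitlines()[0])
```

A matching event is a trigger for investigation, not proof of exploitation: correlate it with LDAP traffic to the host and with any unexpected reboot of the server.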

Mitigation

Apply the updates and patches provided by Microsoft in the December 2024 Patch Tuesday release. Also configure Extended Protection for Authentication (EPA) for LDAP, as recommended by Microsoft; this adds an additional security layer to help prevent exploitation.

This post will be updated as more information becomes available throughout the coming days.