Windows LDAP Remote Code Execution Vulnerability

CVE-2024-49112 is a Critical RCE vulnerability affecting the Windows LDAP Client with a CVSS score of 9.8. This vulnerability could allow an unprivileged attacker to run arbitrary code on an Active Directory Server by sending a specialized set of LDAP calls to the server.

Microsoft recommends that all Active Directory servers be configured to not accept Remote Procedure Calls (RPCs) from untrusted networks in addition to patching this vulnerability. Due to the ease of exploitation and the significant risk this vulnerability poses to the Active Directory environment, it should be mitigated and patched quickly.

Affected Systems

-

IoCs

-

Recommended Solution(s)

  • Is there any action a customer can take to protect against this vulnerability if they are unable to apply the update?
    Ensure that domain controllers are configured either to not access the internet or to not allow inbound RPC from untrusted networks. While either mitigation will protect your system from this vulnerability, applying both configurations provides an effective defense-in-depth against this vulnerability.
  • RPC and LDAP are published externally through SSL. What does this mitigation mean in the context of external network connectivity?
    Applying the mitigations will decrease the risk of an attacker successfully convincing or tricking a victim into connecting to a malicious server. If a connection is made, the attacker could send malicious requests to the target over SSL.
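
One way to check the inbound-RPC mitigation on a domain controller, as an added example that is not part of the original advisory or Microsoft's guidance. It assumes Windows Defender Firewall is the enforcement point on the host and only reads the local rule set; perimeter firewalls need a separate review.

```powershell
# Added example: list enabled inbound "allow" rules that expose RPC on this host,
# and mark those with no remote-address scoping (RemoteAddress = Any).
# Run in an elevated PowerShell session on the domain controller.

$findings = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow) {
    $portFilter = $rule | Get-NetFirewallPortFilter

    # RPC runs over TCP; a rule with Protocol 'Any' also admits it.
    if ($portFilter.Protocol -notin 'TCP', 'Any') { continue }

    # LocalPort holds keywords or numbers:
    #   'RPCEPMap' = RPC endpoint mapper, 'RPC' = RPC dynamic ports,
    #   '135'      = endpoint mapper given numerically, 'Any' = every port.
    # Rules that open the dynamic range as explicit numbers are not matched
    # here and should be reviewed by hand.
    $localPorts = @($portFilter.LocalPort)
    if (-not ($localPorts | Where-Object { $_ -in 'RPC', 'RPCEPMap', '135', 'Any' })) { continue }

    $remote = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)

    [pscustomobject]@{
        Rule          = $rule.DisplayName
        Profile       = $rule.Profile
        LocalPort     = $localPorts -join ','
        RemoteAddress = $remote -join ','
        Unscoped      = [bool]($remote -contains 'Any')   # reachable from any source
    }
}

# Unscoped rules first: these accept RPC from every network the host can be reached on.
$findings | Sort-Object -Property @{ Expression = 'Unscoped'; Descending = $true }, Rule |
    Format-Table -AutoSize -Wrap
```

Rules reported with `Unscoped = True` are the ones to restrict to trusted management and domain networks; scoped rules still need their `RemoteAddress` values compared against what the environment considers trusted.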

Mitigations

-

CVE / CWE

CVE-2024-49112

Related Website(s)

* Vulnerabilities with a CVSS 3.1 score between 7.0 and 8.9 are evaluated to be “high” whereas vulnerabilities with a CVSS 3.1 score between 9.0 and 10.0 are evaluated to be “critical”.