Cato CTRL Threat Brief: CVE-2024-49112 and CVE-2024-49113 – Windows LDAP Vulnerabilities (“LDAPBleed” and “LDAPNightmare”)
![LDAPNightmare or LDAPBleed? Cato Networks protects against the latest LDAP vulnerabilities (CVE-2024-49112 and CVE-2024-49113)](https://www.catonetworks.com/wp-content/uploads/2025/01/LDAPNightmare-or-LDAPBleed_-blog.png)
Executive Summary
In a world where dozens of CVEs are published every day, there are vulnerabilities, and there are vulnerabilities. The latest Microsoft Windows LDAP (Lightweight Directory Access Protocol) vulnerabilities, which were named not once but twice ("LDAPBleed" and "LDAPNightmare"), clearly belong on the shortlist of new and dangerous CVEs.
CVE-2024-49112, a remote code execution (RCE) vulnerability known as "LDAPBleed", and CVE-2024-49113, a denial of service (DoS) vulnerability known as "LDAPNightmare", affect multiple Windows Server versions. They were reported to Microsoft by security researcher Yuki Chen (@guhe120 on X) and fixed in Microsoft's December 2024 Patch Tuesday release. On January 1, 2025, the SafeBreach Labs research team published a Proof of Concept (PoC) that demonstrates the DoS path against an unpatched server. Cato CTRL has replicated the exploitation chain and has developed protections to block this attack vector.
Cato-deployed intrusion prevention system (IPS) signatures in the Cato SASE Cloud Platform block this attack, protecting all Cato-connected edges – sites, remote users, and cloud resources.
Technical Overview
Affected Versions of Microsoft Windows
Root Cause
The root cause lies in the Windows LDAP client's handling of a crafted LDAP referral response: an integer overflow in the referral-processing code leads to an out-of-bounds read. Depending on how the read is triggered, the result is a crash of the process hosting the LDAP client (DoS, CVE-2024-49113) or, potentially, remote code execution (CVE-2024-49112).
Vulnerability Overview
In December 2024, security researcher Yuki Chen identified and reported two critical vulnerabilities, CVE-2024-49112 (Windows LDAP RCE, CVSS score 9.8) and CVE-2024-49113 (Windows LDAP DoS, CVSS score 7.5), to the Microsoft Security Response Center (MSRC). Both vulnerabilities live in Microsoft's built-in LDAP client library (wldap32.dll), a cornerstone of Active Directory-based networks. Note that it is the client side that is vulnerable: the victim is a Windows host that can be induced to send an LDAP query to a server the attacker controls.
To better understand these vulnerabilities, let’s first recall the star of the show: LDAP is a core protocol for managing directory services. It is widely used in enterprise networks for centralized authentication, authorization, and resource management. It is integral to Active Directory (AD), enabling efficient querying and management of users, groups, and devices. Given its central role in identity and access management (IAM), any vulnerability in LDAP can be highly dangerous and potentially expose sensitive data or grant control to threat actors over critical systems, underscoring the need for robust security measures.
The SafeBreach PoC shows that the vulnerabilities exploit LDAP's referral mechanism, a feature by which a directory server redirects a query to another directory server that holds the requested data. By manipulating the LDAP referral response, which is sent by an attacker-controlled malicious LDAP server, the attacker triggers the integer overflow in the targeted Windows host (typically a domain controller). The attacker cannot simply push this response at the victim; the victim must first be made to act as an LDAP client and query the attacker's server. To achieve that, the exploit code first sends a Netlogon request (over DCE/RPC) to the targeted host, which causes it to look up the attacker's domain and send an LDAP request to the attacker's LDAP server. The malicious LDAP server then delivers the crafted referral response, triggering the vulnerability. Two network observations follow from this chain: the attack needs inbound DCE/RPC reachability to the victim, and it needs the victim to be able to reach an untrusted LDAP server outbound.
Public Exploitation
No indications of exploitation attempts targeting Cato customers have been found so far. Cato CTRL reproduced the attack chain in our labs: the DoS is readily reproducible with the public PoC, while achieving full RCE proved difficult.
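The DoS variant crashes the LSASS process on the victim, which forces a reboot (this side effect is described in the SafeBreach write-up, not on this page). A defender can therefore hunt for successful DoS attempts by looking for LSASS crash events on domain controllers. The following PowerShell script is an added hunting example, not code from the Cato post or from SafeBreach; it assumes the ActiveDirectory module is available and that remote event-log access (RPC) to the domain controllers is permitted from the host it runs on. The lookback window and the use of `Get-ADDomainController` to enumerate targets are choices made for this example.

```powershell
# Added example: hunt for LSASS crashes on domain controllers, the observable
# side effect of the LDAPNightmare DoS. Not code from the Cato post.
# Assumptions: ActiveDirectory module present; remote event-log access to the DCs.
param(
    [int]$LookbackHours = 72   # assumed window; widen for a first sweep
)

$since = (Get-Date).AddHours(-$LookbackHours)

# Enumerate every DC in the domain. Replace with an explicit hostname list
# if the ActiveDirectory module is not installed where this runs.
$dcs = (Get-ADDomainController -Filter *).HostName

foreach ($dc in $dcs) {
    # Application log, Event ID 1000 (Application Error): the faulting
    # application name appears in the message body.
    $appCrashes = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Application Error'
        Id           = 1000
        StartTime    = $since
    } | Where-Object { $_.Message -match 'lsass\.exe' }

    # System log, Event ID 1015 (Wininit): logged when a critical system
    # process such as lsass.exe terminates and the machine must restart.
    $criticalFailures = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Wininit'
        Id           = 1015
        StartTime    = $since
    } | Where-Object { $_.Message -match 'lsass\.exe' }

    # Get-WinEvent returns $null when nothing matches; drop the empties.
    $hits = @($appCrashes) + @($criticalFailures) | Where-Object { $null -ne $_ }

    foreach ($e in $hits) {
        [pscustomobject]@{
            DomainController = $dc
            TimeCreated      = $e.TimeCreated
            EventId          = $e.Id
            Provider         = $e.ProviderName
            Summary          = ($e.Message -split "`n")[0].Trim()
        }
    }
}
```

A hit is not proof of exploitation on its own (LSASS can crash for other reasons), so correlate each event with the DC's inbound DCE/RPC traffic and any outbound LDAP or CLDAP connections to non-internal addresses in the minutes before the crash.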
Conclusion
Many Windows servers are vulnerable to LDAPNightmare, a critical vulnerability in the Windows LDAP client, and a public PoC is readily available from SafeBreach. To mitigate the risk, it is imperative to:
- Apply the patches released by Microsoft in December 2024 that address these vulnerabilities immediately.
- Keep devices and servers up to date with the latest security updates.
- Implement network best practices: domain controllers should not be able to reach untrusted LDAP/CLDAP servers (TCP and UDP 389) outbound, and unknown hosts should not be able to reach them with DCE/RPC inbound.
Staying current with updates and enforcing strong network security measures are crucial for safeguarding enterprise systems against potential threats.
Protections
Cato CTRL has released protections against LDAPNightmare and continues to monitor this threat, evaluating possible exploitation avenues, how they are covered by existing prevention policies, and where new detection logic is needed to address the issue specifically.
We further strongly recommend blocking inbound DCE/RPC traffic from unknown hosts. A firewall can achieve this easily, and it should be a general best practice that reduces the attack surface of your Windows servers well beyond this particular CVE.
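The two network mitigations above (no outbound LDAP/CLDAP from domain controllers to untrusted networks in the Conclusion, and no inbound DCE/RPC from unknown hosts here) can be enforced locally on each domain controller with Windows Defender Firewall. The following PowerShell is an added hardening example, not code from the Cato post; it assumes internal addressing is RFC 1918, that the RPC dynamic port range is the Windows default (49152-65535), and that `Cato-LDAP-Mitigation` is merely a rule-name prefix chosen for this example. Run it elevated on each DC, or deploy the equivalent rules via Group Policy.

```powershell
# Added example: local firewall rules on a domain controller that implement the
# post's two network mitigations. Not code from the Cato post.
# Assumptions: RFC 1918 internal addressing; default RPC dynamic range;
# rule-name prefix below is arbitrary.

# Windows Defender Firewall evaluates Block rules before Allow rules, so
# "everything except internal" must be written as the complement of the
# RFC 1918 ranges rather than as a block plus an internal allow.
$NonInternalRanges = @(
    '0.0.0.0-9.255.255.255',
    '11.0.0.0-172.15.255.255',
    '172.32.0.0-192.167.255.255',
    '192.169.0.0-255.255.255.255'
)
$RulePrefix = 'Cato-LDAP-Mitigation'   # assumed naming prefix

# Remove earlier copies so re-running the script is idempotent.
Get-NetFirewallRule -DisplayName "$RulePrefix*" -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# 1. The DC must never act as an LDAP (TCP 389) or CLDAP (UDP 389) client
#    toward a non-internal address. This breaks the referral delivery step.
foreach ($proto in 'TCP', 'UDP') {
    New-NetFirewallRule -DisplayName "$RulePrefix outbound LDAP $proto to non-internal" `
        -Direction Outbound -Action Block -Protocol $proto -RemotePort 389 `
        -RemoteAddress $NonInternalRanges -Profile Any -Enabled True | Out-Null
}

# 2. Non-internal hosts must not reach the RPC endpoint mapper (135), the
#    dynamic RPC range used by Netlogon, or SMB (445), over which Netlogon is
#    also reachable as a named pipe. This breaks the trigger step.
New-NetFirewallRule -DisplayName "$RulePrefix inbound RPC/SMB from non-internal" `
    -Direction Inbound -Action Block -Protocol TCP `
    -LocalPort @('135', '445', '49152-65535') `
    -RemoteAddress $NonInternalRanges -Profile Any -Enabled True | Out-Null

# Verify what was installed by joining each rule with its port filter.
Get-NetFirewallRule -DisplayName "$RulePrefix*" | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule       = $_.DisplayName
        Direction  = $_.Direction
        Action     = $_.Action
        Protocol   = $port.Protocol
        LocalPort  = ($port.LocalPort -join ',')
        RemotePort = ($port.RemotePort -join ',')
    }
}
```

These rules are a defense-in-depth layer behind the December 2024 patch, not a replacement for it. If the environment uses a custom RPC dynamic port range, or internal addressing outside RFC 1918, adjust `$NonInternalRanges` and the inbound port list before deploying; a block rule that is too broad will interrupt legitimate replication and client logons.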