January 03, 2025

Cato CTRL Threat Brief: CVE-2024-49112 and CVE-2024-49113 – Windows LDAP Vulnerabilities (“LDAPBleed” and “LDAPNightmare”) 

Dolev Moshe Attiya, Matan Mittelman, Ronen Jaffa
LDAPNightmare or LDAPBleed? Cato Networks protects against the latest LDAP vulnerabilities (CVE-2024-49112 and CVE-2024-49113)


Executive Summary 

In a world where dozens of CVEs are released every day, there are vulnerabilities, and then there are vulnerabilities. The latest Microsoft Windows LDAP (Lightweight Directory Access Protocol) vulnerabilities, which have been given not one but two names (“LDAPBleed” and “LDAPNightmare”), clearly belong on the shortlist of new and dangerous CVEs.

CVE-2024-49112, a remote code execution (RCE) vulnerability known as “LDAPBleed”, and CVE-2024-49113, a denial of service (DoS) vulnerability known as “LDAPNightmare”, affect multiple Windows Server versions and were reported to Microsoft in December 2024 by security researcher Yuki Chen (@guhe120 on X). On January 1, 2025, the SafeBreach Labs research team published a proof of concept (PoC) that demonstrates how these vulnerabilities can be exploited. Cato CTRL has replicated the exploitation chain and has developed protections to block this attack vector.

Cato-deployed intrusion prevention system (IPS) signatures in the Cato SASE Cloud Platform block this attack, protecting all Cato-connected edges – sites, remote users, and cloud resources. 


Technical Overview 

Affected Versions of Microsoft Windows

Windows Version           Vulnerable Releases
Windows 10 / Windows 11   1809, 1903, 1909, 20H1, 20H2, 21H1, 21H2, 22H2, 23H2, 24H2
Windows Server            2008 R2, 2012, 2012 R2, 2016, 2019, 2022, 2025, and Windows Server version 23H2

Root Cause

The root cause is an integer overflow in the Windows LDAP client that leads to an out-of-bounds read when a crafted response is parsed. Depending on how the overflow is exploited, the result is a crash of the LDAP client (DoS, CVE-2024-49113) or, per Microsoft's advisory, remote code execution (CVE-2024-49112).

Vulnerability Overview

In December 2024, security researcher Yuki Chen identified and reported two critical vulnerabilities, CVE-2024-49112 (Windows LDAP RCE, CVSS score 9.8) and CVE-2024-49113 (Windows LDAP DoS, CVSS score 7.5), to the Microsoft Security Response Center (MSRC). Both vulnerabilities reside in Microsoft’s built-in LDAP client, a cornerstone of Active Directory-based networks.

To better understand these vulnerabilities, let’s first recall the star of the show: LDAP is a core protocol for managing directory services. It is widely used in enterprise networks for centralized authentication, authorization, and resource management. It is integral to Active Directory (AD), enabling efficient querying and management of users, groups, and devices. Given its central role in identity and access management (IAM), any vulnerability in LDAP can be highly dangerous and potentially expose sensitive data or grant control to threat actors over critical systems, underscoring the need for robust security measures.

The SafeBreach PoC shows that the vulnerabilities are reached through LDAP’s referral mechanism, the feature by which a directory server redirects a client to another server that holds the requested data. By manipulating the LDAP referral response, which can be sent by an attacker-controlled malicious LDAP server, the attacker triggers an integer overflow in the targeted Windows host. To get the targeted host to reach out to the malicious LDAP server in the first place, the exploit code first uses the Netlogon protocol (over DCE/RPC) to make the targeted host send an LDAP request. The malicious LDAP server then delivers the crafted response, triggering the vulnerability.
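To make the root cause concrete, the following is an added illustration (written for this brief, not code from the Windows LDAP client or from the SafeBreach PoC) of the bug class described above: a length-prefixed referral decoder whose bounds check is computed in 32-bit arithmetic. The message layout is a stripped-down SearchResultReference (the protocolOp that carries referral URLs, without the enclosing LDAPMessage envelope), the 32-bit wraparound is simulated with a mask so it is visible in Python, and both sample messages are constructed. The unchecked decoder and the hardened one differ in a single comparison.

```python
"""
Model of an integer-overflow bounds check in an LDAP referral decoder.
Added illustration only: the real Windows LDAP client (wldap32) is not on
this page, so the structure below is assumed, not reverse-engineered.
32-bit wraparound is simulated with a mask so the flaw is visible in Python.
"""

MASK32 = 0xFFFFFFFF


class OutOfBounds(Exception):
    """Stands in for the access violation that crashes the real client (DoS)."""


class MalformedLdap(Exception):
    """Raised when a message is rejected before any out-of-bounds access."""


def _read(buf: bytes, off: int, n: int) -> bytes:
    """Copy n bytes at off, faulting if the copy would leave the buffer."""
    if off < 0 or n < 0 or off + n > len(buf):
        raise OutOfBounds(f"{n} bytes at offset {off}, buffer is {len(buf)}")
    return buf[off:off + n]


def ber_length(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a BER length at pos; return (length, offset after the length field)."""
    first = _read(buf, pos, 1)[0]
    pos += 1
    if first < 0x80:                      # short form: one octet
        return first, pos
    nbytes = first & 0x7F                 # long form: number of length octets
    if nbytes == 0 or nbytes > 4:
        raise MalformedLdap("unsupported BER length encoding")
    return int.from_bytes(_read(buf, pos, nbytes), "big"), pos + nbytes


def encode_ber_length(n: int) -> bytes:
    """Encode a BER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def bounded_field(buf: bytes, pos: int, length: int, hardened: bool) -> bytes:
    """Return `length` bytes at `pos` after a bounds check.

    Vulnerable pattern: compute the end offset and compare it with the buffer
    size.  In 32-bit arithmetic `pos + length` wraps for a huge length, the
    comparison passes, and the copy that follows runs off the end.
    Hardened pattern: compare the length with the space remaining.  There is
    no addition, so nothing can wrap.
    """
    if hardened:
        if length > len(buf) - pos:
            raise MalformedLdap(f"length {length} exceeds remaining {len(buf) - pos}")
    else:
        if ((pos + length) & MASK32) > len(buf):
            raise MalformedLdap("end offset beyond buffer")
    return _read(buf, pos, length)        # faults if the check above was fooled


def decode_referral(buf: bytes, hardened: bool) -> list[str]:
    """Decode a SearchResultReference ([APPLICATION 19], tag 0x73): a SEQUENCE OF LDAPURL."""
    if _read(buf, 0, 1)[0] != 0x73:
        raise MalformedLdap("not a SearchResultReference")
    total, pos = ber_length(buf, 1)
    body = bounded_field(buf, pos, total, hardened)
    urls, p = [], 0
    while p < len(body):
        if body[p] != 0x04:               # each LDAPURL is an OCTET STRING
            raise MalformedLdap("expected OCTET STRING")
        n, p = ber_length(body, p + 1)
        urls.append(bounded_field(body, p, n, hardened).decode("utf-8", "replace"))
        p += n
    return urls


def encode_referral(urls: list[str]) -> bytes:
    """Build a well-formed SearchResultReference for the given LDAP URLs."""
    body = b"".join(b"\x04" + encode_ber_length(len(u)) + u.encode() for u in urls)
    return b"\x73" + encode_ber_length(len(body)) + body


# Constructed sample inputs (not captured traffic).
BENIGN_REFERRAL = encode_referral([
    "ldap://dc1.example.com/DC=example,DC=com",
    "ldap://dc2.example.com/DC=example,DC=com",
])
# Hostile referral: outer length 0xFFFFFFFF (long form, 4 octets) followed by
# a tiny body.  pos is 6, and (6 + 0xFFFFFFFF) & 0xFFFFFFFF == 5 <= len(buf),
# so the vulnerable check passes and the copy faults.
HOSTILE_REFERRAL = b"\x73\x84\xff\xff\xff\xff" + b"\x04\x01A"


def outcome(buf: bytes, hardened: bool) -> str:
    """Summarise how a decoder fares on a message: 'ok:<urls>', 'rejected' or 'fault'."""
    try:
        return "ok:" + " ".join(decode_referral(buf, hardened))
    except MalformedLdap:
        return "rejected"
    except OutOfBounds:
        return "fault"


if __name__ == "__main__":
    for name, msg in (("benign", BENIGN_REFERRAL), ("hostile", HOSTILE_REFERRAL)):
        for hardened in (False, True):
            print(f"{name:7} hardened={hardened!s:5} -> {outcome(msg, hardened)}")
```

The point to take away is the shape of the check: `pos + length <= size` is only safe if the addition cannot wrap, whereas `length <= size - pos` compares against the remaining space and needs no addition at all. Every length-prefixed field in a protocol parser is a candidate for the same mistake.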

Demo

Public Exploitation

No indications of exploitation attempts targeting Cato customers have been found so far. As demonstrated above, Cato CTRL reproduced the vulnerability in our labs and confirmed the DoS, while finding full RCE hard to achieve.

Conclusion

Many Windows servers are vulnerable to LDAPNightmare, a critical vulnerability in the Windows LDAP client for which a public PoC is readily available from SafeBreach. To mitigate the risk, it is imperative to:

  • Apply patches released by Microsoft addressing these vulnerabilities immediately.
  • Keep devices and servers up to date with the latest security updates.
  • Implement best practices, such as restricting outbound DCE/RPC and LDAP connections so that domain controllers and servers only reach known, trusted directory servers.

Staying current with updates and enforcing strong network security measures are crucial for safeguarding enterprise systems against potential threats.

Protections 

Cato CTRL has released protections against LDAPNightmare and continues to monitor the threat for new exploitation avenues, checking how each is covered by existing prevention policies and adding new detection logic where the issue requires it.

We further strongly recommend blocking any DCE/RPC traffic directed into your network (inbound) from unknown hosts. A firewall can achieve this easily, and it should be a general best practice to reduce the attack surface of your Windows servers.
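The two network controls recommended in the conclusion and here (domain controllers should only send LDAP to known directory servers, and DCE/RPC should not arrive from unknown hosts) can also be checked after the fact against firewall logs. The following is an added example for this brief, not Cato's IPS logic (which is not published here): it runs both checks over a constructed, pipe-delimited connection log. The host addresses, trusted ranges, dynamic RPC port range and log format are assumptions for the example, and the rules would need to be tuned to a real environment (for example, DCs in other domains or forests that are legitimately contacted over LDAP).

```python
"""
Added example (not Cato's IPS logic): apply two network controls to a
constructed firewall log.
  1. A domain controller initiating LDAP/CLDAP to an unknown server is the
     precondition the exploit chain needs (the victim must reach the attacker's
     LDAP server).
  2. DCE/RPC (tcp/135 endpoint mapper and the dynamic port range) into a DC
     from outside the trusted networks is the trigger the PoC uses.
Hostnames, address ranges and the log format are assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Assumed environment.
DOMAIN_CONTROLLERS = {"10.0.1.10", "10.0.1.11"}
KNOWN_DIRECTORY_SERVERS = DOMAIN_CONTROLLERS | {"10.0.1.12"}   # e.g. a trusted-forest DC
TRUSTED_RPC_SOURCES = [ipaddress.ip_network("10.0.0.0/8")]        # hosts allowed to speak DCE/RPC to DCs

LDAP_PORTS = {389, 636, 3268, 3269}   # LDAP, LDAPS, Global Catalog; udp/389 is CLDAP
RPC_EPM_PORT = 135
RPC_DYNAMIC = range(49152, 65536)     # default Windows dynamic RPC range (assumed unchanged)


@dataclass
class Finding:
    rule: str
    src: str
    dst: str
    proto: str
    dport: int


def parse_line(line: str):
    """Parse 'timestamp|action|proto|src:sport|dst:dport'; return None for anything else."""
    parts = line.strip().split("|")
    if len(parts) != 5:
        return None
    ts, action, proto, src, dst = parts
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return ts, action.lower(), proto.lower(), src_ip, int(sport), dst_ip, int(dport)


def check(lines):
    """Return a Finding for every allowed flow that violates one of the two rules."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, action, proto, src, sport, dst, dport = rec
        if action != "allow":
            continue                      # only flows that got through matter
        # Rule 1: DC -> LDAP/CLDAP to a server that is not in the allowlist.
        if src in DOMAIN_CONTROLLERS and dport in LDAP_PORTS and dst not in KNOWN_DIRECTORY_SERVERS:
            findings.append(Finding("dc-ldap-to-unknown-server", src, dst, proto, dport))
        # Rule 2: DCE/RPC into a DC from outside the trusted networks.
        if dst in DOMAIN_CONTROLLERS and proto == "tcp" and (dport == RPC_EPM_PORT or dport in RPC_DYNAMIC):
            if not any(ipaddress.ip_address(src) in net for net in TRUSTED_RPC_SOURCES):
                findings.append(Finding("rpc-from-untrusted-host", src, dst, proto, dport))
    return findings


# Constructed sample log (not real traffic).  203.0.113.7 plays the attacker.
SAMPLE_LOG = """\
2025-01-02T10:00:01Z|allow|tcp|10.0.5.20:51234|10.0.1.10:389
2025-01-02T10:00:02Z|allow|tcp|203.0.113.7:40001|10.0.1.10:135
2025-01-02T10:00:02Z|allow|tcp|203.0.113.7:40002|10.0.1.10:49670
2025-01-02T10:00:03Z|allow|udp|10.0.1.10:53211|203.0.113.7:389
2025-01-02T10:00:04Z|allow|tcp|10.0.1.10:60211|10.0.1.12:3268
2025-01-02T10:00:05Z|deny|tcp|198.51.100.9:42000|10.0.1.11:135
""".splitlines()


def summarize(lines):
    """Sorted (rule, src, dst, dport) tuples, convenient for comparison and review."""
    return sorted((f.rule, f.src, f.dst, f.dport) for f in check(lines))


if __name__ == "__main__":
    for f in check(SAMPLE_LOG):
        print(f"{f.rule:26} {f.proto}/{f.dport:<5} {f.src} -> {f.dst}")
```

Against the sample log the checker flags the two inbound RPC connections from 203.0.113.7 and the outbound CLDAP (udp/389) from the domain controller to the same address, which is exactly the sequence the exploit chain relies on; the workstation LDAP bind, the Global Catalog lookup to a known server, and the already-denied connection are left alone.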

Dolev Moshe Attiya

Dolev Moshe Attiya is a Staff Cyber Security Engineer at Cato Networks and a member of Cato CTRL, specializing in threat analysis, research, and the development of advanced countermeasures. With over five years of experience, Dolev plays a key role in fortifying Cato's security against emerging threats and CVEs.

Matan Mittelman

Matan Mittelman is the team leader of the Threats team at Cato Networks and a member of Cato CTRL. He is responsible for analyzing, researching, and developing protections against emerging threats and CVEs, and brings more than seven years of experience leading cyber security teams.

Ronen Jaffa

Ronen Jaffa is a security engineer on Cato's security content team and a member of Cato CTRL. He analyzes, researches, and develops protections against emerging threats and CVEs, and brings more than three years of experience in cybersecurity threat protection with a military background in IR and security research.