Unpatched Active Directory Flaw Can Crash Any Microsoft Server
Windows servers are vulnerable to a dangerous LDAP vulnerability that could be used to crash multiple servers at once and should be patched immediately.
January 2, 2025
One of two critical Active Directory Domain Controller vulnerabilities patched by Microsoft last month goes beyond the original denial-of-service (DoS) attack chain and can be used to crash multiple, unpatched Windows servers at once. And experts are concerned many organizations remain vulnerable.
Researchers at SafeBreach have published an analysis of the DoS bug, tracked as CVE-2024-49113. This vulnerability, along with a related remote code execution (RCE) bug, tracked as CVE-2024-49112 with a CVSS score of 9.8, was discovered in Active Directory's Lightweight Directory Access Protocol (LDAP), the protocol used to query the directory database. Both were patched in December's Microsoft security update.
Microsoft hasn't provided many details about the LDAP flaws, despite their severity and potential impact, which is why SafeBreach said it decided to dig deeper and find out more.
"LDAP is the protocol that workstations and servers in Microsoft's Active Directory use to access and maintain directory services information," the SafeBreach report explained.
Additional analysis of the DoS LDAP bug showed the attack chain could also be used by a threat actor to achieve RCE and, worse yet, could be exploited to crash any Windows server, as long as the target system's domain controller has a DNS server connected to the Internet.
Why The Microsoft LDAP Flaw Is So Dangerous
Prior to December's Patch Tuesday update, every single organization running Windows Servers was vulnerable to the flaw, Tal Be'ery, chief technology officer and co-founder of Zengo Wallet, explains.
"So the question is, how many of these organizations patched all of their systems and mainly domain controllers?" he adds.
There's no indication yet the vulnerability is being exploited in the wild, but Be'ery points to PatchPoint's release of exploit code as a signal to threat actors.
"We assume that such code is already being used, but we don't have any positive evidence for it yet," he adds.
Threat actors typically have to work their way from a single hacked device through what Be'ery likens to a Chutes and Ladders board, hopping from one compromise to the next until they reach the big prize — the domain controller stuffed full of credentials. It's the time these hackers spend trying to work their way deeper into the network that affords defenders opportunities to stop the cyberattack before it escalates.
"With this LDAP vulnerability hackers can go immediately straight from square 1 to 100 [domain controllers] before defenders can respond," he adds.
The SafeBreach research also confirmed Microsoft's December 2024 patches are effective, so administrators are urged to patch Windows Servers and all domain controllers immediately.
If servers can't be patched, Be'ery recommends defenders "use compensating controls such as LDAP and RPC firewalls to block the exploit of this vulnerability."
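One way to apply the compensating control Be'ery mentions while patching is pending, as an added example that is not from the article, SafeBreach or Microsoft: an outbound Windows Firewall block that stops a domain controller from initiating LDAP or CLDAP connections to non-intranet addresses, with a verification listing afterwards. The rule names, the port list and the reliance on the firewall's "Internet" address keyword are assumptions; adjust to explicit address ranges if the site's internal space is not what the keyword resolves to.

```powershell
# Added example (not the article's or vendor's code): stop-gap outbound block
# for server-initiated LDAP/CLDAP to Internet addresses. Run elevated on the
# domain controller; remove the rules once the December 2024 patch is applied.

$ruleTag = "Compensating-LDAP-Outbound-Block"   # assumed rule name prefix

# Assumed port set: LDAP, LDAPS, global catalog (TCP); CLDAP (UDP)
$portsByProto = @{
    "TCP" = @(389, 636, 3268, 3269)
    "UDP" = @(389)
}

foreach ($proto in $portsByProto.Keys) {
    $name = "$ruleTag-$proto"
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
        Write-Host "Rule $name already present, skipping"
        continue
    }
    # "Internet" is the firewall's predefined keyword for non-intranet
    # addresses; block rules win over allow rules, so internal LDAP is
    # unaffected only if internal ranges resolve as intranet on this host.
    New-NetFirewallRule -DisplayName $name `
        -Direction Outbound `
        -Protocol $proto `
        -RemotePort $portsByProto[$proto] `
        -RemoteAddress "Internet" `
        -Action Block `
        -Profile Any `
        -Description "Stop-gap block of outbound LDAP/CLDAP to Internet (CVE-2024-49113 compensating control)" | Out-Null
    Write-Host "Created $name"
}

# Verify: show each rule with its resolved remote address and port filters
Get-NetFirewallRule -DisplayName "$ruleTag-*" | ForEach-Object {
    $addr = $_ | Get-NetFirewallAddressFilter
    $port = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule    = $_.DisplayName
        Enabled = $_.Enabled
        Action  = $_.Action
        Remote  = ($addr.RemoteAddress -join ",")
        Ports   = ($port.RemotePort -join ",")
    }
} | Format-Table -AutoSize
```

Confirm with a test LDAP query that internal domain controllers still answer before leaving the rules in place, since a mis-resolved "Internet" keyword would block legitimate replication and logon traffic.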