Unpatched Active Directory flaw can crash any Windows server.
Microsoft addressed two serious Active Directory Domain Controller vulnerabilities last month. One of them can be exploited to crash multiple unpatched Windows servers at once, and its attack chain reaches beyond the initial denial-of-service (DoS). Experts worry that many organizations are still exposed.
SafeBreach researchers have published an analysis of the DoS vulnerability, tracked as CVE-2024-49113. It sits in the Lightweight Directory Access Protocol (LDAP) implementation of Active Directory, the protocol clients use to query and maintain the directory. It was found alongside a related remote code execution (RCE) flaw, CVE-2024-49112, which carries a CVSS score of 9.8. Microsoft's December security update patched both. Despite the severity of the LDAP issues, Microsoft disclosed few technical details, which SafeBreach says is why it chose to conduct further research.
"LDAP is the protocol that workstations and servers in Microsoft's Active Directory use to access and maintain directory services information," the SafeBreach study stated. Further examination of the LDAP DoS issue showed that, provided the target domain controller's DNS server can reach the internet, a threat actor can use the same attack chain to achieve RCE and, worse, to bring down any unpatched Windows server.
The Significance Of The Microsoft LDAP Vulnerability
According to Tal Be'ery, chief technology officer and co-founder of Zengo Wallet, every organization running Windows Server was exposed to the vulnerability until December's Patch Tuesday update. "So the question is, how many of these companies have patched every system, and primarily the domain controllers?" he adds.
Although there is currently no evidence that the vulnerability is being exploited in the wild, Be'ery points to PatchPoint's publication of exploit code as a warning sign for defenders. "We assume that such code is already being used, but we don't have any positive evidence for it yet," he states.
To reach the big prize, the domain controller holding the domain's credentials, threat actors usually have to work their way from a single compromised device through a maze that Be'ery likens to a game of Chutes and Ladders. The time attackers spend trying to gain further access gives defenders a chance to stop the intrusion before it gets out of control.
"With this LDAP vulnerability hackers can go immediately straight from square 1 to 100 [domain controllers] before defenders can respond," he states. The SafeBreach study also verified that Microsoft's December 2024 updates fix the issue, so administrators are advised to apply the patches immediately to all domain controllers and Windows servers. Where servers cannot be patched, Be'ery advises defense teams to "use compensating controls such as LDAP and RPC firewalls to block the exploit of this vulnerability."
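The first question the article raises is which domain controllers actually carry the December 2024 update. The following PowerShell script is an added example, not code from the article, Microsoft or SafeBreach. It enumerates every domain controller in the forest and compares each one's OS build and update build revision (UBR) against a minimum revision you supply; the `$MinimumRevision` table is an assumed input that you fill from Microsoft's Windows release history pages, because the article gives no KB or build numbers and this example does not invent any.

```powershell
#Requires -Modules ActiveDirectory
<#
 Added example (not from the article, Microsoft or SafeBreach): report which
 domain controllers in the forest are at or above the OS build revision that
 carries the December 2024 LDAP fixes (CVE-2024-49113 / CVE-2024-49112).
 Requires PowerShell remoting rights on each DC.
#>
param(
    # Assumed input: OS build number -> minimum UBR that contains the December
    # 2024 cumulative update, e.g. @{ '20348' = <UBR>; '17763' = <UBR> }.
    # Look the values up on Microsoft's release history pages; none are supplied here.
    [Parameter(Mandatory)] [hashtable] $MinimumRevision
)

# Get-ADDomainController only covers one domain, so walk every domain in the forest.
$dcs = foreach ($domain in (Get-ADForest).Domains) {
    Get-ADDomainController -Filter * -Server $domain
}

$report = foreach ($dc in $dcs) {
    $name = $dc.HostName
    try {
        # CurrentBuildNumber identifies the OS release; UBR is bumped by each
        # cumulative update, so a later month's CU also passes this check.
        $ver = Invoke-Command -ComputerName $name -ErrorAction Stop -ScriptBlock {
            Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' |
                Select-Object CurrentBuildNumber, UBR
        }
        $min = $MinimumRevision[[string]$ver.CurrentBuildNumber]
        $status = if ($null -eq $min) { 'UnknownBuild' }
                  elseif ([int]$ver.UBR -ge [int]$min) { 'Patched' }
                  else { 'Unpatched' }
        [pscustomobject]@{
            DomainController = $name
            Domain           = $dc.Domain
            Site             = $dc.Site
            Build            = "$($ver.CurrentBuildNumber).$($ver.UBR)"
            Status           = $status
            Error            = $null
        }
    }
    catch {
        # An unreachable DC is not a patched DC: surface it rather than skip it.
        [pscustomobject]@{
            DomainController = $name; Domain = $dc.Domain; Site = $dc.Site
            Build = $null; Status = 'Unreachable'; Error = $_.Exception.Message
        }
    }
}

$report | Sort-Object Status, DomainController | Format-Table -AutoSize

# Non-zero exit when anything is not confirmed patched, so a scheduled job can alert on it.
if ($report | Where-Object { $_.Status -ne 'Patched' }) { exit 1 }
```

Comparing build revisions rather than looking for a specific KB with `Get-HotFix` avoids false alarms on servers that have since taken a later cumulative update, which supersedes December's and contains the same fix. A DC whose build number is missing from the table is reported as `UnknownBuild` instead of being assumed safe.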