Tuesday, January 14, 2025

Micropatches Released for Windows "LDAPNightmare" Denial of Service Vulnerability (CVE-2024-49113)
December 2024 Windows Updates brought a patch for CVE-2024-49113, a.k.a. "LDAPNightmare", a denial of service vulnerability in Windows LDAP client code. The vulnerability allows an attacker to crash the LDAP client process after coercing it to connect to their malicious LDAP server; if the client process happens to be an important Windows service such as lsass.exe, its crash causes the computer to reboot.

The vulnerability was discovered and reported to Microsoft by security researcher Yuki Chen. After Microsoft's patch was issued, researchers Or Yair and Shahak Morag of SafeBreach reverse-engineered it, recreated a proof of concept, and published a detailed analysis.

Their work allowed us to reproduce the issue and create our own patches for it for security-adopted Windows versions that are no longer receiving updates from Microsoft.


The Vulnerability

The vulnerability allows a malicious LDAP server to cause an out-of-bounds read in the memory space of the client process on the remote computer while that process is parsing LDAP referral data. This crashes the process, with consequences ranging from insignificant (a command-line LDAP tool connecting to the attacker's computer) to serious (the attacker coerces an important server to connect to their LDAP server and the server crashes, as described in the SafeBreach article).


Microsoft's Patch

Microsoft patched this issue by comparing the server-supplied referral "index" to the size of the referral table in function LdapChaseReferral (wldap32.dll).

Our Micropatch

Our patch is functionally identical to Microsoft's.
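To illustrate the check described under "Microsoft's Patch" (which our micropatch reproduces), here is an added example in C, not code from wldap32.dll or from our patch: a hypothetical referral table and a lookup function that rejects a server-supplied index falling outside the table before it is used. The table contents, function names and the fixed table size are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical referral table built from a server's response
 * (constructed sample entries; not data taken from wldap32). */
#define REFERRAL_TABLE_SIZE 3

static const char *const g_referral_table[REFERRAL_TABLE_SIZE] = {
    "ldap://dc1.example.test/",
    "ldap://dc2.example.test/",
    "ldap://dc3.example.test/",
};

/* Model of the unpatched behaviour: the index arrives in attacker-controlled
 * referral data and is used without being compared to the table size, so any
 * value >= REFERRAL_TABLE_SIZE reads beyond the array (out-of-bounds read).
 * It is shown only for contrast and is never called with such a value here. */
const char *referral_lookup_unchecked(const char *const *table, uint32_t index)
{
    return table[index];
}

/* Model of the patched behaviour: compare the server-supplied index against
 * the table size first and treat an out-of-range value as a malformed
 * referral (NULL) instead of dereferencing it. Both operands are unsigned so
 * a value that would look "negative" as a signed int cannot pass the check. */
const char *referral_lookup_checked(const char *const *table,
                                    uint32_t table_size, uint32_t index)
{
    if (index >= table_size) {
        return NULL;
    }
    return table[index];
}

/* Convenience wrapper over the constructed table. */
const char *chase_referral_checked(uint32_t index)
{
    return referral_lookup_checked(g_referral_table, REFERRAL_TABLE_SIZE, index);
}

/* Returns 1 when the checked lookup rejects the index, 0 when it accepts it. */
int referral_index_rejected(uint32_t index)
{
    return chase_referral_checked(index) == NULL;
}
```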


Micropatch Availability

Micropatches were written for the following security-adopted versions of Windows with all available Windows Updates installed:

  1. Windows 11 v21H2 - fully updated
  2. Windows 10 v21H2 - fully updated
  3. Windows 10 v21H1 - fully updated
  4. Windows 10 v20H2 - fully updated
  5. Windows 10 v2004 - fully updated
  6. Windows 10 v1909 - fully updated
  7. Windows 10 v1809 - fully updated
  8. Windows 10 v1803 - fully updated
  9. Windows 7 - fully updated without ESU, or with ESU 1, ESU 2 or ESU 3
  10. Windows Server 2012, Server 2012 R2 - fully updated without ESU
  11. Windows Server 2008 R2 - fully updated without ESU, or with ESU 1, ESU 2, ESU 3 or ESU 4
Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows versions that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

We would like to thank Or Yair and Shahak Morag of SafeBreach for sharing their analysis and proof-of-concept, which made it possible for us to create a micropatch for this issue.

To learn more about 0patch, please visit our Help Center.