Vulnerable internet-exposed Windows Server instances and domain controllers could crash and be rebooted through a new proof-of-concept exploit for the already patched high-severity Lightweight Directory Access Protocol denial-of-service flaw dubbed LDAPNightmare and tracked as CVE-2024-49113, reports Security Affairs.
Only internet connectivity is required to facilitate the compromise, which commences with the delivery of a CLDAP referral response packet to disrupt the Local Security Authority Subsystem Service, followed by the sending of a DCE/RPC request to the targeted machine and the eventual designation of the victim's machine as an LDAP client that sends CLDAP requests to the attacker's machine, according to SafeBreach researchers, who developed the PoC exploit. "We also believe that this will make exploitation of CVE-2024-49112 more likely in the near future, so we recommend patching both vulnerabilities," said the researchers, who also urged organizations that cannot immediately apply the issued patches to improve their detection of suspicious DNS SRV queries, CLDAP referral responses, and DsrGetDcNameEx2 calls.
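The three indicators the researchers name can be correlated per host. The sketch below is an added example, not SafeBreach's code or part of the original report. The event schema, internal address ranges, the `corp.example` domain and the 60-second window are all assumptions, and the sample events are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumed environment (hypothetical values, not from the article).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
AD_SUFFIXES = (".corp.example",)   # DNS suffixes of the organization's own AD domains
LDAP_REFERRAL = 10                 # LDAP resultCode "referral" (RFC 4511)
WINDOW_SECONDS = 60                # assumed correlation window

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def classify(ev):
    """Return (host, signal) if the event matches one of the three indicators, else None."""
    kind = ev["kind"]
    if kind == "dns_query" and ev["qtype"] == "SRV":
        name = ev["qname"].lower().rstrip(".")
        # DC-locator style lookup for a domain the organization does not own
        if name.startswith("_ldap._tcp.") and not name.endswith(AD_SUFFIXES):
            return ev["src"], "srv_query_foreign_domain"
    elif kind == "cldap_response" and ev["result_code"] == LDAP_REFERRAL and not is_internal(ev["src"]):
        return ev["dst"], "cldap_referral_from_external"
    elif kind == "rpc_call" and ev["operation"] == "DsrGetDcNameEx2" and not is_internal(ev["src"]):
        return ev["dst"], "dsrgetdcnameex2_from_external"
    return None

def correlate(events):
    """Map host -> sorted signals when two or more distinct signals fall within the window.
    The check is order-independent: only the time spread between signals matters."""
    hits = defaultdict(list)
    for ev in events:
        match = classify(ev)
        if match:
            hits[match[0]].append((ev["ts"], match[1]))
    alerts = {}
    for host, seen in hits.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            signals = {s for t, s in seen[i:] if t - start <= WINDOW_SECONDS}
            if len(signals) >= 2:
                alerts[host] = sorted(signals)
                break
    return alerts

# Constructed sample events (documentation address ranges, made-up names).
SAMPLE_EVENTS = [
    {"ts": 50, "kind": "dns_query", "src": "10.0.0.6", "qtype": "SRV", "qname": "_ldap._tcp.dc._msdcs.corp.example"},
    {"ts": 100, "kind": "rpc_call", "src": "203.0.113.7", "dst": "10.0.0.5", "operation": "DsrGetDcNameEx2"},
    {"ts": 101, "kind": "dns_query", "src": "10.0.0.5", "qtype": "SRV", "qname": "_ldap._tcp.unknown-domain.test"},
    {"ts": 102, "kind": "cldap_response", "src": "203.0.113.7", "dst": "10.0.0.5", "result_code": 10},
    {"ts": 300, "kind": "rpc_call", "src": "198.51.100.2", "dst": "10.0.0.6", "operation": "DsrGetDcNameEx2"},
]
```

A single signal on its own (as for `10.0.0.6` in the sample) does not raise an alert here; lowering the threshold to one trades fewer misses for more noise.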