> About Author
Hi, I'm Sharon, a product manager at Chaitin Tech. We build SafeLine, an open-source Web Application Firewall built for real-world threats. While SafeLine focuses on HTTP-layer protection, our emergency response center monitors and responds to RCE and authentication vulnerabilities across the stack to help developers stay safe.
A new vulnerability in Microsoft’s implementation of LDAP (Lightweight Directory Access Protocol) could allow attackers to crash domain controllers with a 0-click denial-of-service (DoS) attack.
A public proof-of-concept (POC) is already available. If you run Windows Server 2019 or 2022, this is a patch-now situation.
What’s the Vulnerability?
In December 2024, Microsoft released security updates addressing two critical LDAP-related flaws:
- CVE-2024-49113 — LDAP information leak / DoS (POC is public)
- CVE-2024-49112 — LDAP remote code execution (no POC available yet)
Researchers demonstrated a working exploit for CVE-2024-49113 that requires no user interaction. Once triggered, the vulnerable server crashes—impacting LSASS (Local Security Authority Subsystem Service), a core component responsible for handling authentication and policies in Active Directory environments.
Vulnerability Details
CVE-2024-49113 results from an integer overflow bug in the LDAP client logic of Windows. An attacker can craft a malicious LDAP/CLDAP response that triggers the flaw when the server connects to it—causing LSASS to crash and rendering the system unusable.
This can happen even without authentication, making it extremely dangerous for public-facing servers or poorly segmented internal environments.
Key Impact:
- Triggers a crash in LSASS, which is essential for domain controller operations.
- Leads to a system reboot, affecting the stability of the entire domain.
- Exploitable via anonymous remote calls under default settings.
Risk Summary
| Item | Detail |
|---|---|
| Vulnerability Type | Integer Overflow |
| Severity | Critical |
| Trigger Method | Remote (Unauthenticated) |
| Affected Component | LDAP (wldap32.dll) |
| User Interaction | Not Required |
| Exploit Availability | ✅ POC Public |
| System Requirements | DNS Outbound + RPC (Default Permitted) |
Real-World Exploit Conditions
To trigger the exploit successfully:
- The attacker must be able to initiate RPC calls to the target server (typically from the internal network).
- The target server’s DNS must be able to resolve public domains (used to redirect the server to the attacker’s LDAP server).
- The attacker hosts a malicious LDAP or CLDAP server that delivers the crafted response.
Possible Scenarios:
- Internal Network Exploits: Common in lateral movement or post-initial-compromise scenarios.
- Internet-Facing DCs (rare but high risk): If domain controllers are exposed and can reach DNS, attackers may exploit them without internal access.
Affected Versions
| Product | Affected Before Patch |
|---|---|
| Windows Server 2022 | Yes |
| Windows Server 2019 | Yes |
| Other LDAP-enabled Windows Servers using wldap32.dll | Possibly |
Refer to Microsoft’s official security guide for the full version list:
🔗 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49113
Mitigation & Fix
Official Patch
Microsoft addressed the issue in the December 2024 security update. Apply the patch immediately via:
🔗 CVE-2024-49113 Security Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49113
Temporary Workarounds (if you can’t patch yet)
- Restrict Anonymous RPC: Use Group Policy or a firewall to block unauthenticated RPC traffic to domain controllers.
- Monitor and Filter Suspicious Traffic: Deploy IDS/IPS rules to detect outbound LDAP queries to unknown domains, and block abnormal CLDAP responses.
- Limit External DNS Lookups: Prevent domain controllers from making DNS queries to the internet unless absolutely necessary.
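As an added example (not code from the original post or from SafeLine), the following Python script applies the monitoring workaround to constructed firewall log lines: it flags every LDAP/CLDAP connection that a domain controller opens to an address outside the internal ranges, which is the outbound step the exploit chain depends on. The domain controller addresses, the `k=v` log field layout and the internal network ranges are assumptions; adapt them to your own firewall or flow-log export.

```python
"""Flag outbound LDAP/CLDAP connections from domain controllers (DCs) to
non-internal addresses. Log lines below are constructed sample data; the
field layout (src=, dst=, proto=, dport=) is an assumption."""
import ipaddress
from typing import Dict, List

# Hypothetical DC addresses (constructed for this example).
DOMAIN_CONTROLLERS = {"10.0.0.10", "10.0.0.11"}
# LDAP 389 (TCP, or UDP for CLDAP), LDAPS 636, Global Catalog 3268/3269.
LDAP_PORTS = {389, 636, 3268, 3269}
# Ranges a DC may legitimately talk LDAP to (assumption: RFC 1918 only).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed firewall log; 203.0.113.x / 198.51.100.x are documentation ranges.
SAMPLE_LOG = """\
2025-01-03T10:00:01Z src=10.0.0.10 dst=10.0.0.5 proto=tcp dport=389 action=allow
2025-01-03T10:00:02Z src=10.0.0.10 dst=203.0.113.7 proto=udp dport=389 action=allow
2025-01-03T10:00:03Z src=10.0.0.11 dst=198.51.100.9 proto=tcp dport=3268 action=allow
2025-01-03T10:00:04Z src=10.0.0.20 dst=203.0.113.7 proto=tcp dport=389 action=allow
2025-01-03T10:00:05Z src=10.0.0.10 dst=8.8.8.8 proto=udp dport=53 action=allow
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into a dict; the timestamp is the first token."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = ts
    return fields


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_external_ldap(log: str) -> List[Dict[str, str]]:
    """Return events where a DC initiates LDAP/CLDAP to a non-internal host."""
    hits = []
    for raw in log.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["src"] not in DOMAIN_CONTROLLERS:
            continue  # only DC-originated traffic matters here
        if int(ev["dport"]) in LDAP_PORTS and not is_internal(ev["dst"]):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for ev in find_external_ldap(SAMPLE_LOG):
        print(f"ALERT {ev['ts']} DC {ev['src']} -> {ev['dst']}:{ev['dport']}/{ev['proto']}")
```

Run against the constructed log, the script reports the two DC connections to external LDAP/CLDAP ports and ignores the internal LDAP query, the non-DC host and the DC's ordinary DNS lookup.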
Timeline
| Date | Event |
|---|---|
| Jan 2, 2025 | Public POC released |
| Jan 3, 2025 | Vulnerability reproduced by security researchers |
| Jan 6, 2025 | Public advisory published by Chaitin SRC |
Stay safe — Patch early, monitor traffic, and make sure your domain controllers aren't exposed to the internet unnecessarily.
If you're using SafeLine WAF, it can help detect and block suspicious LDAP-related behavior across your internal services.