LDAPNightmare Vulnerability - CVE-2024-49112
Incident Report for Rapid Response Status Page
Resolved
Dear Customers,

Following our recent update regarding the LDAPNightmare vulnerability (CVE-2024-49112),
we would like to inform you that the recently released Proof-of-Concept (PoC) is not related to CVE-2024-49112. This significantly reduces the likelihood of an RCE PoC being released.

In the meantime, we have published two new hunting queries for identifying outgoing LDAP queries to external IP addresses and incoming RPC traffic towards domain controllers from external IP addresses. Both have been observed as possible exploitation activity for CVE-2024-49112.

These queries are available on Axon's GitHub:
- Outgoing LDAP queries to external IPs:
  https://github.com/axon-git/rapid-response/blob/main/CVE-2024-49112/ldap_queries_to_external_ip.sql
- Incoming RPC traffic to domain controllers from external IPs:
  https://github.com/axon-git/rapid-response/blob/main/CVE-2024-49112/external_rpc_to_dc.sql

Axon reports have also been published for Team Axon customers, including the updated list of deliverables.

We continue to monitor CVE-2024-49112 and will provide further updates as necessary. Should you have any questions regarding the queries or any other concerns, please don't hesitate to reach out.

Sincerely,
Team Axon
Posted Jan 02, 2025 - 15:28 UTC
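The two traffic patterns named in the update above, run over a handful of constructed flow records, as an added example in Python. This is not Axon's published code; the hunting queries themselves are the SQL files linked above. The key=value record format, the field names, the list of domain controller hostnames and the set of ranges treated as "internal" are all assumptions for illustration and should be replaced with your own telemetry and inventory.

```python
"""Hunt for the two patterns named in the update above:
  1. outgoing LDAP connections to external IP addresses
  2. incoming RPC traffic to domain controllers from external IP addresses

Added example, not Axon's published queries. The record format, field names,
DC hostnames and "internal" ranges below are assumptions for illustration.
"""
import ipaddress
from typing import Dict, Iterable, List

# LDAP, LDAPS and the Global Catalog ports (plain and TLS).
LDAP_PORTS = {389, 636, 3268, 3269}
# RPC endpoint mapper plus the default Windows dynamic RPC port range.
RPC_EPM_PORT = 135
RPC_DYNAMIC_PORTS = range(49152, 65536)

# Assumed: DC hostnames, normally pulled from AD inventory.
DOMAIN_CONTROLLERS = {"dc01", "dc02"}

# Assumed: what this organisation treats as "internal". Anything else is
# external, which deliberately includes the RFC 5737 documentation ranges
# used in the sample records below.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "fe80::/10", "::1/128",
)]


def is_external(ip: str) -> bool:
    """True when the address is outside every internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str) -> Dict[str, object]:
    """Parse one constructed flow record: '<ts> k=v k=v ...' (assumed format)."""
    ts, *tokens = line.split()
    rec: Dict[str, object] = dict(tok.split("=", 1) for tok in tokens)
    rec["ts"] = ts
    rec["dport"] = int(rec["dport"])
    return rec


def classify(rec: Dict[str, object]) -> str:
    """Return the matching hunt rule name, or '' when the flow matches neither."""
    dport = rec["dport"]
    # Rule 1: any host (a DC acting as an LDAP client included) talking LDAP
    # to an address outside the internal ranges.
    if dport in LDAP_PORTS and is_external(str(rec["dst"])):
        return "outbound_ldap_to_external"
    # Rule 2: RPC endpoint mapper or dynamic RPC port on a DC, reached from
    # an external source address.
    if (rec["dst_host"] in DOMAIN_CONTROLLERS
            and (dport == RPC_EPM_PORT or dport in RPC_DYNAMIC_PORTS)
            and is_external(str(rec["src"]))):
        return "external_rpc_to_dc"
    return ""


def hunt(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Run both rules over flow records; return the hits tagged with their rule."""
    hits = []
    for line in lines:
        rec = parse_flow(line)
        rule = classify(rec)
        if rule:
            hits.append({"rule": rule, **rec})
    return hits


# Constructed sample flows (not real telemetry). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for Internet hosts.
SAMPLE_FLOWS = [
    "2025-01-02T10:05:11Z src=10.1.2.3 src_host=dc01 dst=203.0.113.10 dst_host=- dport=389 proto=tcp",
    "2025-01-02T10:05:12Z src=10.1.2.3 src_host=dc01 dst=10.1.2.4 dst_host=dc02 dport=389 proto=tcp",
    "2025-01-02T10:06:40Z src=198.51.100.7 src_host=- dst=10.1.2.3 dst_host=dc01 dport=135 proto=tcp",
    "2025-01-02T10:06:41Z src=198.51.100.7 src_host=- dst=10.1.2.3 dst_host=dc01 dport=49670 proto=tcp",
    "2025-01-02T10:06:42Z src=198.51.100.7 src_host=- dst=10.1.2.50 dst_host=web01 dport=135 proto=tcp",
    "2025-01-02T10:07:03Z src=10.1.2.3 src_host=dc01 dst=203.0.113.10 dst_host=- dport=443 proto=tcp",
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_FLOWS):
        print(f"{hit['ts']} {hit['rule']}: {hit['src']} -> {hit['dst']}:{hit['dport']}")
```

Run as a script it reports three of the six constructed flows: the DC's outbound LDAP connection to an Internet address, and the two inbound RPC connections (endpoint mapper and a dynamic port) to that DC from an external source. DC-to-DC LDAP, RPC to a non-DC host, and outbound HTTPS from the DC are left alone. Matching on port numbers alone is the crude form of the hunt; expect to tune the internal ranges, add known-good destinations such as a partner forest's DCs, and check that your DCs really do keep the default dynamic RPC range before relying on that bound.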
Investigating
Team Axon is monitoring the critical vulnerability affecting LDAP clients on Windows Domain Controllers.
This flaw, identified as CVE-2024-49112, was published by Microsoft on December 10, 2024, with a CVSS severity score of 9.8 out of 10. Although Microsoft has disclosed the vulnerability, no public exploit or detailed blog post explaining the exploitation path was released initially.

We have recently observed the publication of a Proof-of-Concept related to this vulnerability. It is important to note that the PoC is not yet fully developed and currently results in a denial-of-service (DoS) rather than remote code execution (RCE), which drastically reduces the impact of exploitation.

According to Microsoft, this vulnerability affects both LDAP clients and servers running impacted versions. To mitigate potential risks, we recommend:
- Applying the latest security updates for Windows immediately to ensure protection.
- If patching is not possible, restricting access by:
  - Blocking inbound RPC from untrusted networks to Domain Controllers.
  - Preventing external access to LDAP services.

Our team will provide updates after deeply analyzing and assessing the vulnerability, including potential deliverables. Any customers identified as impacted will be notified directly.

For further assistance, please don't hesitate to contact us.

Sincerely,
Team Axon
Posted Jan 02, 2025 - 10:12 UTC
This incident affected: Rapid Response.