cbeek-r7 (185)

Last Login: January 20, 2025
Assessments: 83
Score: 185
8th Place

cbeek-r7's Latest (20) Contributions

1
Ratings
Technical Analysis

CVE-2024-49112 is a critical vulnerability in the Windows Lightweight Directory Access Protocol (LDAP) service. It is classified as a remote code execution (RCE) flaw with a CVSS score of 9.8, making it a significant threat. Exploitation could allow attackers to execute arbitrary code on vulnerable systems, potentially leading to full system compromise.

This vulnerability is caused by an integer overflow within the LDAP service. Attackers can exploit the flaw by sending specially crafted Remote Procedure Call (RPC) requests to the target server. Successful exploitation enables arbitrary code execution in the context of the LDAP service, which often runs with elevated privileges. The flaw can be exploited remotely without authentication, making it particularly dangerous for internet-facing systems.

Looking at the image that was posted on X by @Madmodsec (https://x.com/MacmodSec/status/1867450280956018819/photo/1), it looks like the vulnerability in the unpatched wldap32.dll stems from insufficient validation of the referral index (v26), potentially leading to out-of-bounds reads or writes during referral handling. The patched version mitigates this by introducing a boundary check (EvaluateCurrentState), ensuring that the referral index (v164) falls within a valid range before further processing. Additionally, the patched code improves error logging by providing specific details when a referral index exceeds the allowable range. These changes enhance the safety of the code by preventing unsafe memory access and improving diagnostics for better traceability.

1
Ratings
Technical Analysis

CVE-2024-49113 is a denial-of-service (DoS) vulnerability in the Windows Lightweight Directory Access Protocol (LDAP). It allows remote, unauthenticated attackers to disrupt the LDAP service on affected Windows servers, causing significant downtime by forcing reboots. The flaw, disclosed and patched in December 2024, highlights the importance of securing directory services in modern IT environments.

The vulnerability is attributed to an out-of-bounds read error in LDAP’s implementation. Attackers exploit this flaw by sending specially crafted Connectionless LDAP (CLDAP) referral response packets to the target server. These malicious packets can destabilize the Local Security Authority Subsystem Service (LSASS), leading to an immediate system crash and reboot. Exploitation does not require prior authentication or user interaction, though it depends on the target server’s internet connectivity for DNS operations.

Impacted Systems
This vulnerability affects multiple versions of Windows, including:

Client Systems: Windows 10 (various versions) and Windows 11 (22H2, 24H2).
Server Systems: Windows Server editions spanning 2008 to 2025.

Organizations should consult official documentation for specific build information and patch availability.

Exploit Details and Risks
Shortly after the vulnerability’s disclosure, proof-of-concept (PoC) code demonstrating the exploitability of CVE-2024-49113 emerged. The PoC demonstrated how attackers could trigger system crashes on unpatched servers, highlighting the criticality of timely patching.

Notably, some malicious actors have distributed counterfeit PoCs on public platforms. These fake exploits contain malware designed to compromise researchers’ and defenders’ systems, emphasizing the importance of sourcing code from trusted and verified sources.
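As an added example, not part of either assessment above and not Microsoft's wldap32.dll code, the Python below models the referral-index handling that the CVE-2024-49112 assessment describes and that the CVE-2024-49113 out-of-bounds read belongs to: a table of referrals, an index taken from the peer's referral response, and an accessor with and without the range check the patch introduced. The 32-byte slot size, the 4-byte index field, the table layout and the data placed after the table are assumptions made for the model; it shows the bug class (an attacker-chosen index read past the logical table), not the real binary.

```python
"""Added example: referral-index handling with and without a range check.

Everything here is a constructed model; slot size, field layout and the
"neighbour" data are assumptions, not the layout used by wldap32.dll.
"""
import struct
import sys

REFERRAL_SIZE = 32  # bytes per referral slot in this model (assumption)


class ReferralTable:
    """A flat buffer holding `count` referral slots followed by unrelated data.

    In native code the referral array sits in a heap allocation and whatever
    follows it belongs to someone else; `neighbour` stands in for that data.
    """

    def __init__(self, referrals, neighbour):
        self.count = len(referrals)
        self.heap = bytearray()
        for r in referrals:
            self.heap += r[:REFERRAL_SIZE].ljust(REFERRAL_SIZE, b"\0")
        # constructed: bytes that happen to sit right after the table
        self.heap += neighbour[:REFERRAL_SIZE].ljust(REFERRAL_SIZE, b"\0")


def make_referral_message(idx: int) -> bytes:
    """Constructed peer message carrying only the referral index (4-byte LE, assumed)."""
    return struct.pack("<I", idx)


def referral_index_from_message(msg: bytes) -> int:
    """The index comes from the remote side's referral response, so it is attacker-controlled."""
    return struct.unpack_from("<I", msg, 0)[0]


def get_referral_unchecked(table: ReferralTable, idx: int) -> bytes:
    """Unpatched pattern: the index is used directly and never compared with count."""
    off = idx * REFERRAL_SIZE
    return bytes(table.heap[off:off + REFERRAL_SIZE])


class ReferralIndexError(ValueError):
    pass


def get_referral_checked(table: ReferralTable, idx: int) -> bytes:
    """Patched pattern: validate the index first and name the bad value in the error."""
    if idx >= table.count:
        raise ReferralIndexError(
            f"referral index {idx} exceeds allowable range (count={table.count})"
        )
    return get_referral_unchecked(table, idx)


def chase_referral(table: ReferralTable, msg: bytes, checked: bool = True):
    """Resolve the referral named in `msg`; returns the referral string, or None if rejected."""
    idx = referral_index_from_message(msg)
    try:
        data = (get_referral_checked if checked else get_referral_unchecked)(table, idx)
    except ReferralIndexError as exc:
        print(f"rejected: {exc}", file=sys.stderr)  # the diagnostic the patch adds
        return None
    return data.rstrip(b"\0").decode("latin-1")


if __name__ == "__main__":
    table = ReferralTable([b"ldap://dc1.example", b"ldap://dc2.example"],
                          b"SECRET-ADJACENT-DATA")
    for idx in (1, 2, 0xFFFF):
        msg = make_referral_message(idx)
        print(idx, "unchecked ->", repr(chase_referral(table, msg, checked=False)))
        print(idx, "checked   ->", repr(chase_referral(table, msg, checked=True)))
```

With the checked accessor an index equal to or above the count is refused and the message names the offending value, which is the diagnostics improvement the assessment describes. With the unchecked accessor the index just past the table returns the neighbouring bytes; an index far beyond the buffer returns nothing in this Python model, whereas native code would touch unmapped memory, which is the crash-and-reboot outcome reported for CVE-2024-49113.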

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

The vulnerability arises due to insufficient input validation in the CLFS driver. Specifically, CLFS mishandles certain crafted input, allowing an attacker to manipulate memory and execute code with elevated privileges.

Exploitation requires local access to the system. An attacker can:

Craft Malicious Input: Create a malformed CLFS log file or log-related operation that triggers the vulnerability in the driver.
Abuse Kernel Privileges: Exploit the vulnerability to execute arbitrary code in kernel mode.
Escalate Privileges: Gain SYSTEM privileges, enabling complete control over the affected system.

This vulnerability is particularly useful for attackers as a post-exploitation mechanism, allowing them to escalate privileges after gaining initial access to a target system.

Exploitation in the Wild
CVE-2022-37969 has been actively exploited in targeted attacks. Threat actors, including advanced persistent threat (APT) groups, have leveraged this vulnerability as part of multi-stage attack campaigns.

CISA released an updated advisory on the BianLian ransomware group including the vulnerabilities the group is using to gain initial access to victims.

https://www.cisa.gov/sites/default/files/2024-11/aa23-136a-joint-csa-stopransomware-bianlian-ransomware-group.pdf

1
Ratings
Technical Analysis

CISA released an updated advisory on the BianLian ransomware group including the vulnerabilities the group is using to gain initial access to victims.

https://www.cisa.gov/sites/default/files/2024-11/aa23-136a-joint-csa-stopransomware-bianlian-ransomware-group.pdf

1
Ratings
Technical Analysis

CVE-2021-34523 is a privilege escalation vulnerability in Microsoft Exchange Server that arises due to improper validation of PowerShell remoting requests. This vulnerability enables an attacker to elevate their privileges within the Exchange server environment.
Affected Versions

The vulnerability affects the following versions of Exchange Server:

Microsoft Exchange Server 2013
Microsoft Exchange Server 2016
Microsoft Exchange Server 2019

Root Cause

The issue stems from insufficient authentication and access controls in the Exchange PowerShell backend interface. Specifically, the Exchange PowerShell service fails to properly validate caller identities and privileges, which can be exploited to execute commands with elevated permissions.
Exploitation

An attacker with authenticated access to the Exchange server (e.g., as a low-privilege user) can exploit this vulnerability by:

Crafting Malicious PowerShell Requests: Sending specially crafted requests to the Exchange PowerShell endpoint.
Escalating Privileges: Abusing the vulnerability to gain higher-level privileges, such as those of a Domain Admin or SYSTEM account.
Remote Code Execution (Chained Exploitation): Combining this vulnerability with others (e.g., CVE-2021-34473) can lead to full remote compromise.

CISA released an updated advisory on the BianLian ransomware group including the vulnerabilities the group is using to gain initial access to victims.

https://www.cisa.gov/sites/default/files/2024-11/aa23-136a-joint-csa-stopransomware-bianlian-ransomware-group.pdf
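Added example, not from the assessment above and not Microsoft's or CISA's code: a small IIS log scanner for the request shape the ProxyShell chain leaves behind. The CVE-2021-34473 path confusion reaches Exchange backends such as /powershell through requests of the form /autodiscover/autodiscover.json?@host/..., so an autodiscover.json request whose query string begins with "@" is the marker to hunt for, and the backend path that follows tells you whether the PowerShell endpoint (the CVE-2021-34523 step) was the target. The log lines are constructed for the example, and the list of backend paths is an assumption for classification only.

```python
"""Added example: find ProxyShell-style path-confusion requests in IIS W3C logs.

Sample lines are constructed; BACKENDS is an assumption used only to label hits.
"""
from urllib.parse import unquote

# Constructed IIS W3C log excerpt (not from any real server).
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2021-08-12 10:01:02 198.51.100.7 GET /owa/ - 200
2021-08-12 10:01:05 198.51.100.7 GET /autodiscover/autodiscover.json @evil.example/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.example 200
2021-08-12 10:01:07 198.51.100.7 POST /autodiscover/autodiscover.json @evil.example/powershell 200
2021-08-12 10:02:00 203.0.113.9 GET /autodiscover/autodiscover.xml - 200
2021-08-12 10:03:11 203.0.113.9 POST /powershell - 401
"""

# Backend paths worth naming in a hit (assumption; extend for your environment).
BACKENDS = ("/powershell", "/mapi/nspi", "/ews/")


def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line; skip rather than misalign columns
        yield dict(zip(fields, values))


def classify_request(entry):
    """Return the backend reached via the autodiscover path confusion, or None."""
    stem = entry.get("cs-uri-stem", "").lower()
    query = unquote(entry.get("cs-uri-query", ""))
    if not stem.endswith("/autodiscover/autodiscover.json"):
        return None
    # Legitimate autodiscover.json requests do not start their query with "@".
    if not query.startswith("@"):
        return None
    low = query.lower()
    for backend in BACKENDS:
        if backend in low:
            return backend
    return "unknown backend"


def find_proxyshell_requests(text):
    """Scan a log and return a list of hits with time, client, method and backend."""
    hits = []
    for entry in parse_iis_log(text):
        backend = classify_request(entry)
        if backend is None:
            continue
        hits.append({
            "time": f"{entry['date']} {entry['time']}",
            "client": entry.get("c-ip", "-"),
            "method": entry.get("cs-method", "-"),
            "backend": backend,
        })
    return hits


if __name__ == "__main__":
    for hit in find_proxyshell_requests(SAMPLE_IIS_LOG):
        print(hit)
```

The scanner keys off the #Fields header rather than fixed column positions, since IIS field order varies between servers; a direct request to /powershell (the last sample line) is not flagged, because it is the autodiscover.json stem plus the leading "@" that identifies the path confusion, not the backend name on its own.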

1
Ratings
Technical Analysis

CISA released an updated advisory on the BianLian ransomware group including the vulnerabilities the group is using to gain initial access to victims.

https://www.cisa.gov/sites/default/files/2024-11/aa23-136a-joint-csa-stopransomware-bianlian-ransomware-group.pdf

1

As of today, Nov 4th 2024, SonicWall PSIRT updated their advisory with new confirmed Indicators of Compromise (IOCs) regarding threat actors attempting to abuse this vulnerability: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0015

1

As of today, Nov 4th 2024, SonicWall PSIRT updated their advisory with new confirmed Indicators of Compromise (IOCs) regarding threat actors attempting to abuse this vulnerability: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0015

2
Ratings
Technical Analysis

The flaw lies in the FortiGate to FortiManager Protocol (FGFM), which is designed for deployment scenarios where NAT traversal is needed. Attacks have been reported in which the attacker abused the vulnerability to register a new “local device” with a serial number.
Once registered, an attacker can exploit this to gain RCE on FortiManager itself.

From there, the attacker has access to the FortiManager’s managed firewalls, enabling them to view configuration files, alter device settings, and escalate further into downstream networks.

Fortinet’s advisory highlights IOCs observed and mitigations.

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    High
Technical Analysis

Many reports have been made of the Akira and/or Fog ransomware groups abusing this vulnerability. In this blog post, https://arcticwolf.com/resources/blog/arctic-wolf-observes-akira-ransomware-campaign-targeting-sonicwall-sslvpn-accounts/, the abuse of the vulnerability by the Akira group is mentioned.

1
Ratings
Technical Analysis

On September 5th 2024, CISA released a security bulletin highlighting the cyber-attacks from a Russian actor. In this bulletin CISA confirmed and stated that this vulnerability was abused by the actor to bypass authentication and gain initial access.
Source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a

1
Ratings
Technical Analysis

On September 5th 2024, CISA released a security bulletin highlighting the cyber-attacks from a Russian actor. In this bulletin CISA confirmed and stated that this vulnerability was abused by the actor to bypass authentication and gain initial access.
Source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

On September 5th 2024, CISA released a security bulletin highlighting the cyber-attacks from a Russian actor. In this bulletin CISA confirmed and stated that this vulnerability was abused by the actor to bypass authentication and gain initial access.
Source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    High
Technical Analysis

On September 5th 2024, CISA released a security bulletin highlighting the cyber-attacks from a Russian actor. In this bulletin CISA confirmed and stated that this vulnerability was abused by the actor to bypass authentication and gain initial access through a vulnerable Dahua IP Camera.
Source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a

1
Ratings
Technical Analysis

On September 5th 2024, CISA released a security bulletin highlighting the cyber-attacks from a Russian actor. In this bulletin CISA confirmed and stated that this vulnerability was abused by the actor to bypass authentication and gain initial access through a vulnerable Dahua IP Camera.
Source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a

2
Ratings
Technical Analysis

A July 2024 bulletin from multiple U.S. government agencies indicates that North Korean state-sponsored attackers have demonstrated interest in this vulnerability — not immediately clear whether it was exploited or just used in reconnaissance/target selection: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a

2
Ratings
Technical Analysis

A July 2024 bulletin from multiple U.S. government agencies indicates that North Korean state-sponsored attackers have demonstrated interest in this vulnerability — not immediately clear whether it was exploited or just used in reconnaissance/target selection: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a

2
Ratings
Technical Analysis

A July 2024 bulletin from multiple U.S. government agencies indicates that North Korean state-sponsored attackers have demonstrated interest in this vulnerability — not immediately clear whether it was exploited or just used in reconnaissance/target selection: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a

2
Ratings
Technical Analysis

A July 2024 bulletin from multiple U.S. government agencies indicates that North Korean state-sponsored attackers have demonstrated interest in this vulnerability — not immediately clear whether it was exploited or just used in reconnaissance/target selection: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a

2
Ratings
Technical Analysis

A July 2024 bulletin from multiple U.S. government agencies indicates that North Korean state-sponsored attackers have demonstrated interest in this vulnerability — not immediately clear whether it was exploited or just used in reconnaissance/target selection: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a