CVE-2022-22012 Windows LDAP Remote Code Execution Vulnerability

CVE-2022-22012 Windows LDAP Remote Code Execution Vulnerability

These are details of the first public release of the advisory. The advisory will be updated when more information becomes available. What’s an LDAP remote code execution vulnerability? LDAP is an application protocol that connects applications and systems to directory services, directories, and databases. LDAP is most commonly used to synchronize contacts and other data from a mobile device to a corporate system. LDAP can also be used for authentication. LDAP is used by many applications, such as Kerio Connect, Iridium, and many more. An attacker can exploit a vulnerability in an LDAP application to execute arbitrary code on the application’s host. LDAP is commonly enabled by default. Some LDAP applications also have vulnerable LDAP back ends. For example, the LDAP protocol does not protect against information disclosure, making it an attractive target for attackers to exploit. How did you discover this vulnerability? We discovered this vulnerability during the course of our routine security monitoring. What made you suspicious? This vulnerability was publicly disclosed on June 13, 2018. What are the symptoms of this vulnerability? Users with access to an LDAP server could be exploited to execute arbitrary code on the LDAP server

What’s an LDAP vulnerability?

LDAP is an application protocol that connects applications and systems to directory services, directories, and databases. LDAP is most commonly used to synchronize contacts and other data from a mobile device to a corporate system. LDAP can also be used for authentication. LDAP is used by many applications, such as Kerio Connect, Iridium, and many more. An attacker can exploit a vulnerability in an LDAP application to execute arbitrary code on the application’s host. LDAP is commonly enabled by default. Some LDAP applications also have vulnerable LDAP back ends. For example, the LDAP protocol does not protect against information disclosure, making it an attractive target for attackers to exploit.

Detecting an LDAP Remote Code Execution Vulnerability

First, make sure your LDAP server is configured to use TLS. Next, scan your LDAP server to detect possible exploits. For example:
Determine whether the LDAP server can be reached via SSLEngine with a "find" command. If so, determine the LDAP port number in use. If not, determine if any services have been enabled on the SSL listener.
If you're still unsure, consult a security researcher to help with your evaluation.

What you need to do to protect yourself against this vulnerability?

Do not use LDAP.
Monitor your network traffic for signs of a LDAP connection.
Locate and disable any exposed LDAP services.
Keep your operating systems and applications up-to-date with the latest security patches.

What you should do to protect your system against LDAP remote code execution vulnerabilities

Because LDAP is enabled by default, all users are at risk of exploitation. If you use an LDAP server, you should consider disabling LDAP until a patch is made available. The vulnerability is present in the basic service within the LDAP protocol and affects many commonly used applications. This vulnerability has a high security impact rating because it could provide the attacker with complete control over the system running the vulnerable application.

References

Subscribe to CVE.news
Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.
jamie@example.com
Subscribe