The January 2023 updates address Two LDAP vulnerabilities affecting Domain Controllers


When looking at the January 10, 2023, cumulative updates (1B23) for Windows Server today, I noticed two fixes that specifically address a Remote Code Execution (RCE) vulnerability and a Denial of Service (DoS) vulnerability in Windows LDAP. In the default configuration, both vulnerabilities are specific to Domain Controllers, which is what sparked my interest in these updates.


About the vulnerabilities

CVE-2023-21676 LDAP Remote Code Execution Vulnerability

CVE-2023-21676 is a vulnerability in the Windows Lightweight Directory Access Protocol (LDAP) implementation that could allow an authenticated adversary to execute code remotely on Windows Server installations configured as Domain Controllers. The attack is of low complexity and is carried out over the network; the adversary needs valid credentials, but no more than that.

The CVSSv3 base score of this vulnerability is 8.8 (temporal score 7.7).

The vulnerability was responsibly disclosed by Microsoft's Offensive Research and Security Engineering (MORSE) team.


CVE-2023-21557 LDAP Denial of Service Vulnerability

CVE-2023-21557 is a vulnerability in the Windows Lightweight Directory Access Protocol (LDAP) implementation that could allow an unauthenticated adversary to bypass a buffer length check, which could be leveraged to achieve an information leak. To trigger it, a specially crafted request merely needs to be sent to a vulnerable Domain Controller over the network. Because no authentication is required, any host that can reach the LDAP ports of a Domain Controller is a potential source of such a request.

The CVSSv3 base score of this vulnerability is 7.5 (temporal score 6.5).

The vulnerability was responsibly disclosed by Microsoft's Offensive Research and Security Engineering (MORSE) team.


Affected Operating Systems

The above vulnerabilities exist in all supported Windows and Windows Server operating systems.

Although support for Windows Server 2008 and Windows Server 2008 R2 has ended, Microsoft has made these updates available for those platforms through the Extended Security Update (ESU) program. The January 10, 2023, updates are the last updates for these platforms.


Call to Action

I urge you to install the necessary security updates on Domain Controllers in a test environment as soon as possible, assess the risk and possible impact on your production environment, and then roll out the update to the Windows Server installations running as Domain Controllers in production.
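To see where a roll-out stands, it helps to have a per-Domain-Controller view of what has actually been installed. The following script is an added example and is not code from the original post. It enumerates the Domain Controllers of the current domain, asks each for its most recently installed update, and flags those that have not received anything on or after the January 10, 2023 release date. It assumes the ActiveDirectory RSAT module is installed, that the account running it may query each DC remotely (Get-HotFix uses WMI/DCOM), and that the DCs' clocks are trustworthy.

```powershell
# Added example (not from the original post): report, per Domain Controller, the latest
# installed update and whether it was installed on or after January 10, 2023.
# Assumptions: ActiveDirectory RSAT module present; remote WMI/DCOM access to every DC.
Import-Module ActiveDirectory

$ReleaseDate = (Get-Date -Year 2023 -Month 1 -Day 10).Date

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # Win32_QuickFixEngineering does not always record an install date; skip those entries
        $latest = Get-HotFix -ComputerName $dc.HostName -ErrorAction Stop |
            Where-Object { $_.InstalledOn } |
            Sort-Object -Property InstalledOn -Descending |
            Select-Object -First 1

        [pscustomobject]@{
            DomainController = $dc.HostName
            OperatingSystem  = $dc.OperatingSystem
            LatestHotFixID   = $latest.HotFixID
            InstalledOn      = $latest.InstalledOn
            PatchedSinceJan  = [bool]($latest -and $latest.InstalledOn.Date -ge $ReleaseDate)
            Error            = $null
        }
    }
    catch {
        # An unreachable DC is reported as unpatched so it is not silently dropped
        [pscustomobject]@{
            DomainController = $dc.HostName
            OperatingSystem  = $dc.OperatingSystem
            LatestHotFixID   = $null
            InstalledOn      = $null
            PatchedSinceJan  = $false
            Error            = $_.Exception.Message
        }
    }
}

# Unpatched and unreachable Domain Controllers sort to the top
$report | Sort-Object -Property PatchedSinceJan, DomainController | Format-Table -AutoSize
```

The date check is a heuristic, not proof that the LDAP fixes are present: any update recorded after January 10 satisfies it. Cross-check the reported HotFixID against the KB numbers that the Microsoft Security Update Guide lists for CVE-2023-21676 and CVE-2023-21557 for each operating system version before signing off on a Domain Controller.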

2 Responses to The January 2023 updates address Two LDAP vulnerabilities affecting Domain Controllers

  1. Hi! Do the January 2023 updates for Domain Controllers cover the updates and changes that were addressed in the November 2022 and December 2022 updates?
     I'm trying to see if it's safe to install on Domain Controllers running Windows Server 2012 R2 and Windows Server 2019…

    • Hi Erik,

      Yes.

      The January 2023 cumulative updates for Windows Server 2012 R2 and Windows Server 2019 include all the updates and changes of previous updates. Please note that for CVE-2022-37967, Domain Controllers will be configured for the second deployment phase (Audit mode).

      For Windows Server 2019, only cumulative updates are available. For Windows Server 2012 R2 there are also other updates available that may or may not include all changes.
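Since the reply above points out that the January 2023 update moves Domain Controllers to the second deployment phase (Audit mode) for CVE-2022-37967, an administrator rolling it out will want to confirm which phase each Domain Controller is actually in. The script below is an added example and is not code from the original post or from the commenter. It reads the KrbtgtFullPacSignature value from the Kdc service key on every Domain Controller; the registry location and the meaning of the values are those documented by Microsoft in KB5020805. It assumes the ActiveDirectory RSAT module is installed and that PowerShell remoting (WinRM) to every Domain Controller is permitted for the running account.

```powershell
# Added example (not from the original post or the comment author): read the
# KrbtgtFullPacSignature value that selects the CVE-2022-37967 deployment phase on each DC.
# Assumptions: ActiveDirectory RSAT module present; WinRM remoting allowed to every DC.
Import-Module ActiveDirectory

# Value semantics as documented by Microsoft in KB5020805 for the Kdc service key
$Phase = @{
    0 = 'Disabled (no signatures added or validated)'
    1 = 'Initial deployment (signatures added, not validated)'
    2 = 'Audit mode'
    3 = 'Enforcement mode'
}

$dcs = (Get-ADDomainController -Filter *).HostName

$settings = Invoke-Command -ComputerName $dcs -ScriptBlock {
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
    $item = Get-ItemProperty -Path $key -Name KrbtgtFullPacSignature -ErrorAction SilentlyContinue
    $value = $null
    if ($item) { $value = [int]$item.KrbtgtFullPacSignature }
    [pscustomobject]@{
        DomainController       = $env:COMPUTERNAME
        KrbtgtFullPacSignature = $value
    }
}

$settings |
    Select-Object DomainController, KrbtgtFullPacSignature, @{
        Name       = 'Phase'
        Expression = {
            # When the value is absent, the default of the installed update's phase applies
            if ($null -eq $_.KrbtgtFullPacSignature) { 'Not set (installed update default applies)' }
            else { $Phase[$_.KrbtgtFullPacSignature] }
        }
    } |
    Sort-Object DomainController |
    Format-Table -AutoSize
```

A Domain Controller that reports an explicit value has had the phase pinned by an administrator and will not move with the update; one that reports "Not set" follows whatever default the installed cumulative update applies, which is the case the reply describes.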
