Win-DDoS: A new distributed denial-of-service technique

Security researchers presented details of CVE-2025-32724 at DEF CON 33. It affects domain controllers that are reachable from the internet: such a domain controller can be turned both into the victim of a denial-of-service attack and into a bot that carries one out against a third party. The vulnerability is zero-click, so no user interaction is needed on the affected system, and it lets an attacker cause a denial of service without expensive or specialised tooling.

Vulnerable systems:

Windows domain controllers with the Active Directory Domain Services role. Affected products:

  • Windows 10 for 32-bit Systems
  • Windows 10 for x64-based Systems
  • Windows 10 Version 1607 for 32-bit Systems
  • Windows 10 Version 1607 for x64-based Systems
  • Windows 10 Version 1809 for 32-bit Systems
  • Windows 10 Version 1809 for x64-based Systems
  • Windows 10 Version 21H2 for 32-bit Systems
  • Windows 10 Version 21H2 for ARM64-based Systems
  • Windows 10 Version 21H2 for x64-based Systems
  • Windows 10 Version 22H2 for 32-bit Systems
  • Windows 10 Version 22H2 for ARM64-based Systems
  • Windows 10 Version 22H2 for x64-based Systems
  • Windows 11 Version 22H2 for ARM64-based Systems
  • Windows 11 Version 22H2 for x64-based Systems
  • Windows 11 Version 23H2 for ARM64-based Systems
  • Windows 11 Version 23H2 for x64-based Systems
  • Windows 11 Version 24H2 for ARM64-based Systems
  • Windows 11 Version 24H2 for x64-based Systems
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  • Windows Server 2012
  • Windows Server 2012 (Server Core installation)
  • Windows Server 2012 R2
  • Windows Server 2012 R2 (Server Core installation)
  • Windows Server 2016
  • Windows Server 2016 (Server Core installation)
  • Windows Server 2019
  • Windows Server 2019 (Server Core installation)
  • Windows Server 2022
  • Windows Server 2022 (Server Core installation)
  • Windows Server 2022, 23H2 Edition (Server Core installation)
  • Windows Server 2025
  • Windows Server 2025 (Server Core installation)

Description of the vulnerabilities:

CVE-2025-32724 (CVSS 3.1 score 7.5)

The LDAP client code in Windows placed no limit on the size of a referral list and released the memory it consumed only after the whole list had been processed. The Win-DDoS exploit abuses both properties: because the attacker controls the referral URLs, every one of them can be pointed at the victim server.

  1. The attacker sends an RPC call to the domain controllers that forces them to act as CLDAP clients.
  2. The domain controllers send a CLDAP request to the attacker's CLDAP server, which answers with a referral response.
  3. The domain controllers then send an LDAP query over TCP to the attacker's LDAP server.
  4. The attacker's LDAP server answers with a long list of LDAP referral URLs, all of which point at the victim's IP address.
  5. The domain controllers follow the referrals one by one, repeatedly sending LDAP queries to the given address and port and flooding the target server.
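Steps 3 to 5 hinge on the attacker's LDAP server returning an oversized SearchResultReference. The following added example (Python; not the researchers' or Microsoft's code) encodes such a message in BER as RFC 4511 defines it, parses it back, and contrasts a client that follows every referral, as the text describes, with one that caps the list and contacts each host:port at most once. The victim address, the referral count and the limits are constructed values, and the referral chaser only counts connections rather than opening any.

```python
"""Added example: LDAP SearchResultReference encode/parse and referral-chasing models.
Not the Win-DDoS research code and not Windows' LDAP client; a model of the behaviour
the advisory describes. Victim address and limits are constructed."""
from collections import Counter
from urllib.parse import urlsplit

VICTIM = "203.0.113.10"                 # constructed victim address (TEST-NET-3)
APP_SEARCH_RESULT_REFERENCE = 0x73      # [APPLICATION 19], constructed (RFC 4511)
SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04


def ber_length(n: int) -> bytes:
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(payload)) + payload


def encode_search_result_reference(message_id: int, urls) -> bytes:
    """LDAPMessage { messageID, SearchResultReference ::= SEQUENCE OF LDAPURL }."""
    mid = message_id.to_bytes(message_id.bit_length() // 8 + 1, "big")
    refs = b"".join(tlv(OCTET_STRING, u.encode("utf-8")) for u in urls)
    return tlv(SEQUENCE, tlv(INTEGER, mid) + tlv(APP_SEARCH_RESULT_REFERENCE, refs))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the BER element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                    # long form: first & 0x7F length octets follow
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def parse_search_result_reference(msg: bytes):
    """Return (message_id, [urls]); raise on anything that is not a referral message."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = read_tlv(body, 0)
    if tag != INTEGER:
        raise ValueError("missing messageID")
    tag, refs, _ = read_tlv(body, pos)
    if tag != APP_SEARCH_RESULT_REFERENCE:
        raise ValueError("protocolOp is not a SearchResultReference")
    urls, pos = [], 0
    while pos < len(refs):
        tag, value, pos = read_tlv(refs, pos)
        if tag != OCTET_STRING:
            raise ValueError("referral entry is not an LDAPURL")
        urls.append(value.decode("utf-8"))
    return int.from_bytes(mid, "big", signed=True), urls


def targets(urls):
    """(host, port) for each referral URL; LDAP default port when none is given."""
    for u in urls:
        parts = urlsplit(u)
        yield parts.hostname, parts.port or 389


def follow_all(urls) -> Counter:
    """Behaviour the advisory describes: every referral is chased, no cap, no de-duplication."""
    return Counter(targets(urls))


def follow_bounded(urls, max_referrals: int = 10, max_per_target: int = 1) -> Counter:
    """Hardened chaser: hard cap on the list and at most one attempt per host:port."""
    followed = Counter()
    for host, port in list(targets(urls))[:max_referrals]:
        if followed[(host, port)] < max_per_target:
            followed[(host, port)] += 1
    return followed


def attacker_response(n: int) -> bytes:
    """Constructed step-4 reply: n referrals that all point at the victim."""
    return encode_search_result_reference(
        1, [f"ldap://{VICTIM}/CN=q{i},DC=example,DC=com" for i in range(n)])


def connections_to_victim(n: int, hardened: bool) -> int:
    """How many connections a DC following the attacker's n referrals would open to the victim."""
    _, urls = parse_search_result_reference(attacker_response(n))
    hits = follow_bounded(urls) if hardened else follow_all(urls)
    return hits[(VICTIM, 389)]


if __name__ == "__main__":
    for hardened in (False, True):
        print(f"hardened={hardened}: {connections_to_victim(5000, hardened)} connections to {VICTIM}")
```

The amplification factor is simply the number of referral entries the attacker's server can fit into one response, which is why the missing size limit matters: the bounded chaser turns 5000 referrals to one host into a single connection attempt.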

From the domain controllers' point of view they are carrying out legitimate LDAP queries; in reality they are flooding the victim server with repeated requests.
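Because the domain controller believes the traffic is legitimate, the practical detection point is the network behaviour itself: a domain controller that talks LDAP or CLDAP to addresses outside the enterprise, and bursts of repeated connections to one target. The following added example (not from the advisory or the researchers) runs that logic over constructed, process-attributed connection records whose field names are modelled on Sysmon Event ID 3. It assumes that the DC's outbound LDAP client activity is attributed to lsass.exe, that everything the DC should legitimately reach over LDAP sits in the RFC 1918 ranges, and threshold values chosen for illustration; all three need adjusting to the environment.

```python
"""Added detection example (not from the advisory): flag LDAP/CLDAP connections from a DC's
lsass.exe to external addresses and bursts of repeated connections to one target.
Records are constructed, modelled on Sysmon Event ID 3 fields; not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

LDAP_PORTS = {389, 636, 3268, 3269}
# Assumption: every host the DC legitimately talks LDAP to lives in these ranges.
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BURST_WINDOW = timedelta(seconds=10)
BURST_THRESHOLD = 50            # connections to one host:port within BURST_WINDOW
LSASS = "\\lsass.exe"           # assumption: the DC's LDAP client runs inside lsass.exe


def parse_record(line: str) -> dict:
    """'<iso timestamp> Key=Value Key=Value ...' -> dict with typed ts and port."""
    ts, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["DestinationPort"] = int(rec["DestinationPort"])
    return rec


def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL)


def detect(lines):
    """Return (external LDAP/CLDAP records, {(ip, port): peak connections in one window})."""
    external = []
    times_by_target = defaultdict(list)
    for rec in map(parse_record, lines):
        if not rec["Image"].lower().endswith(LSASS) or rec["DestinationPort"] not in LDAP_PORTS:
            continue
        if not is_external(rec["DestinationIp"]):
            continue
        external.append(rec)
        times_by_target[(rec["DestinationIp"], rec["DestinationPort"])].append(rec["ts"])

    bursts = {}
    for target, times in times_by_target.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):         # sliding window over sorted timestamps
            while t - times[start] > BURST_WINDOW:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= BURST_THRESHOLD:
            bursts[target] = peak
    return external, bursts


def sample_log():
    """Constructed records: replication to an internal DC, a CLDAP and an LDAP exchange with
    an external 'attacker' server, unrelated HTTPS, then 60 LDAP connections in six seconds
    to an external 'victim' (steps 2 to 5 of the flow above)."""
    base = datetime(2025, 8, 9, 10, 0, 0)
    lsass = "Image=C:\\Windows\\System32\\lsass.exe"
    lines = [
        f"{base.isoformat()} {lsass} Protocol=tcp DestinationIp=10.0.0.6 DestinationPort=389",
        f"{(base + timedelta(seconds=1)).isoformat()} {lsass} Protocol=udp DestinationIp=198.51.100.7 DestinationPort=389",
        f"{(base + timedelta(seconds=2)).isoformat()} {lsass} Protocol=tcp DestinationIp=198.51.100.7 DestinationPort=389",
        f"{(base + timedelta(seconds=2)).isoformat()} Image=C:\\Windows\\System32\\svchost.exe "
        "Protocol=tcp DestinationIp=198.51.100.9 DestinationPort=443",
    ]
    for i in range(60):
        t = base + timedelta(seconds=3, milliseconds=100 * i)
        lines.append(f"{t.isoformat()} {lsass} Protocol=tcp DestinationIp=203.0.113.10 DestinationPort=389")
    return lines


if __name__ == "__main__":
    ext, bursts = detect(sample_log())
    print(f"{len(ext)} external LDAP/CLDAP connections from lsass.exe")
    for (ip, port), n in bursts.items():
        print(f"burst: {n} connections to {ip}:{port} within {BURST_WINDOW.seconds}s")
```

The first rule alone catches step 2 and step 3 (the attacker's own server is external), which is the earliest point at which the DC can be seen acting as a client; the burst rule catches step 5 even when the victim happens to be an address the first rule would allow.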

Technically similar vulnerabilities are CVE-2025-26673 (CVSS 3.1 score 7.5), CVE-2025-49716 (CVSS 3.1 score 7.5) and CVE-2025-49722 (CVSS 3.1 score 5.7).

Possible impact:

  • Denial of service (DoS)

Recommendations:

We recommend that administrators of vulnerable systems apply the updates released on 10 June 2025 without delay, specifically:

  • Windows Server 2016 Security Update 10.0.14393.8148
  • Windows 10 Version 1607 for x64-based Systems Security Update 10.0.14393.8148
  • Windows 10 Version 1607 for 32-bit Systems Security Update 10.0.14393.8148
  • Windows 10 for x64-based Systems Security Update 10.0.10240.21034
  • Windows 10 for 32-bit Systems Security Update 10.0.10240.21034
  • Windows Server 2025 Security Update 10.0.26100.4349
  • Windows Server 2025 Security Hotpatch Update 10.0.26100.4270
  • Windows 11 Version 24H2 for x64-based Systems Security Update 10.0.26100.4349
  • Windows 11 Version 24H2 for x64-based Systems Security Hotpatch Update 10.0.26100.4270
  • Windows 11 Version 24H2 for ARM64-based Systems Security Update 10.0.26100.4349
  • Windows 11 Version 24H2 for ARM64-based Systems Security Hotpatch Update 10.0.26100.4270
  • Windows Server 2012 R2 (Server Core installation) Monthly Rollup 6.3.9600.22620
  • Windows Server 2012 R2 Monthly Rollup 6.3.9600.22620
  • Windows Server 2012 (Server Core installation) Monthly Rollup 6.2.9200.25522
  • Windows Server 2012 Monthly Rollup 6.2.9200.25522
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) Monthly Rollup 6.1.7601.27769
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) Security Only 6.1.7601.27769
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 Monthly Rollup 6.1.7601.27769
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 Security Only 6.1.7601.27769
  • Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) Monthly Rollup 6.0.6003.23351
  • Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) Security Only 6.0.6003.23351
  • Windows Server 2008 for x64-based Systems Service Pack 2 Monthly Rollup 6.0.6003.23351
  • Windows Server 2008 for x64-based Systems Service Pack 2 Security Only 6.0.6003.23351
  • Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) Monthly Rollup 6.0.6003.23351
  • Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) Security Only 6.0.6003.23351
  • Windows Server 2022, 23H2 Edition (Server Core installation) Security Update 10.0.25398.1665
  • Windows 11 Version 23H2 for x64-based Systems Security Update 10.0.22631.5472
  • Windows 11 Version 23H2 for ARM64-based Systems Security Update 10.0.22631.5472
  • Windows Server 2025 (Server Core installation) Security Update 10.0.26100.4349
  • Windows Server 2025 (Server Core installation) Security Hotpatch Update 10.0.26100.4270
  • Windows 10 Version 22H2 for 32-bit Systems Security Update 10.0.19045.5965
  • Windows 10 Version 22H2 for ARM64-based Systems Security Update 10.0.19045.5965
  • Windows 10 Version 22H2 for x64-based Systems Security Update 10.0.19045.5965
  • Windows 11 Version 22H2 for x64-based Systems Security Update 10.0.22621.5472
  • Windows 11 Version 22H2 for ARM64-based Systems Security Update 10.0.22621.5472
  • Windows 10 Version 21H2 for x64-based Systems Security Update 10.0.19044.5965
  • Windows 10 Version 21H2 for ARM64-based Systems Security Update 10.0.19044.5965
  • Windows 10 Version 21H2 for 32-bit Systems Security Update 10.0.19044.5965
  • Windows Server 2022 (Server Core installation) Security Update 10.0.20348.3807
  • Windows Server 2022 (Server Core installation) Security Hotpatch Update 10.0.20348.3745
  • Windows Server 2022 Security Update 10.0.20348.3807
  • Windows Server 2022 Security Hotpatch Update 10.0.20348.3745
  • Windows Server 2019 (Server Core installation) Security Update 10.0.17763.7434
  • Windows Server 2019 Security Update 10.0.17763.7434
  • Windows 10 Version 1809 for x64-based Systems Security Update 10.0.17763.7434
  • Windows 10 Version 1809 for 32-bit Systems Security Update 10.0.17763.7434
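The list above gives, for each build line, the update build revision (UBR) at which the fix is present. The following added example (not from the advisory) turns it into a check that can be run over an inventory of reported versions. It assumes versions in the form major.minor.build.UBR, as the registry values CurrentBuild and UBR under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion give them, and it handles the one edge case the list contains: hosts enrolled in hotpatching (Windows Server 2025, Windows Server 2022, Windows 11 24H2) report the lower hotpatch UBR, so the check must know which servicing track a host is on. The inventory in the block is constructed.

```python
"""Added example (not from the advisory): compare reported Windows builds against the fixed
builds listed in the advisory. Version strings are major.minor.build.UBR; inventory is constructed."""

# "major.minor.build" -> (security update UBR, hotpatch-track UBR or None), taken from the list above
FIXED = {
    "10.0.26100": (4349, 4270),    # Windows Server 2025, Windows 11 24H2
    "10.0.25398": (1665, None),    # Windows Server 2022, 23H2 Edition
    "10.0.22631": (5472, None),    # Windows 11 23H2
    "10.0.22621": (5472, None),    # Windows 11 22H2
    "10.0.20348": (3807, 3745),    # Windows Server 2022
    "10.0.19045": (5965, None),    # Windows 10 22H2
    "10.0.19044": (5965, None),    # Windows 10 21H2
    "10.0.17763": (7434, None),    # Windows Server 2019, Windows 10 1809
    "10.0.14393": (8148, None),    # Windows Server 2016, Windows 10 1607
    "10.0.10240": (21034, None),   # Windows 10 (original release)
    "6.3.9600": (22620, None),     # Windows Server 2012 R2
    "6.2.9200": (25522, None),     # Windows Server 2012
    "6.1.7601": (27769, None),     # Windows Server 2008 R2 SP1
    "6.0.6003": (23351, None),     # Windows Server 2008 SP2
}


def split_version(version: str):
    """'10.0.20348.3807' -> ('10.0.20348', 3807); reject anything else explicitly."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected major.minor.build.UBR, got {version!r}")
    return ".".join(parts[:3]), int(parts[3])


def patch_status(version: str, hotpatch_enrolled: bool = False) -> str:
    """'patched', 'vulnerable', or 'unknown' when the build line is not in the advisory list.
    The hotpatch UBR only counts for hosts actually enrolled in hotpatching."""
    base, ubr = split_version(version)
    if base not in FIXED:
        return "unknown"
    regular, hotpatch = FIXED[base]
    required = hotpatch if (hotpatch_enrolled and hotpatch is not None) else regular
    return "patched" if ubr >= required else "vulnerable"


def unpatched_hosts(inventory):
    """inventory: iterable of (hostname, version, hotpatch_enrolled).
    Returns every host not confirmed patched, with its status, so 'unknown' builds are not lost."""
    result = []
    for host, version, enrolled in inventory:
        status = patch_status(version, enrolled)
        if status != "patched":
            result.append((host, version, status))
    return result


# Constructed inventory, not real hosts.
SAMPLE_INVENTORY = [
    ("dc01", "10.0.20348.3807", False),   # June security update applied
    ("dc02", "10.0.20348.3800", False),   # behind the security update
    ("dc03", "10.0.20348.3745", True),    # hotpatch track, June hotpatch applied
    ("dc04", "10.0.17763.7009", False),   # Server 2019 behind
    ("dc05", "10.0.26100.4349", False),   # Server 2025 patched
    ("legacy", "6.3.9600.22500", False),  # 2012 R2 behind the monthly rollup
    ("lab", "10.0.99999.1", False),       # build line not covered by the list
]

if __name__ == "__main__":
    for host, version, status in unpatched_hosts(SAMPLE_INVENTORY):
        print(f"{host:8} {version:18} {status}")
```

Treat "unknown" as a finding to resolve by hand rather than as a pass: a build line missing from the list is either unsupported or was mistyped in the inventory, and neither is evidence that the fix is present.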

Note: security patches are also available for the other vulnerabilities mentioned in the description above.

Sources: