A Home windows zero-day safety vulnerability underneath energetic exploit leads Microsoft’s December 2024 Patch Tuesday safety replace, which hardly constitutes a sleigh of festive tidings for safety admins: A stocking full of 71 patches.
The tech big unwrapped CVEs in Home windows and Home windows Elements, Workplace and Workplace Elements, SharePoint Server, Hyper-V, Defender for Endpoint, and System Heart Operations Supervisor.
This yr’s holiday-season entry brings the whole variety of patches for the yr to 1,020, Redmond’s second-most voluminous yr for fixes after 2020’s 1,250. Out of this month’s CVEs, 16 are rated as important.
Home windows CLFS Zero-Day Permits Privilege Escalation
The actively exploited bug is tracked as CVE-2024-49138 (CVSS 7.8), a moderate-severity flaw within the Home windows Frequent Log File System (CLFS) Driver.
“CLFS is a logging service that helps consumer and kernel-mode operations,” defined Henry Smith, senior safety engineer at Automox, in an emailed evaluation. “Whereas the main points are nonetheless restricted, the basis trigger probably ties again to improper knowledge validation. … Early indicators recommend that attackers may exploit this bug through the use of Home windows APIs to control log recordsdata or corrupt log knowledge, triggering the vulnerability.”
The potential influence is substantial, he added, on condition that an exploit results in SYSTEM-level privileges on Home windows Server. When paired with a distant code execution (RCE) bug, it is an ideal recipe for utterly taking up a PC.
Satnam Narang, senior workers analysis engineer at Tenable, famous by way of e mail that ransomware operators specifically have “developed a penchant for exploiting CLFS elevation-of-privilege flaws over the previous few years.”
He famous, “not like superior persistent risk (APT) teams that usually deal with precision and persistence, ransomware operators and associates are centered on the smash-and-grab techniques by any means obligatory. By utilizing elevation-of-privilege flaws like this one in CLFS, ransomware associates can transfer by a given community with a view to steal and encrypt knowledge and start extorting their victims.”
Crucial Distant-Code Execution Vulnerabilities in LDAP, Hyper-V, RDP
The critical-severity CVE-2024-49112 (CVSS 9.8) is probably probably the most regarding CVE on this month’s stocking of distress. It is an unauthenticated RCE concern within the Home windows Light-weight Listing Entry Protocol (LDAP).
In accordance with Dustin Childs on the Zero Day Initiative (ZDI), cyberattackers can exploit the bug to compromise Area Controllers by sending a specifically crafted set of LDAP calls.
“Code execution happens on the degree of the LDAP service, which is elevated, however not SYSTEM,” Childs wrote in a weblog publish on Dec. 10. “Microsoft gives some … attention-grabbing mitigation recommendation. They advocate disconnecting Area Controllers from the Web. Whereas that will cease this assault, I am unsure how sensible that will be for many enterprises. I like to recommend testing and deploying the patch rapidly.”
One other important RCE vulnerability to deal with rapidly is CVE-2024-49117 (CVSS 8.8) in Home windows Hyper-V. An exploit would enable somebody on a visitor digital machine (VM) to execute code on the underlying host OS, or carry out a cross-VM assault.
“The excellent news right here is that the attacker does have to be authenticated,” Childs famous. “The unhealthy information is that the attacker solely requires primary authentication — nothing elevated. In case you are operating Hyper-V or have hosts on a Hyper-V server, you will positively wish to get this patched rapidly.”
A complete of 9 important bugs have an effect on Home windows Distant Desktop Companies, with one (CVE-2024-49132, CVSS 8.1) permitting RCE by exploiting a use-after-free reminiscence situation.
“The exploit requires exact timing, making it a complicated assault,” Ryan Braunstein, safety supervisor at Automox, mentioned by way of e mail. “Particularly, if a consumer connects by the Distant Desktop Gateway position, an attacker may deliberately set off the use-after-free situation. Efficiently exploited, this vulnerability can enable attackers to execute their code remotely, gaining management of the system.”
Which means exploitation is on the troublesome aspect, however Braunstein cautioned that “over time, it is probably that cyberattackers develop instruments that simplify the assault course of. Till then, there are not any efficient workarounds, making speedy patching your finest likelihood to mitigate this threat.”
There are additionally eight different important vulnerabilities that price 8.1 on the CVSS scale in Distant Desktop Companies, together with 5 different UAF bugs (CVE-2024-49115, CVE-2024-49116, CVE-2024-49108, CVE-2024-49106, and CVE-2024-49128); CVE-2024-49123, which includes delicate knowledge storage in improperly locked reminiscence; CVE-2024-49120, an insecure default variable initialization flaw; and CVE-2024-49119, arising from improper useful resource dealing with throughout RDP periods.
“These vulnerabilities underscore persistent points in RDP elements, together with reminiscence administration, timing, and operational dealing with,” mentioned Mike Walters, president and co-founder of Action1, by way of e mail. “[With] different root causes, [it shows that] attackers can exploit totally different sides of RDP companies. Organizations ought to keep away from exposing RDP companies to the worldwide Web and implement strong safety controls to mitigate dangers. These flaws additional show the risks of leaving RDP open and unprotected.”
Different December 2024 Safety Vulnerabilities to Patch Now
Safety specialists additionally flagged two different bugs for safety admins so as to add to their vacation checklists, together with an EoP vulnerability within the Home windows Resilient File System (ReFS).
Resilient File System (ReFS) is a file system designed for enhanced scalability and fault tolerance for virtualization environments, databases, and backups. It affords knowledge resilience, storage effectivity, and improved efficiency.
“CVE-2024-49093 (CVSS 8.8) revolves round a scope change that permits an attacker to raise privileges from a low-privilege app container surroundings,” defined Seth Hoyt, senior safety engineer at Automox, by way of e mail. “Usually, app containers are designed to restrict a course of’s potential to entry recordsdata, reminiscence, and different sources. Exploiting this vulnerability permits attackers to flee these confines, gaining broader system-level entry. This implies they will work together with recordsdata, processes, and reminiscence beforehand out of attain.”
From there, cyberattackers may transfer laterally throughout the surroundings, he added.
The ultimate lump of coal known as out by researchers this month is an RCE vulnerability in Musik (CVE-2024-49063), a analysis challenge on AI-created music.
“We have been questioning what bugs in AI would appear like, and to this point, they appear like deserialization vulnerabilities,” ZDI’s Childs mentioned. “That is what we have now right here. An attacker may acquire code execution by crafting a payload that executes upon deserialization. Neat.”