A Home windows zero-day safety vulnerability underneath energetic exploit leads Microsoft’s December 2024 Patch Tuesday safety replace, which hardly constitutes a sleigh of festive tidings for safety admins: A stocking full of 71 patches.
The tech big unwrapped CVEs in Home windows and Home windows Parts, Workplace and Workplace Parts, SharePoint Server, Hyper-V, Defender for Endpoint, and System Middle Operations Supervisor.
This yr’s holiday-season entry brings the entire variety of patches for the yr to 1,020, Redmond’s second-most voluminous yr for fixes after 2020’s 1,250. Out of this month’s CVEs, 16 are rated as crucial.
Home windows CLFS Zero-Day Permits Privilege Escalation
The actively exploited bug is tracked as CVE-2024-49138 (CVSS 7.8), a moderate-severity flaw within the Home windows Frequent Log File System (CLFS) Driver.
“CLFS is a logging service that helps person and kernel-mode operations,” defined Henry Smith, senior safety engineer at Automox, in an emailed evaluation. “Whereas the main points are nonetheless restricted, the basis trigger possible ties again to improper information validation. … Early indicators recommend that attackers may exploit this bug through the use of Home windows APIs to control log information or corrupt log information, triggering the vulnerability.”
The potential influence is substantial, he added, on condition that an exploit results in SYSTEM-level privileges on Home windows Server. When paired with a distant code execution (RCE) bug, it is an ideal recipe for utterly taking on a PC.
Satnam Narang, senior employees analysis engineer at Tenable, famous by way of e-mail that ransomware operators specifically have “developed a penchant for exploiting CLFS elevation-of-privilege flaws over the previous few years.”
He famous, “not like superior persistent menace (APT) teams that sometimes give attention to precision and persistence, ransomware operators and associates are targeted on the smash-and-grab ways by any means crucial. By utilizing elevation-of-privilege flaws like this one in CLFS, ransomware associates can transfer by means of a given community with a view to steal and encrypt information and start extorting their victims.”
Vital Distant-Code Execution Vulnerabilities in LDAP, Hyper-V, RDP
The critical-severity CVE-2024-49112 (CVSS 9.8) is probably probably the most regarding CVE on this month’s stocking of distress. It is an unauthenticated RCE subject within the Home windows Light-weight Listing Entry Protocol (LDAP).
In line with Dustin Childs on the Zero Day Initiative (ZDI), cyberattackers can exploit the bug to compromise Area Controllers by sending a specifically crafted set of LDAP calls.
“Code execution happens on the degree of the LDAP service, which is elevated, however not SYSTEM,” Childs wrote in a weblog publish on Dec. 10. “Microsoft supplies some … fascinating mitigation recommendation. They suggest disconnecting Area Controllers from the Web. Whereas that might cease this assault, I am undecided how sensible that might be for many enterprises. I like to recommend testing and deploying the patch rapidly.”
One other crucial RCE vulnerability to deal with rapidly is CVE-2024-49117 (CVSS 8.8) in Home windows Hyper-V. An exploit would permit somebody on a visitor digital machine (VM) to execute code on the underlying host OS, or carry out a cross-VM assault.
“The excellent news right here is that the attacker does should be authenticated,” Childs famous. “The dangerous information is that the attacker solely requires fundamental authentication — nothing elevated. If you’re working Hyper-V or have hosts on a Hyper-V server, you will undoubtedly wish to get this patched rapidly.”
A complete of 9 crucial bugs have an effect on Home windows Distant Desktop Providers, with one (CVE-2024-49132, CVSS 8.1) permitting RCE by exploiting a use-after-free reminiscence situation.
“The exploit requires exact timing, making it a sophisticated assault,” Ryan Braunstein, safety supervisor at Automox, stated by way of e-mail. “Particularly, if a person connects by means of the Distant Desktop Gateway position, an attacker might deliberately set off the use-after-free state of affairs. Efficiently exploited, this vulnerability can permit attackers to execute their code remotely, gaining management of the system.”
Which means exploitation is on the troublesome aspect, however Braunstein cautioned that “over time, it is possible that cyberattackers develop instruments that simplify the assault course of. Till then, there aren’t any efficient workarounds, making speedy patching your finest likelihood to mitigate this danger.”
There are additionally eight different crucial vulnerabilities that fee 8.1 on the CVSS scale in Distant Desktop Providers, together with 5 different UAF bugs (CVE-2024-49115, CVE-2024-49116, CVE-2024-49108, CVE-2024-49106, and CVE-2024-49128); CVE-2024-49123, which entails delicate information storage in improperly locked reminiscence; CVE-2024-49120, an insecure default variable initialization flaw; and CVE-2024-49119, arising from improper useful resource dealing with throughout RDP periods.
“These vulnerabilities underscore persistent points in RDP parts, together with reminiscence administration, timing, and operational dealing with,” stated Mike Walters, president and co-founder of Action1, by way of e-mail. “[With] diversified root causes, [it shows that] attackers can exploit completely different sides of RDP providers. Organizations ought to keep away from exposing RDP providers to the worldwide Web and implement strong safety controls to mitigate dangers. These flaws additional show the hazards of leaving RDP open and unprotected.”
Different December 2024 Safety Vulnerabilities to Patch Now
Safety specialists additionally flagged two different bugs for safety admins so as to add to their vacation checklists, together with an EoP vulnerability within the Home windows Resilient File System (ReFS).
Resilient File System (ReFS) is a file system designed for enhanced scalability and fault tolerance for virtualization environments, databases, and backups. It provides information resilience, storage effectivity, and improved efficiency.
“CVE-2024-49093 (CVSS 8.8) revolves round a scope change that permits an attacker to raise privileges from a low-privilege app container surroundings,” defined Seth Hoyt, senior safety engineer at Automox, by way of e-mail. “Usually, app containers are designed to restrict a course of’s capacity to entry information, reminiscence, and different assets. Exploiting this vulnerability permits attackers to flee these confines, gaining broader system-level entry. This implies they’ll work together with information, processes, and reminiscence beforehand out of attain.”
From there, cyberattackers might transfer laterally throughout the surroundings, he added.
The ultimate lump of coal known as out by researchers this month is an RCE vulnerability in Musik (CVE-2024-49063), a analysis undertaking on AI-created music.
“We have been questioning what bugs in AI would seem like, and up to now, they seem like deserialization vulnerabilities,” ZDI’s Childs stated. “That is what we’ve got right here. An attacker might achieve code execution by crafting a payload that executes upon deserialization. Neat.”
