Microsoft’s latest set of monthly patches brings this year’s reported vulnerabilities to 1,020 – with 30 in this year’s “known exploited” catalogue.
December’s Patch Tuesday featured 71 new CVEs, with one (allocated CVE-2024-49138) known to be exploited in the wild. This is a Windows Common Log File System (CLFS) driver Elevation of Privilege bug.
As is now standard, Microsoft offered zero details on exploitation. As an elevation-of-privilege (EoP) vulnerability, it is likely being chained with other exploits in the wild.
CLFS is a general-purpose Windows logging service that can be used by software clients running in user-mode or kernel-mode.
Adam Barnett, Lead Software Engineer at Rapid7, noted that “exploitation leads to SYSTEM privileges, and if this all sounds familiar, it should…
“There have been a series of zero-day elevation of privilege vulnerabilities in CLFS over the past few years. Past offenders are CVE-2022-24521, CVE-2023-23376, CVE-2022-37969, and CVE-2023-28252” although this bug is “the first CLFS zero-day vulnerability… published in 2024.”
Ransomware authors who have abused previous CLFS vulnerabilities will be only too pleased to get their hands on a fresh one. Expect more CLFS zero-day vulnerabilities to emerge in the future, at least until Microsoft performs a full replacement of the aging CLFS codebase instead of offering spot fixes for specific flaws – Adam Barnett, Rapid7.
Henry Smith, Senior Security Engineer, Automox, added: “Early indicators suggest that attackers might exploit this bug by using Windows APIs to manipulate log files or corrupt log data, triggering the vulnerability.
“With no feasible workarounds identified, immediate attention is necessary for any system running Windows Server, even those dating back to 2008.”
December Patch Tuesday: What’s hot?
Also notable in the batch of fixes was CVE-2024-49117, a low complexity, critical-rated Windows Hyper-V Remote Code Execution (RCE) bug.
Whilst an attacker needs to be authenticated to exploit this Hyper-V vulnerability, they only need basic authentication and can then, from a guest VM, execute code on the underlying host OS. The vulnerability was reported internally and Microsoft marks exploitation “less likely”.
“An attacker who successfully exploited this vulnerability could potentially execute a cross-VM attack, thereby compromising multiple virtual machines and expanding the impact of the attack beyond the initially targeted VM”, Microsoft said, however. With threat actors swift to reverse engineer patches, this one should arguably be a priority fix for Hyper-V users.
LDAP, LDAP, LDAP...
CVE-2024-49112, meanwhile, is the highest-scored RCE bug, with a CVSS score of 9.8. It affects Windows Lightweight Directory Access Protocol (LDAP), the widely used cross-platform protocol for directory services authentication.
It is low complexity, remotely exploitable with no user interaction and… Microsoft marks exploitation “less likely”. The company told users to “ensure that domain controllers are configured either to not access the internet or to not allow inbound RPC from untrusted networks.”
“Applying both configurations provides an effective defense-in-depth against this vulnerability”, Microsoft added in patch notes late Tuesday.
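The second of Microsoft’s two recommended configurations, not allowing inbound RPC from untrusted networks, can be audited on a domain controller with the PowerShell below. It is an added example, not code from the article or from Microsoft; it assumes the built-in NetSecurity cmdlets (Get-NetFirewallRule and related filters) and uses placeholder trusted subnets that must be replaced with your own.

```powershell
# Added example: find enabled inbound Windows Firewall allow rules that expose
# RPC (endpoint mapper on 135, or the dynamic RPC range) to any remote address.
# $TrustedNetworks is a placeholder; replace it with your real AD/management subnets.
$TrustedNetworks = @('10.0.0.0/8', '192.168.0.0/16')   # placeholder values
$Apply = $false   # set to $true to re-scope flagged rules instead of only reporting

# Windows Firewall expresses RPC ports either as the literal port 135 or with
# the keywords "RPC" (dynamic range) and "RPC-EPMap" (endpoint mapper).
# Rules whose LocalPort is "Any" are not inspected here and need a separate review.
$RpcPorts = @('135', 'RPC', 'RPC-EPMap')

$flagged = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $ports = @(($_ | Get-NetFirewallPortFilter).LocalPort)
        $hits  = @($ports | Where-Object { $RpcPorts -contains $_ })
        $hits.Count -gt 0
    } |
    Where-Object {
        # "Any" as the remote address means the rule accepts RPC from every network.
        $addr = @(($_ | Get-NetFirewallAddressFilter).RemoteAddress)
        $addr -contains 'Any'
    }

if (-not $flagged) {
    Write-Output 'No inbound RPC allow rule is open to any remote address.'
} else {
    foreach ($rule in $flagged) {
        Write-Output ('Open RPC rule: {0} ({1})' -f $rule.DisplayName, $rule.Name)
        if ($Apply) {
            # Restrict the existing allow rule to the trusted subnets rather than
            # adding a block rule: block rules always win over allow rules in
            # Windows Firewall, so scoping the allow rule is the cleaner control.
            Set-NetFirewallRule -Name $rule.Name -RemoteAddress $TrustedNetworks
        }
    }
}
```

This only inspects the host firewall; it does not confirm that upstream network firewalls filter RPC, nor does it check the first recommendation, that the domain controller cannot reach the internet.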