Microsoft Fixes Zero-Day, Critical RCEs in Patch Tuesday

A significant Windows zero-day security vulnerability is at the forefront of Microsoft’s December 2024 Patch Tuesday security update, which presents a hefty collection of 71 patches for security administrators to manage. This update, while not exactly festive, brings the total number of patches issued this year to an impressive 1,020, marking it as Redmond’s second-highest volume of fixes since 2020, which saw 1,250 patches. Among the vulnerabilities addressed this month, 16 have been classified as critical.

Windows CLFS Zero-Day Allows Privilege Escalation

The actively exploited vulnerability, tracked as CVE-2024-49138 (CVSS 7.8), is a moderate-severity flaw within the Windows Common Log File System (CLFS) Driver. Henry Smith, a senior security engineer at Automox, provided insight into the issue, noting that CLFS serves as a logging service for both user and kernel-mode operations. Although details remain sparse, the root cause appears to stem from improper data validation. Smith indicated that attackers might exploit this vulnerability by manipulating log files or corrupting log data through Windows APIs, potentially leading to SYSTEM-level privileges on Windows Server. This scenario could create a pathway for complete control over a PC when combined with a remote code execution (RCE) bug.

Satnam Narang, a senior staff research engineer at Tenable, highlighted the growing trend among ransomware operators to exploit CLFS elevation-of-privilege flaws. He pointed out that unlike advanced persistent threat (APT) groups, which tend to be methodical, ransomware affiliates often employ aggressive tactics to infiltrate networks, steal data, and extort victims.

Critical Remote-Code Execution Vulnerabilities in LDAP, Hyper-V, RDP

Among the critical vulnerabilities this month, CVE-2024-49112 (CVSS 9.8) stands out as a particularly alarming RCE issue within the Windows Lightweight Directory Access Protocol (LDAP). Dustin Childs from the Zero Day Initiative (ZDI) explained that cyberattackers could exploit this flaw to compromise Domain Controllers by sending specially crafted LDAP calls. Although code execution occurs at an elevated level, it is not at the SYSTEM level. Childs noted that Microsoft has suggested disconnecting Domain Controllers from the Internet as a mitigation strategy, though he questioned the practicality of this recommendation for most enterprises.

Another critical RCE vulnerability, CVE-2024-49117 (CVSS 8.8), affects Windows Hyper-V, allowing an attacker on a guest virtual machine to execute code on the host operating system. While authentication is required, it only necessitates basic credentials, making it essential for organizations running Hyper-V to prioritize patching.

Additionally, nine critical vulnerabilities impact Windows Remote Desktop Services, including CVE-2024-49132 (CVSS 8.1), which enables RCE through a use-after-free memory condition. Ryan Braunstein, a security manager at Automox, remarked that exploitation requires precise timing and therefore remains a complex attack. He cautioned that, as time progresses, attackers may develop tools to simplify the process, underscoring the importance of immediate patching to mitigate risks.

Other December 2024 Security Vulnerabilities to Patch Now

Security experts have also identified two additional vulnerabilities that should be on security administrators’ holiday checklists. One of these is an elevation of privilege (EoP) vulnerability in the Windows Resilient File System (ReFS), designated as CVE-2024-49093 (CVSS 8.8). Seth Hoyt, a senior security engineer at Automox, explained that this flaw allows an attacker to escape the confines of a low-privilege app container environment, thereby gaining broader system-level access.

The final notable vulnerability this month is an RCE issue in Musik, a research project focused on AI-generated music, tracked as CVE-2024-49063. Childs from ZDI remarked on the intriguing nature of this vulnerability, which involves deserialization issues that could allow an attacker to gain code execution through a crafted payload.
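The deserialization weakness mentioned above is a general class of bug, so here is an added illustration in Python (not code from the article or from the Musik project): a service that deserializes an untrusted blob with `pickle` ends up executing whatever callable the blob names, while a restricted unpickler with an allow-list, or a data-only format such as JSON, does not. The payload, the allow-list and the callable used as a stand-in for attacker-chosen code are all constructed for this example.

```python
"""Added example: unsafe deserialization versus two hardened alternatives.
Nothing here is the Musik project's code; the payload and the allow-list are
constructed for illustration."""
import io
import json
import pickle
import operator


class Crafted:
    """Stand-in for a crafted payload object.

    pickle honours __reduce__ on dump: the stream will contain a reference to
    the global callable `_operator.add` plus its arguments, and pickle.loads
    will call it on load. operator.add is a harmless stand-in for the
    callable an attacker would actually choose.
    """

    def __reduce__(self):
        return (operator.add, ("crafted-", "payload"))


def craft_payload() -> bytes:
    # Constructed "untrusted" bytes as they might arrive over the network.
    return pickle.dumps(Crafted())


def safe_payload() -> bytes:
    # A benign blob containing only plain data (no globals at all).
    return pickle.dumps({"track": "demo"})


def unsafe_loads(data: bytes):
    # Vulnerable pattern: pickle.loads on untrusted input executes the
    # callable the payload names and returns its result.
    return pickle.loads(data)


# Hypothetical allow-list: the only globals the application legitimately
# needs to reconstruct. Everything else is refused before it is looked up.
ALLOWED_GLOBALS = {("builtins", "dict"), ("builtins", "list")}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuses any global (module, name) pair outside ALLOWED_GLOBALS."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def restricted_rejects(data: bytes) -> bool:
    """True if the restricted unpickler refuses the blob."""
    try:
        restricted_loads(data)
        return False
    except pickle.UnpicklingError:
        return True


def json_loads(data: bytes):
    # Preferred mitigation: a data-only format cannot reference callables,
    # so a crafted document can at worst be malformed, never executed.
    return json.loads(data)


if __name__ == "__main__":
    blob = craft_payload()
    print("unsafe_loads ran the payload's callable:", unsafe_loads(blob))
    print("restricted unpickler rejects it:", restricted_rejects(blob))
    print("restricted unpickler still loads plain data:",
          restricted_loads(safe_payload()))
    print("json path:", json_loads(b'{"track": "demo"}'))
```

The allow-list approach only narrows the attack surface to the listed classes, so it is a stop-gap; the durable fix is to stop accepting `pickle` (or any object-graph format) from untrusted sources and parse a data-only schema instead.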
