Actively Exploited Zero-Day, Critical RCEs Lead Microsoft Patch Tuesday

A Windows zero-day security vulnerability under active exploit leads Microsoft's December 2024 Patch Tuesday security update, which hardly constitutes a sleigh of festive tidings for security admins: A stocking stuffed with 71 patches.

The tech giant unwrapped CVEs in Windows and Windows Components, Office and Office Components, SharePoint Server, Hyper-V, Defender for Endpoint, and System Center Operations Manager.

This year's holiday-season entry brings the total number of patches for the year to 1,020, Redmond's second-most voluminous year for fixes after 2020's 1,250. Out of this month's CVEs, 16 are rated as critical.

Windows CLFS Zero-Day Allows Privilege Escalation

The actively exploited bug is tracked as CVE-2024-49138 (CVSS 7.8), a moderate-severity flaw in the Windows Common Log File System (CLFS) Driver.

“CLFS is a logging service that supports user and kernel-mode operations,” explained Henry Smith, senior security engineer at Automox, in an emailed analysis. "While the details are still limited, the root cause likely ties back to improper data validation. … Early indicators suggest that attackers might exploit this bug by using Windows APIs to manipulate log files or corrupt log data, triggering the vulnerability."

The potential impact is substantial, he added, given that an exploit leads to SYSTEM-level privileges on Windows Server. When paired with a remote code execution (RCE) bug, it's a perfect recipe for completely taking over a PC.

Related:Microsoft NTLM Zero-Day to Remain Unpatched Until April

Satnam Narang, senior staff research engineer at Tenable, noted via email that ransomware operators in particular have "developed a penchant for exploiting CLFS elevation-of-privilege flaws over the last few years."

He noted, "unlike advanced persistent threat (APT) groups that typically focus on precision and patience, ransomware operators and affiliates are focused on the smash-and-grab tactics by any means necessary. By using elevation-of-privilege flaws like this one in CLFS, ransomware affiliates can move through a given network in order to steal and encrypt data and begin extorting their victims."

Critical Remote-Code Execution Vulnerabilities in LDAP, Hyper-V, RDP

The critical-severity CVE-2024-49112 (CVSS 9.8) is perhaps the most concerning CVE in this month's stocking of misery. It's an unauthenticated RCE issue in the Windows Lightweight Directory Access Protocol (LDAP).

According to Dustin Childs at the Zero Day Initiative (ZDI), cyberattackers can exploit the bug to compromise Domain Controllers by sending a specially crafted set of LDAP calls.

Related:Microsoft Expands Access to Windows Recall AI Feature

"Code execution occurs at the level of the LDAP service, which is elevated, but not SYSTEM," Childs wrote in a blog post on Dec. 10. "Microsoft provides some … interesting mitigation advice. They recommend disconnecting Domain Controllers from the Internet. While that would stop this attack, I'm not sure how practical that would be for most enterprises. I recommend testing and deploying the patch quickly."

Another critical RCE vulnerability to address quickly is CVE-2024-49117 (CVSS 8.8) in Windows Hyper-V. An exploit would allow someone on a guest virtual machine (VM) to execute code on the underlying host OS, or perform a cross-VM attack.

"The good news here is that the attacker does need to be authenticated," Childs noted. "The bad news is that the attacker only requires basic authentication — nothing elevated. If you are running Hyper-V or have hosts on a Hyper-V server, you'll definitely want to get this patched quickly."

A total of nine critical bugs affect Windows Remote Desktop Services, with one (CVE-2024-49132, CVSS 8.1) allowing RCE by exploiting a use-after-free memory condition.

"The exploit requires precise timing, making it an advanced attack," Ryan Braunstein, security manager at Automox, said via email. "Specifically, if a user connects through the Remote Desktop Gateway role, an attacker could intentionally trigger the use-after-free scenario. Successfully exploited, this vulnerability can allow attackers to execute their code remotely, gaining control of the system."

Related:Open Source Security Priorities Get a Reshuffle

That means exploitation is on the difficult side, but Braunstein cautioned that "over time, it's likely that cyberattackers develop tools that simplify the attack process. Until then, there are no effective workarounds, making immediate patching your best chance to mitigate this risk."

There are also eight other critical vulnerabilities that rate 8.1 on the CVSS scale in Remote Desktop Services, including five other UAF bugs (CVE-2024-49115, CVE-2024-49116, CVE-2024-49108, CVE-2024-49106, and CVE-2024-49128); CVE-2024-49123, which involves sensitive data storage in improperly locked memory; CVE-2024-49120, an insecure default variable initialization flaw; and CVE-2024-49119, arising from improper resource handling during RDP sessions.

"These vulnerabilities underscore persistent issues in RDP components, including memory management, timing, and operational handling," said Mike Walters, president and co-founder of Action1, via email. “[With] varied root causes, [it shows that] attackers can exploit different facets of RDP services. Organizations should avoid exposing RDP services to the global Internet and implement robust security controls to mitigate risks. These flaws further prove the dangers of leaving RDP open and unprotected."

Other December 2024 Security Vulnerabilities to Patch Now

Security experts also flagged two other bugs for security admins to add to their holiday checklists, including an EoP vulnerability in the Windows Resilient File System (ReFS).

Resilient File System (ReFS) is a file system designed for enhanced scalability and fault tolerance for virtualization environments, databases, and backups. It offers data resilience, storage efficiency, and improved performance.

"CVE-2024-49093 (CVSS 8.8) revolves around a scope change that allows an attacker to elevate privileges from a low-privilege app container environment," explained Seth Hoyt, senior security engineer at Automox, via email. "Normally, app containers are designed to limit a process's ability to access files, memory, and other resources. Exploiting this vulnerability enables attackers to escape those confines, gaining broader system-level access. This means they can interact with files, processes, and memory previously out of reach."

From there, cyberattackers could move laterally across the environment, he added.

The final lump of coal called out by researchers this month is an RCE vulnerability in Musik (CVE-2024-49063), a research project on AI-created music.

“We've been wondering what bugs in AI would look like, and so far, they look like deserialization vulnerabilities," ZDI's Childs said. "That's what we have here. An attacker could gain code execution by crafting a payload that executes upon deserialization. Neat."