December Patch Tuesday reveals 70 vulnerabilities
Microsoft is addressing 70 vulnerabilities this December 2024 Patch Tuesday, with evidence of in-the-wild exploitation and public disclosure for one of the vulnerabilities published today (December 10), reflected in a CISA KEV entry.
For the third month in a row, Microsoft has published zero-day vulnerabilities on Patch Tuesday without rating any of them as critical severity at time of publication. Today sees the publication of 16 critical remote code execution (RCE) vulnerabilities, which is more than usual. Two browser vulnerabilities were already published separately earlier this month and are not included in the total.
This month's zero-day vulnerability is CVE-2024-49138, an elevation of privilege vulnerability in the Windows Common Log File System (CLFS) driver, a general-purpose Windows logging service that can be used by software clients running in user mode or kernel mode.
Exploitation leads to SYSTEM privileges, and if this all sounds familiar, it is. There has been a series of zero-day elevation of privilege vulnerabilities in CLFS over the past few years. Prior offenders include CVE-2022-24521, CVE-2023-23376, CVE-2022-37969, and CVE-2023-28252; today's addition of CVE-2024-49138 is the first zero-day CLFS vulnerability Microsoft has published in 2024. Although the advisory does not provide many details on the means of exploitation, the weakness is CWE-122: Heap-based Buffer Overflow, which most often leads to crashes/denial of service but can also lead to code execution.
Ransomware authors who have abused previous CLFS vulnerabilities will be only too happy to get their hands on a new one. Expect more CLFS zero-day vulnerabilities to emerge in the future, at least until Microsoft performs a complete replacement of the aging CLFS codebase instead of shipping one-off fixes for specific flaws. Patches are available for all versions of Windows.
Patterns emerge when considering all 16 critical RCE vulnerabilities published today, which may somewhat reduce the level of concern that an unusually high number might otherwise cause among weary defenders.
A trio of critical Windows LDAP RCE vulnerabilities receive patches this month, including CVE-2024-49112, which has a CVSSv3 base score of 9.8, the highest of all vulnerabilities Microsoft published today. Exploitation is via a set of specially crafted LDAP calls and results in code execution in the context of the LDAP service; although the advisory does not say so, the LDAP service runs in a SYSTEM context. Microsoft advises defenders who still allow domain controllers to receive inbound RPC calls from untrusted networks, or to access the Internet, to stop doing so.
Another potential source of concern this month is CVE-2024-49126, a critical RCE in the Local Security Authority Subsystem Service (LSASS). Exploitation could potentially be carried out remotely, the attacker needs no privileges, and the user does not need to take any action; the only saving grace is that an attacker must win a race condition. Although the advisory states that code execution would occur in the context of the server account, it may be safer to assume that code execution would occur in a SYSTEM context.
CVE-2024-49117 describes a container escape for Hyper-V; exploitation requires the attacker to make specially crafted file operation requests from the virtual machine (VM) to the VM's hardware resources, which could result in remote code execution on the hypervisor. The advisory FAQ states that no special privileges are required in the context of the VM, so any level of access is sufficient to break out of the VM. We also learn that the container escape could be lateral, with an attacker moving from one VM to another rather than toward the hypervisor.
The eight critical RCE vulnerabilities in Remote Desktop Services published today (e.g. CVE-2024-49106) share a number of similarities: they have identical CVSS vectors, exploitation requires an attacker to win a race condition, and the same research group is credited in each case.
There are no significant Microsoft product lifecycle transitions this month.