December Patch Tuesday reveals 70 vulnerabilities

Microsoft is addressing 70 vulnerabilities this December 2024 Patch Tuesday, with evidence of in-the-wild exploitation and public disclosure of one of the vulnerabilities published today (December 10), reflected in a CISA KEV entry.

For the third month in a row, Microsoft published zero-day vulnerabilities on Patch Tuesday without assessing any of them as critical severity at the time of publication. Today 16 critical remote code execution (RCE) vulnerabilities are published, which is more than usual. Two browser vulnerabilities were already published separately earlier this month and are not included in the total.

This month’s zero-day vulnerability is CVE-2024-49138, an elevation of privilege vulnerability in the driver of the Windows Common Log File System (CLFS), a general-purpose Windows logging service that can be used by software clients running in user mode or kernel mode.

Exploitation leads to SYSTEM privileges, and if this all sounds familiar, it should. There have been a number of zero-day elevation of privilege vulnerabilities in CLFS in recent years. Previous offenders are CVE-2022-24521, CVE-2023-23376, CVE-2022-37969 and CVE-2023-28252; today’s addition of CVE-2024-49138 is the first CLFS zero-day vulnerability that Microsoft has published in 2024. Although the advisory does not provide many details about the means of exploitation, the weakness is CWE-122: Heap-based buffer overflow, which usually causes crashes or denial of service but can also lead to code execution.

Ransomware authors who have abused previous CLFS vulnerabilities will be glad to get their hands on a new one. Expect more CLFS zero-day vulnerabilities to emerge in the future, at least until Microsoft performs a complete replacement of the legacy CLFS codebase instead of offering spot fixes for specific flaws. Patches are available for all versions of Windows.

Patterns emerge when the 16 critical RCE vulnerabilities released today are considered as a whole, which should somewhat reduce the alarm that such an unusually large number might otherwise cause among already fatigued defenders.

A trio of critical Windows LDAP RCE vulnerabilities received patches this month, including CVE-2024-49112, which has a CVSSv3 base score of 9.8, the highest of all the vulnerabilities Microsoft has published today. Exploitation is performed via a set of specially crafted LDAP calls and leads to code execution within the context of the LDAP service; although the advisory does not specify it, the LDAP service runs in a SYSTEM context. Microsoft advises defenders who still allow domain controllers to receive incoming RPC calls from untrusted networks or to access the Internet to stop doing so.

Another possible cause for concern this month is CVE-2024-49126, a critical RCE in the Local Security Authority Subsystem Service (LSASS). Exploitation could be carried out remotely, the attacker does not need privileges, and the user does not need to take any action; the only positive side is that an attacker must win a race condition. Although the advisory says that code execution would occur in the context of the server account, it might be safer to assume that code execution would occur in the SYSTEM context.

CVE-2024-49117 describes a container escape for Hyper-V; the exploit requires the attacker to make specially crafted file operation requests from the virtual machine (VM) to the VM’s hardware resources, which could result in remote code execution on the hypervisor. The advisory FAQ states that no special privileges are required in the context of the VM, so any level of access is sufficient to break out of the VM. We also learn that the container escape could be lateral, where an attacker moves from one VM to another instead of to the hypervisor.

The eight critical RCE vulnerabilities in Remote Desktop Services released today (e.g. CVE-2024-49106) share a number of similarities: they have identical CVSS vectors, exploitation requires an attacker to win a race condition, and in each case the discovery is credited to the same research group.

There are no significant transitions in the life cycle of Microsoft products this month.
