December 2024 Patch Tuesday: Insights and Updates

Published:

Zero-Day Vulnerability (CVE-2024-49138) Exploit Observed in the Wild

In the ever-evolving landscape of cybersecurity, zero-day vulnerabilities pose a significant threat to organizations worldwide. One such vulnerability, identified as CVE-2024-49138, has recently come to light. This privilege escalation vulnerability resides within the Microsoft Windows Common Log File System (CLFS) driver and has been categorized as Important in severity, with a CVSS score of 7.8. Discovered by CrowdStrike’s Counter Adversary Operations team, this vulnerability was privately reported to Microsoft, which has since acknowledged its existence, issued a patch, and confirmed that it is actively being exploited in the wild.

Table 1: Zero-day in Microsoft Windows

Severity CVSS Score CVE Description
Important 7.8 CVE-2024-49138: Windows Common Log File System Elevation of Privilege Vulnerability

The implications of CVE-2024-49138 are profound, as it allows attackers to gain elevated privileges on affected systems, potentially leading to unauthorized access and control over sensitive data. Organizations are urged to apply the patch provided by Microsoft promptly to mitigate the risks associated with this vulnerability.

Three Critical Vulnerabilities in Lightweight Directory Access Protocol (LDAP) Client

The Lightweight Directory Access Protocol (LDAP) client has also been found to harbor critical vulnerabilities that could have severe repercussions for organizations utilizing Active Directory services.

  1. CVE-2024-49112: This critical remote code execution (RCE) vulnerability has a staggering CVSS score of 9.8. It allows an unprivileged attacker to execute arbitrary code on an Active Directory server by sending a specially crafted set of LDAP calls. Microsoft recommends that all Active Directory servers be configured to reject Remote Procedure Calls (RPCs) from untrusted networks, in addition to applying the necessary patches.

  2. CVE-2024-49124: Another critical RCE vulnerability, CVE-2024-49124, carries a CVSS score of 8.1. This vulnerability enables unauthenticated remote attackers to exploit a cryptographic protocol within Windows Kerberos by sending specially crafted packets, leading to potential RCE.

  3. CVE-2024-49127: Similar to the previous vulnerabilities, CVE-2024-49127 also has a CVSS score of 8.1. It allows an unauthenticated attacker to send a specially crafted request to a vulnerable server, with successful exploitation requiring the attacker to win a race condition, ultimately allowing code execution in the SYSTEM account.

Table 2: Critical vulnerabilities in Windows Lightweight Directory Access Protocol (LDAP)

Severity CVSS Score CVE Description
Critical 9.8 CVE-2024-49112: Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability
Critical 8.1 CVE-2024-49124: Windows Lightweight Directory Access Protocol (LDAP) Client Remote Code Execution Vulnerability
Critical 8.1 CVE-2024-49127: Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability

Given the ease of exploitation and the significant risks these vulnerabilities pose, organizations must prioritize patching and implementing recommended security configurations.

A Critical Vulnerability in Windows Hyper-V

Another area of concern is Windows Hyper-V, which has been identified as having a critical RCE vulnerability, designated as CVE-2024-49117. With a CVSS score of 8.8, this vulnerability requires an authenticated attacker on a guest virtual machine (VM) to send specially crafted file operation requests to hardware resources on the VM. While described as "remote," this vulnerability necessitates local access to exploit, allowing arbitrary code execution on the host server.

Table 3: Critical vulnerability in Windows Hyper-V

Severity CVSS Score CVE Description
Critical 8.8 CVE-2024-49117: Windows Hyper-V Remote Code Execution Vulnerability

Organizations utilizing Hyper-V should ensure that their environments are secure and that access to VMs is tightly controlled to mitigate the risks associated with this vulnerability.

Two Critical Vulnerabilities in Microsoft Message Queueing

Microsoft Message Queuing (MSMQ) has also been identified as having critical RCE vulnerabilities, specifically CVE-2024-49118 and CVE-2024-49122, both with a CVSS score of 8.1. Exploitation of these vulnerabilities requires an attacker to win a race condition by sending specially crafted malicious MSMQ packets to a vulnerable MSMQ server, potentially resulting in RCE on the server side.

MSMQ is an attractive target for attackers due to its prevalent use in high-availability services like Active Directory. Organizations are advised to check if the “Message Queuing” service is running and whether TCP port 1801 is listening on the machine. If the service is not being utilized, it is recommended to disable it.

Table 4: Critical vulnerabilities in Microsoft Message Queueing (MSMQ)

Severity CVSS Score CVE Description
Critical 8.1 CVE-2024-49118: Microsoft Message Queuing Remote Code Execution Vulnerability
Critical 8.1 CVE-2024-49122: Microsoft Message Queuing Remote Code Execution Vulnerability

A Critical Vulnerability in Windows Local Security Authority Subsystem Service (LSASS)

The Local Security Authority Subsystem Service (LSASS) is another critical component that has been found to have vulnerabilities. Specifically, CVE-2024-49126 is a critical RCE vulnerability with a CVSS score of 8.1. Successful exploitation allows an attacker to execute arbitrary code on a server without requiring special privileges or user interaction. This vulnerability can be exploited through a network call, potentially granting the attacker control over the server by executing malicious code in the context of the server’s account.

Table 5: Critical vulnerability in Windows Local Security Authority Subsystem Service (LSASS)

Severity CVSS Score CVE Description
Critical 8.1 CVE-2024-49126: Windows Local Security Authority Subsystem Service (LSASS) Remote Code Execution Vulnerability

Nine Critical Vulnerabilities in Windows Remote Desktop Services

In addition to the aforementioned vulnerabilities, Windows Remote Desktop Services has been identified as having nine critical RCE vulnerabilities, all with a CVSS score of 8.1. These vulnerabilities can be exploited by connecting to a system with the Remote Desktop Gateway role, triggering a race condition that creates a use-after-free scenario, ultimately allowing arbitrary code execution.

Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strategies

As demonstrated by past vulnerabilities, such as Log4j, not every highly exploitable vulnerability can be patched easily. The ProxyNotShell vulnerabilities highlight the importance of developing a comprehensive response plan for defending environments when patching protocols are not available.

Organizations should regularly review their patching strategies while also adopting a holistic approach to cybersecurity. Improving the overall security posture is essential in mitigating risks associated with vulnerabilities that may not have immediate fixes.

The CrowdStrike Falcon platform plays a crucial role in this endeavor, collecting and analyzing trillions of endpoint events daily from millions of sensors deployed across 176 countries. Organizations can see the Falcon platform in action by watching a demo here.

Learn More

For organizations looking to enhance their vulnerability management strategies, CrowdStrike Falcon® Exposure Management offers tools to quickly discover and prioritize vulnerabilities and other types of exposures. Learn more about this solution here.

About CVSS Scores

The Common Vulnerability Scoring System (CVSS) is an industry standard used by CrowdStrike and many other cybersecurity organizations to assess and communicate the severity and characteristics of software vulnerabilities. The CVSS Base Score ranges from 0.0 to 10.0, with the National Vulnerability Database (NVD) providing severity ratings for CVSS scores. For more information on vulnerability scoring, refer to this article here.

In conclusion, the cybersecurity landscape is fraught with challenges, and the emergence of vulnerabilities like CVE-2024-49138 and others underscores the importance of vigilance, timely patching, and proactive security measures to safeguard organizational assets.

Related articles

Recent articles