Microsoft releases security patches for vulnerabilities in its products on the second Tuesday of each month. Immersive Labs' Cyber Threat Research Team reviews these patch notes for the standout vulnerabilities you need to know about.
CVE-2024-49138 - 7.8 - Windows Common Log File System Driver Elevation of Privilege Vulnerability
Top of the list of things to patch this cycle is a trio of vulnerabilities in the Windows Common Log File System Driver. Don't be fooled by their relatively low score of 7.8. At least one of these (CVE-2024-49138) is being actively exploited in the wild by threat actors, making it likely that the other two vulnerabilities will also be discovered.
This vulnerability is a local privilege escalation, which means that an attacker must already have initial access to the host before exploiting it to gain SYSTEM-level privileges. With this higher level of permissions, the threat actor can move laterally across the network, dump credentials to pivot to a domain controller or even disable security tooling to avoid detection by a blue team.
CVE-2024-49114 - 7.8 - Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
High on the list for patching should be CVE-2024-21310, a privilege escalation vulnerability in the Cloud Files Mini Filter Driver. Microsoft lists it as “exploitation more likely”, and the patch notes bear striking similarities to other vulnerabilities reported in the same component that are actively being exploited and that appeared on the CISA Known Exploited Vulnerabilities list late in 2023.
That history likely contributes to the “exploitation more likely” rating: the technique is proven and effective for attackers, and existing public examples could make it faster to weaponise.
If an attacker exploits this vulnerability, they can gain SYSTEM-level privileges on the local machine. This type of privilege escalation step is frequently seen by threat actors in network compromises, as it can enable the attacker to disable security tools or run credential dumping tools like mimikatz that can then enable lateral movement or the compromise of domain accounts.
CVE-2024-49093 - 8.8 - Windows Resilient File System (ReFS) Elevation of Privilege
The Resilient File System (ReFS) is a modern file system developed by Microsoft, designed to provide enhanced data integrity, scalability, and fault tolerance compared to the New Technology File System (NTFS).
Introduced with Windows Server 2012, ReFS is optimized for large-scale storage solutions, virtualization workloads, and environments requiring high data reliability. It incorporates features like integrity streams to detect and repair data corruption, support for massive volumes and file sizes (up to 35 petabytes), and efficient data management through technologies like block cloning.
While it lacks some NTFS features, such as file compression and encryption, ReFS is particularly suited for enterprise applications, such as Hyper-V storage and resilient storage spaces. It offers improved performance and reliability for mission-critical workloads.
Microsoft rates this vulnerability as “exploitation more likely” and notes that the attack complexity is low. An attacker only has to run the exploit from a low-privilege AppContainer to execute code or access resources at a much higher integrity level than the AppContainer permits.
CVE-2024-49126 - 8.1 - Windows Local Security Authority Subsystem Service (LSASS) Remote Code Execution Vulnerability
The Local Security Authority Subsystem Service (LSASS) is a critical system process in Microsoft Windows that enforces security policies and manages user authentication. It verifies users logging into a Windows system by handling credentials, such as passwords and security tokens, and interacts with Active Directory for domain authentication. LSASS also generates and manages the access tokens that applications and services use to determine user permissions.
This process runs with high privileges, making it a frequent target for attackers aiming to extract credentials from memory or perform lateral movement in a network using tools like the famous Mimikatz. Protecting LSASS is vital, and modern versions of Windows include features like Credential Guard and process isolation to mitigate risks associated with its exploitation.
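The following PowerShell check is an added example, not part of the original advisory: it reports whether the two LSASS protections mentioned above (LSA protection, i.e. running LSASS as a protected process, and Credential Guard) are in force on the host. It reads the real `RunAsPPL` value under the Lsa registry key and the `Win32_DeviceGuard` WMI class; the function name `Test-LsassProtection` is my own.

```powershell
# Added example (not from the advisory): report whether the LSASS protections the text
# mentions are in force on this host. Read-only; run in an elevated PowerShell.
function Test-LsassProtection {
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $lsa = Get-ItemProperty -Path $lsaKey -ErrorAction Stop

    # RunAsPPL: 1 = LSASS runs as a protected process (PPL), 2 = PPL with UEFI lock.
    # Absent or 0 means any process holding SeDebugPrivilege can open LSASS memory.
    $runAsPpl = if ($null -ne $lsa.RunAsPPL) { [int]$lsa.RunAsPPL } else { 0 }
    $lsaState = switch ($runAsPpl) {
        0       { 'Off' }
        1       { 'On' }
        2       { 'On (UEFI locked)' }
        default { "Unknown ($runAsPpl)" }
    }

    # Credential Guard status from the DeviceGuard WMI class:
    # SecurityServicesRunning contains 1 when Credential Guard is running (2 = HVCI),
    # VirtualizationBasedSecurityStatus is 2 when VBS itself is running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $credGuardRunning = ($null -ne $dg) -and (1 -in @($dg.SecurityServicesRunning))
    $vbsRunning       = ($null -ne $dg) -and ($dg.VirtualizationBasedSecurityStatus -eq 2)

    $advice = if ($runAsPpl -ge 1 -and $credGuardRunning) { 'LSASS hardened' }
              elseif ($runAsPpl -ge 1)                    { 'Enable Credential Guard' }
              else { 'Enable LSA protection (RunAsPPL) and Credential Guard' }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        LsaProtection   = $lsaState
        VbsRunning      = $vbsRunning
        CredentialGuard = $credGuardRunning
        Recommendation  = $advice
    }
}

Test-LsassProtection | Format-List
```

Hosts where `LsaProtection` is `Off` are the ones on which a SYSTEM-level attacker from the privilege escalation bugs above can read LSASS memory directly, so they should be prioritised for both patching and hardening.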
This is a use-after-free vulnerability in which the attacker has to win a race condition to access sensitive data that is not properly protected or locked. It requires no interaction from the user and no special privileges to begin the attack. It is a remote code execution vulnerability affecting service accounts: an attacker can trigger malicious code in the context of the server’s account through a network call.
CVE-2024-49117 - 8.8 - Windows Hyper-V Remote Code Execution Vulnerability
This vulnerability could be exploited by an attacker who has authenticated access to a guest virtual machine (VM). The attacker could send carefully crafted file operation requests to interact with the hardware resources allocated to the VM.
This vulnerability has been tagged as “return of wrong status code,” which adds further context to the vulnerability by highlighting a potential miscommunication between components during an attack. If the underlying system incorrectly returns a status code suggesting that an operation was successful when it was not—or fails to indicate that an unexpected or malicious operation has occurred—it can facilitate exploitation. In this scenario, such miscommunication could obscure warning signs or error handling mechanisms that might otherwise mitigate the attack, making the vulnerability easier to exploit and harder to detect.
Because Hyper-V is so deeply integrated into the Windows operating system, it is recommended that you patch this even though exploitation requires access to a guest OS running on the machine.
CVE-2024-49112 - 9.8 - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution (RCE)
A significant flaw has been identified in the Lightweight Directory Access Protocol (LDAP) service on all versions of Windows since Windows 7 / Server 2008 R2 that can allow an unauthenticated attacker with network access to gain code execution on the underlying server. LDAP is most commonly seen on servers that are Domain Controllers inside a Windows network, and LDAP must be exposed to other servers and clients within an enterprise environment for the domain to function.
Microsoft hasn’t released specific information about the vulnerability at present, but has indicated that the attack complexity is low and authentication is not required. Furthermore, they advise that exposure of this service either via the internet or to untrusted networks should be stopped immediately. They have said that an attacker can make a series of crafted calls to the LDAP service and gain access within the context of that service, which will be running with SYSTEM privileges. Because of the Domain Controller status of the machine account, it is assessed this will instantly allow the attacker to perform a DCSync attack and get access to all credential hashes within the domain. It is also assessed that an attacker will only need to gain low privileged access to a Windows host within a domain or a foothold within the network in order to exploit this service - gaining complete control over the domain.
Discovery of how to exploit this condition will be of the utmost importance to attackers, especially ransomware operators, as complete control of a Domain Controller in an Active Directory environment can allow for access to every Windows machine as part of that domain and allow for the deployment of ransomware to every machine.
Microsoft also suggests blocking access to ‘inbound RPC’ connections from untrusted networks, which may indicate that the vulnerability can be exploited by a number of RPC channels, not only via the standard LDAP ports. Environments which make use of Windows networks using Domain Controllers should patch this vulnerability as a matter of urgency and ensure that Domain Controllers are actively monitored for signs of exploitation.
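As an added example (not from the advisory or from Microsoft), the PowerShell below audits a Domain Controller's inbound Windows Firewall rules for the LDAP, Global Catalog and RPC ports and scopes any rule that is open to every remote address down to trusted subnets, which is one way to act on the advice above. `$TrustedSubnets` is a placeholder you must replace with your own management and client ranges; the cmdlets used (`Get-NetTCPConnection`, `Get-NetFirewallRule`, `Get-NetFirewallPortFilter`, `Get-NetFirewallAddressFilter`, `Set-NetFirewallRule`) are the standard NetSecurity module cmdlets.

```powershell
# Added example (not from the advisory): audit and scope inbound LDAP / RPC exposure on a
# Domain Controller to trusted subnets. Run in an elevated PowerShell on the DC.
# $TrustedSubnets is a placeholder: list every range that legitimately talks to the DC,
# otherwise clients outside it will lose authentication. Keep -WhatIf until the output is right.
$TrustedSubnets = @('10.10.0.0/16', '192.168.50.0/24')   # placeholder values

# Ports and Windows Firewall port keywords covering LDAP, LDAPS, Global Catalog and RPC.
$LdapPorts   = @('389', '636', '3268', '3269')
$RpcKeywords = @('RPC', 'RPC-EPMap')   # the built-in DC RPC rules use these keywords, not 135

# 1. Show what is currently listening so the exposure is visible before any change.
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -in @(135, 389, 636, 3268, 3269) } |
    Select-Object LocalAddress, LocalPort, OwningProcess |
    Sort-Object LocalPort |
    Format-Table -AutoSize

# 2. Find enabled inbound allow rules that open those ports to any remote address.
#    (Rules whose LocalPort is 'Any' are not matched here and deserve a separate review.)
$Exposed = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow) {
    $port = $rule | Get-NetFirewallPortFilter
    $addr = $rule | Get-NetFirewallAddressFilter
    $opensLdapOrRpc = @($port.LocalPort |
        Where-Object { $_ -in $LdapPorts -or $_ -in $RpcKeywords }).Count -gt 0
    if ($opensLdapOrRpc -and ($addr.RemoteAddress -eq 'Any')) { $rule }
}
$Exposed | Select-Object DisplayName, Profile | Format-Table -AutoSize

# 3. Narrow those allow rules to the trusted subnets. Windows Firewall evaluates block rules
#    ahead of allow rules, so tightening the allow rule's RemoteAddress is the simplest way
#    to remove exposure without adding a blanket block. Drop -WhatIf to apply.
$Exposed | Set-NetFirewallRule -RemoteAddress $TrustedSubnets -WhatIf
```

Re-run step 2 after applying to confirm `$Exposed` is empty, and keep the listing from step 1 as the baseline for the monitoring the advisory recommends.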
CVE-2024-49122 - 7.8 - Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability
This December 2024 Patch Tuesday also saw a vulnerability in Microsoft Message Queuing (MSMQ) disclosed. Denoted CVE-2024-49122, it is rated by Microsoft as “exploitation more likely” with a “remote code execution” impact. MSMQ allows asynchronous communication between applications across various networks and systems by sending messages to and reading messages from a queue. This vulnerability has a high attack complexity and requires the attacker to win a race condition. Successful exploitation is achieved by sending a maliciously crafted MSMQ packet to a server, resulting in remote code execution.