Microsoft issued patches for scores of vulnerabilities in its December Patch Tuesday yesterday, including one that is currently being exploited by threat actors.
The zero-day flaw, CVE-2024-49138, is an elevation of privilege (EoP) vulnerability in the Windows Common Log File System (CLFS) driver – a Windows logging service used by software clients running in user-mode or kernel-mode. Exploitation can result in an attacker gaining system privileges.
While this is the first CLFS zero-day published this year, earlier examples discovered in 2022 and 2023 include CVE-2022-24521, CVE-2023-23376, CVE-2022-37969 and CVE-2023-28252, according to Adam Barnett, lead software engineer at Rapid7.
“Although the advisory doesn’t provide much detail on the means of exploitation, the weakness is CWE-122: Heap-based Buffer Overflow, which most commonly leads to crashes/denial of service, but can also lead to code execution,” he explained.
“Ransomware authors who have abused previous CLFS vulnerabilities will be only too pleased to get their hands on a fresh one. Expect more CLFS zero-day vulnerabilities to emerge in the future, at least until Microsoft performs a full replacement of the aging CLFS codebase instead of offering spot fixes for specific flaws.”
This month saw fixes for 16 critical CVEs in total, all of which are remote code execution (RCE) bugs. Nine impact Windows Remote Desktop Services, three affect Windows Lightweight Directory Access Protocol (LDAP) and two are found in Microsoft Message Queuing (MSMQ).
One of the LDAP vulnerabilities, CVE-2024-49112, has a CVSS v3 base score of 9.8, making it the most serious published in the December Patch Tuesday release.
“Exploitation is via a specially crafted set of LDAP calls and leads to code execution within the context of the LDAP service. Although the advisory doesn’t specify, the LDAP service runs in a system context,” said Barnett.
“Microsoft advises defenders who still permit domain controllers to receive inbound RPC calls from untrusted networks or to access the internet to stop doing that.”
This month sees a slight departure from the past few Patch Tuesdays, in which Microsoft has fixed multiple exploited or publicly disclosed zero-days. In August there were nine in total, followed by five in October and four in November.