WARNING: MICROSOFT PATCH TUESDAY DECEMBER 2024 PATCHES 70 VULNERABILITIES (16 CRITICAL, 54 IMPORTANT), PATCH IMMEDIATELY!!
Microsoft patched 70 vulnerabilities in its December 2024 Patch Tuesday release: 16 rated critical and 54 rated important. These include one 0-day vulnerability that is actively exploited.
Number of CVEs by type:
- 30 Remote Code Execution vulnerabilities
- 27 Elevation of Privilege vulnerabilities
- 7 Information Disclosure vulnerabilities
- 5 Denial of Service vulnerabilities
- 1 Spoofing vulnerability
Sources
Microsoft - https://msrc.microsoft.com/update-guide/releaseNote/2024-Dec
Risks
Microsoft's December 2024 Patch Tuesday includes 70 vulnerabilities (16 critical and 54 important) across a wide range of Microsoft products, affecting Microsoft servers and workstations. This Patch Tuesday includes one 0-day that is actively exploited. Some other vulnerabilities are also more likely to be exploited soon; urgent patching is therefore advised.
Description
Microsoft has released multiple patches for vulnerabilities covering a range of their products. These monthly releases are called “Patch Tuesday” and contain security fixes for Microsoft devices and software.
The CCB would like to draw your attention to the following vulnerabilities:
CVE-2024-49138: Windows Common Log File System Driver (0-Day, Actively exploited)
Elevation of Privilege Vulnerability. An attacker who successfully exploits this vulnerability could obtain SYSTEM privileges. It has been assigned a CVSSv3 score of 7.8 and is categorized as important. This vulnerability was actively exploited in the wild as a zero-day, although specific details about the exploitation remain unknown. Alongside CVE-2024-49138, Microsoft also addressed two other elevation of privilege (EoP) vulnerabilities in the CLFS driver: CVE-2024-49090 and CVE-2024-49088. Both vulnerabilities were assigned a CVSSv3 score of 7.8, rated as important, and assessed as "Exploitation More Likely." Notably, this marks the ninth vulnerability in the Windows CLFS driver patched in 2024. Additionally, CVE-2024-49138 is the fifth actively exploited privilege escalation flaw in the CLFS driver since 2022. These types of privilege escalation vulnerabilities are often paired with code execution flaws to enable full system compromise. Such tactics are commonly seen in ransomware attacks and targeted phishing campaigns.
CVE-2024-49112: Windows Lightweight Directory Access Protocol (LDAP)
Remote Code Execution Vulnerability. This vulnerability is the most critical one addressed by Microsoft, receiving a CVSS score of 9.8 and labeled as "Exploitation Less Likely". An unauthenticated attacker who successfully exploits this vulnerability could execute arbitrary code within the context of the LDAP service by sending a specially crafted set of LDAP calls. According to Dustin Childs from the Zero Day Initiative (ZDI), attackers can use this flaw to compromise Domain Controllers through these crafted LDAP requests. In addition, Microsoft also patched another vulnerability, CVE-2024-49113, in Windows LDAP. This vulnerability was assigned a CVSS score of 7.5 and, like the previous one, is categorized as "Exploitation Less Likely."
UPDATE: A Proof of Concept was published by Security Boulevard as of the 2nd of January 2024. This increases the possibility of the vulnerability being exploited in the future. More information can be found here: https://securityboulevard.com/2025/01/ldapnightmare-safebreach-labs-publishes-first-proof-of-concept-exploit-for-cve-2024-49112/
CVE-2024-49118 & CVE-2024-49122: Microsoft Message Queuing (MSMQ)
Remote Code Execution Vulnerabilities. CVE-2024-49118 and CVE-2024-49122 are Remote Code Execution (RCE) vulnerabilities in Microsoft Message Queuing (MSMQ), both assigned a CVSSv3 score of 8.1 and rated as critical. For a system to be vulnerable, the MSMQ service must be added and enabled. Successful exploitation of these vulnerabilities requires an attacker to trigger a race condition. Despite this, Microsoft classified CVE-2024-49122 as "Exploitation More Likely," while CVE-2024-49118 was rated as "Exploitation Less Likely" due to the specific condition that the race must occur during the execution of a rare operation on the target system.
CVE-2024-49070: Microsoft SharePoint
Remote Code Execution Vulnerability. CVE-2024-49070 is a remote code execution (RCE) vulnerability in Microsoft SharePoint, assigned a CVSSv3 score of 7.4 and rated as important. To successfully exploit this vulnerability, an attacker must first prepare the target environment to increase the reliability of the exploit. Microsoft has assessed this vulnerability as "Exploitation More Likely."
CVE-2024-49117: Windows Lightweight Directory Access Protocol (LDAP)
Remote Code Execution Vulnerability. This vulnerability has been assigned a CVSS score of 8.8 and is rated as critical by Microsoft. A successful exploitation could allow an attacker to carry out a cross-VM attack, potentially compromising multiple virtual machines and amplifying the attack's impact beyond the initially targeted VM. Exploiting this vulnerability requires the attacker to be authenticated, but no admin or elevated privileges are necessary.
CVE-2024-49093: Windows Resilient File System (ReFS)
Elevation of Privilege Vulnerability. An attacker who successfully exploits this vulnerability could obtain SYSTEM privileges. It has been assigned a CVSSv3 score of 8.8 and is rated as important. This vulnerability requires the attacker to first log onto the system. Once logged in, the attacker could run a specially crafted application to exploit the vulnerability and gain control of the affected system. Microsoft has categorized this vulnerability as "Exploitation More Likely."
CVE-2024-49106, CVE-2024-49108, CVE-2024-49115, CVE-2024-49116, CVE-2024-49119, CVE-2024-49120, CVE-2024-49123, CVE-2024-49128 and CVE-2024-49132: Windows Remote Desktop Services
Remote Code Execution Vulnerabilities.
These remote code execution (RCE) vulnerabilities impact Windows Remote Desktop Services. All nine vulnerabilities are rated as critical, with CVSSv3 scores of 8.1. Exploiting them successfully is complex and requires the attacker to trigger a race condition. Microsoft categorized these vulnerabilities as "Exploitation Less Likely."
CVE-2024-49063: Microsoft/Muzic
Remote Code Execution Vulnerability. This vulnerability is part of a research project on AI-generated music and has received a CVSSv3 score of 8.4, rated as important. An attacker exploiting this vulnerability could achieve code execution by crafting a payload that executes during deserialization. Microsoft has classified this vulnerability as "Exploitation Less Likely."
Recommended actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
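To help prioritise the patching and monitoring steps above, the following PowerShell triage script is an added example (not part of the CCB advisory) that reports which of the attack surfaces named in this advisory are present on a given Windows host and whether any update has been installed since Patch Tuesday. It assumes an elevated PowerShell 5.1 or later session; the exact KB number for your build is not on this page and must be confirmed against the MSRC release note.

```powershell
# Added example, not from the CCB advisory: per-host exposure triage for the
# December 2024 Patch Tuesday. Run elevated. Cmdlet availability differs between
# client and server SKUs, so missing cmdlets are tolerated rather than fatal.
$findings = @()

# CLFS (CVE-2024-49138, actively exploited 0-day) is a kernel driver shipped on
# every Windows host, so it is always in scope: patch it first.
$findings += [pscustomobject]@{ Surface = 'CLFS driver (CVE-2024-49138, 0-day)'
                                 Present = $true; Note = 'Kernel driver on all hosts' }

# MSMQ (CVE-2024-49118 / CVE-2024-49122) only matters when the service is installed.
$msmq = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
$findings += [pscustomobject]@{ Surface = 'MSMQ (CVE-2024-49118/49122)'
                                 Present = [bool]$msmq
                                 Note = if ($msmq) { "Status=$($msmq.Status) StartType=$($msmq.StartType)" } else { 'Not installed' } }

# LDAP (CVE-2024-49112 / CVE-2024-49113): the exposed service runs on Domain Controllers.
# Win32_ComputerSystem.DomainRole 4 = backup DC, 5 = primary DC.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$findings += [pscustomobject]@{ Surface = 'LDAP on Domain Controller (CVE-2024-49112/49113)'
                                 Present = ($role -in 4, 5); Note = "DomainRole=$role" }

# Remote Desktop Services (nine critical RCEs): report whether RDP connections are allowed.
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                       -Name fDenyTSConnections -ErrorAction SilentlyContinue
$rdpOn = ($null -ne $ts) -and ($ts.fDenyTSConnections -eq 0)
$findings += [pscustomobject]@{ Surface = 'Remote Desktop Services (9 critical RCEs)'
                                 Present = $rdpOn; Note = "fDenyTSConnections=$($ts.fDenyTSConnections)" }

# ReFS (CVE-2024-49093): list volumes formatted with ReFS.
$refs = Get-Volume -ErrorAction SilentlyContinue | Where-Object { $_.FileSystemType -eq 'ReFS' }
$findings += [pscustomobject]@{ Surface = 'ReFS volumes (CVE-2024-49093)'
                                 Present = [bool]$refs
                                 Note = if ($refs) { ($refs.DriveLetter -join ',') } else { 'None' } }

# Coarse patch-status check: any hotfix installed on or after 10 December 2024.
# A positive result is not proof the right cumulative update is present; verify the KB.
$recent = Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge [datetime]'2024-12-10' }
$findings += [pscustomobject]@{ Surface = 'Updates installed since 2024-12-10'
                                 Present = [bool]$recent
                                 Note = if ($recent) { ($recent.HotFixID -join ',') } else { 'None found: patch now' } }

$findings | Format-Table -AutoSize
```

Hosts where Present is true for the MSMQ, Domain Controller or Remote Desktop rows expose the network-reachable services named in this advisory and should be patched and monitored first.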
References
The Register - https://www.theregister.com/2024/12/10/microsoft_patch_tuesday/
The Hacker News - https://thehackernews.com/2024/12/microsoft-fixes-72-flaws-including.html
CISA - https://www.cisa.gov/news-events/alerts/2024/12/10/microsoft-releases-de...
Tenable - https://www.tenable.com/blog/microsofts-december-2024-patch-tuesday-addr...
Zero Day Initiative - https://www.zerodayinitiative.com/blog/2024/12/10/the-december-2024-secu...
Bleeping Computer - https://www.bleepingcomputer.com/news/microsoft/microsoft-december-2024-...
Security Affairs - https://securityaffairs.com/171845/security/microsoft-december-2024-patc...