Patch Tuesday: December 2024


By: Blake Eakin

Every month on the second Tuesday, Microsoft and other vendors release software security patches in what has become known as Patch Tuesday. This month, Microsoft released patches for 74 vulnerabilities, including one zero-day, one that had previously been publicly disclosed, 17 vulnerabilities classified as Critical, and 27 with CVSS base scores over 8. In addition, there have been reports of active exploitation and a public PoC for a zero-day that was previously patched in August.

One of the more notable vulnerabilities being patched this month is CVE-2024-49138, an elevation of privilege vulnerability in the Common Log File System (CLFS) driver. This vulnerability has been exploited in the wild and has also been publicly disclosed. SSD released a disclosure on October 23, 2024 for a CLFS driver vulnerability credited to the first place winner of TyphoonPWN 2024 (https://typhooncon.com/typhoonpwn-2024/). The CLFS driver was also the subject of a Denial of Service (DoS) vulnerability reported earlier this year (CVE-2024-6768), and it has been a frequent target for elevation of privilege vulnerabilities addressed by past Patch Tuesdays.

Five of the vulnerabilities being patched pertain to LDAP, including two classified as DoS (CVE-2024-49113, CVE-2024-49121) and three (CVE-2024-49127, CVE-2024-49124, CVE-2024-49112) classified as remote code execution (RCE). Two of the RCE vulnerabilities require winning a race condition, but CVE-2024-49112 does not and can be exploited without authentication, netting it a CVSS 3.1 base score of 9.8. The patches also address three vulnerabilities in Microsoft Message Queuing (MSMQ), one of which is an RCE that Microsoft has rated Critical and marked as exploitation more likely (CVE-2024-49122). Successful exploitation requires sending a specially crafted packet to an MSMQ server and winning a race condition.

Windows Remote Desktop saw a lot of patching activity this month. Nine Critical RCE vulnerabilities affect systems with the Remote Desktop Gateway role (CVE-2024-49106, CVE-2024-49108, CVE-2024-49115, CVE-2024-49119, CVE-2024-49120, CVE-2024-49123, CVE-2024-49132, CVE-2024-49116, CVE-2024-49128), each exploitable by winning a race condition, while two others present opportunities for DoS attacks (CVE-2024-49129, CVE-2024-49075). Another vulnerability, an RCE, specifically affects the Remote Desktop Client (CVE-2024-49105). Instead of requiring an attacker to reach out to victim systems, this one is triggered when a victim, logged in with an administrative account, connects to a malicious RDP server.


Other notable vulnerabilities being patched include three more RCEs, affecting SharePoint (CVE-2024-49070), Hyper-V (CVE-2024-49117), and the Local Security Authority Subsystem Service (LSASS) (CVE-2024-49126). There is also an elevation of privilege vulnerability in the Windows Resilient File System (ReFS) that Microsoft rates as exploitation more likely and has given a base score of 8.8.

Outside of the December Patch Tuesday, an elevation of privilege zero-day previously addressed in the August Patch Tuesday (CVE-2024-38193) is gaining attention right now after a researcher published a writeup outlining how the vulnerability works, which has led to Proof of Concept (PoC) exploits being published. This underlines the importance of keeping pace with Patch Tuesday releases: once a patch is out, threat actors can diff it to develop exploits, and they will quickly weaponize any vulnerability they can against systems that remain unpatched.
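As an added example (not code from the original post or from ConnectWise), the following PowerShell script triages a Windows Server host against the attack surfaces discussed above: it reports which of the affected roles (RD Gateway, MSMQ, AD DS/LDAP, Hyper-V) are installed, prints the loaded CLFS driver version for reference, and lists any updates installed on or after the December 10, 2024 release date. The Server Manager feature names used in the map (RDS-Gateway, MSMQ-Server, AD-Domain-Services, Hyper-V) are assumptions taken from Server Manager's naming and should be confirmed with Get-WindowsFeature on your own build; the script does not decide whether a specific CVE is fixed, it only tells you where to look first.

```powershell
# Added example, not from the original post: December 2024 Patch Tuesday triage.
# Run in an elevated PowerShell session on Windows Server (Get-WindowsFeature is
# only available on Server SKUs).

$releaseDate = Get-Date '2024-12-10'   # December 2024 Patch Tuesday

# Attack surfaces called out in the post, mapped to Server Manager feature names.
# The feature names are assumed; verify with: Get-WindowsFeature | Select Name
$surfaces = [ordered]@{
    'Remote Desktop Gateway (9 Critical RCEs)'  = 'RDS-Gateway'
    'Message Queuing (MSMQ RCE)'                = 'MSMQ-Server'
    'Active Directory / LDAP (LDAP RCE + DoS)'  = 'AD-Domain-Services'
    'Hyper-V (Hyper-V RCE)'                     = 'Hyper-V'
}

$installedFeatures = Get-WindowsFeature |
    Where-Object { $_.Installed } |
    Select-Object -ExpandProperty Name

'--- Role exposure on {0} ---' -f $env:COMPUTERNAME
foreach ($entry in $surfaces.GetEnumerator()) {
    $state = if ($installedFeatures -contains $entry.Value) { 'PRESENT' } else { 'absent' }
    '{0,-45} {1}' -f $entry.Key, $state
}

# CLFS ships on every Windows install, so the CLFS EoP applies regardless of role.
# The version is printed for reference only; compare it against the advisory's
# fixed build for your OS version rather than hard-coding a number here.
$clfs = Get-Item (Join-Path $env:SystemRoot 'System32\drivers\clfs.sys')
'CLFS driver (clfs.sys) version: {0}' -f $clfs.VersionInfo.FileVersion

# Has anything been installed since Patch Tuesday? Get-HotFix reads the
# Win32_QuickFixEngineering view, which lists most (not all) security updates,
# so an empty result is a prompt to check Windows Update / WSUS, not proof of
# a missing patch.
$recent = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $releaseDate } |
    Sort-Object InstalledOn -Descending

if ($recent) {
    'Updates installed since {0:yyyy-MM-dd}:' -f $releaseDate
    $recent | Format-Table HotFixID, Description, InstalledOn -AutoSize
} else {
    'No updates recorded since {0:yyyy-MM-dd}; check Windows Update / WSUS.' -f $releaseDate
}
```

On workstations, where Get-WindowsFeature is unavailable, the role-exposure section can be dropped and the rest still runs; the Remote Desktop Client RCE applies there, so the same Get-HotFix check is the one worth keeping.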

Stay secure! Microsoft patched 74 vulnerabilities, including a zero-day and critical issues.
