ION Advisory: Microsoft December 2024 Patch Tuesday
Microsoft’s December Patch Tuesday update addresses 71 vulnerabilities, 16 of which are rated Critical. One vulnerability has been reported as exploited in the wild since the 10th of December, and 9 of them are Remote Code Execution (RCE) vulnerabilities affecting Remote Desktop Services.
Critical Vulnerabilities
None of the critical vulnerabilities listed below have been reported as actively exploited or publicly disclosed.
- Windows Remote Desktop Services Remote Code Execution Vulnerabilities (9 vulnerabilities: Sensitive Data Storage in Improperly Locked Memory, Type Confusion, and Insecure Variable Initialization weaknesses)
- CVE-2024-49106 & CVE-2024-49108 & CVE-2024-49115 & CVE-2024-49116 & CVE-2024-49119 & CVE-2024-49120 & CVE-2024-49123 & CVE-2024-4912 & CVE-2024-49132
- An attacker could successfully exploit these vulnerabilities by connecting to a system with the Remote Desktop Gateway role and then leveraging this to execute arbitrary code.
- CVE-2024-49126 – Windows Local Security Authority Subsystem Service (LSASS) Remote Code Execution Vulnerability
- An attacker could target server accounts with arbitrary or remote code execution, attempting to trigger malicious code in the context of the server’s account through a network call. The attacker needs no privileges, and the user does not need to perform any action.
- CVE-2024-49112 – Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability
- Exploitation against a Domain Controller acting as an LDAP server could succeed if a remote unauthenticated attacker sends specially crafted RPC calls to the target that trigger a lookup of the attacker’s domain. Exploitation in a client application requires the attacker to convince or trick the victim into connecting to a malicious LDAP server or into performing a domain controller lookup for the attacker’s domain; in that case, however, unauthenticated RPC calls would not succeed.
- Configuring Domain Controllers either to not access the internet or to not allow inbound RPC from untrusted networks protects against this vulnerability. Applying both configurations provides effective defense in depth.
- CVE-2024-49124 & CVE-2024-49127 – Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability
- An unauthenticated attacker could send a specially crafted request to a vulnerable server and win a race condition. Successful exploitation could result in the attacker’s code running in the context of the SYSTEM account.
- CVE-2024-49118 & CVE-2024-49122 – Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerabilities
- To exploit these vulnerabilities, an attacker would need to send a specially crafted malicious MSMQ packet to an MSMQ server. This could result in remote code execution on the server, caused by memory being referenced after it has been freed (a use-after-free).
- CVE-2024-49117 – Windows Hyper-V Remote Code Execution Vulnerability
- This vulnerability would require an authenticated attacker on a guest VM to send specially crafted file operation requests from the VM to hardware resources on the VM, which could result in remote code execution on the host server.
Active Exploitation
The following vulnerability has been reported as being actively exploited.
- CVE-2024-49138 – Windows Common Log File System Driver Elevation of Privilege Vulnerability
- An attacker who successfully exploited this heap-based buffer overflow vulnerability could gain SYSTEM privileges.
Countermeasures and Patches
- Apply patches as soon as possible, after appropriate testing.
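The firewall guidance given above for CVE-2024-49112 (do not allow inbound RPC to Domain Controllers from untrusted networks) can be audited with the Windows Firewall cmdlets. The script below is an added example, not Microsoft’s or the advisory’s own guidance; the trusted subnet list is a placeholder that must be replaced with the networks that actually need to reach the Domain Controller, and enforcement is off by default so the script only reports.

```powershell
# Added example: audit (and optionally scope) inbound Windows Firewall rules that
# allow RPC to a Domain Controller from any remote address.
# Trusted subnets are placeholders; replace them with the networks that must reach the DC.
$TrustedSubnets = @('10.0.0.0/8', '192.168.10.0/24')   # placeholder values
$Enforce = $false                                       # set to $true to apply the scoping

# RPC surface: the endpoint mapper (TCP/135, keyword RPCEPMap) and the dynamic
# port range (keyword RPC, or an explicit range that includes 49152).
function Test-RpcPort {
    param([string[]]$LocalPort)
    foreach ($p in $LocalPort) {
        if ($p -in @('RPC', 'RPCEPMap', '135')) { return $true }
        if ($p -match '^(\d+)-(\d+)$' -and [int]$Matches[1] -le 49152 -and [int]$Matches[2] -ge 49152) {
            return $true
        }
    }
    return $false
}

$findings = foreach ($rule in Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow) {
    $port = $rule | Get-NetFirewallPortFilter
    if ($port.Protocol -ne 'TCP' -or -not (Test-RpcPort $port.LocalPort)) { continue }
    $addr = $rule | Get-NetFirewallAddressFilter
    # RemoteAddress is the literal string 'Any' when the rule is not scoped.
    if ($addr.RemoteAddress -contains 'Any') {
        [pscustomobject]@{
            Name          = $rule.Name
            DisplayName   = $rule.DisplayName
            Profile       = $rule.Profile
            LocalPort     = ($port.LocalPort -join ',')
            RemoteAddress = 'Any'
        }
    }
}

if (-not $findings) { Write-Output 'No unscoped inbound RPC allow rules found.' }
$findings | Format-Table -AutoSize

# Windows Firewall blocks inbound traffic by default, so once every RPC allow rule
# is scoped to trusted subnets, RPC from untrusted networks is dropped.
if ($Enforce) {
    foreach ($f in $findings) {
        Set-NetFirewallRule -Name $f.Name -RemoteAddress $TrustedSubnets
    }
}
```

Review the reported rules against the Domain Controller’s actual clients before setting `$Enforce`, since domain members and replication partners still need RPC access.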
References
- SANS Internet Storm Center: Microsoft Patch Tuesday: December 2024
- Patch-A-Palooza: PatchaPalooza