Microsoft fixes exploited zero-day (CVE-2024-49138)

On December 2024 Patch Tuesday, Microsoft resolved 71 vulnerabilities in a variety of its products, including a zero-day (CVE-2024-49138) that’s been exploited by attackers in the wild to execute code with higher privileges.

CVE-2024-49138 exploited by attackers

CVE-2024-49138 stems from a heap-based buffer overflow vulnerability in the Windows Common Log File System (CLFS) Driver and can be exploited by attackers to elevate their privileges on the target host to SYSTEM, according to Microsoft.

The attack vector is local, which means that attackers can exploit it by accessing the target system locally (via keyboard or console) or remotely (e.g., via SSH). Alternatively, they may trick legitimate users into performing an actions that trigger the exploit (e.g., opening a malicious document).

The vulnerability, reported to Microsoft by CrowdStrike’s Advanced Research Team, has been exploited by attackers.

“Though in-the-wild exploitation details aren’t known yet, looking back at the history of CLFS driver vulnerabilities, it is interesting to note that ransomware operators have developed a penchant for exploiting CLFS elevation of privilege flaws over the last few years,” Satnam Narang, senior staff research engineer at Tenable, told Help Net Security.

“Since it is a privilege escalation, it is likely being paired with a code execution bug to take over a system. These tactics are often seen in ransomware attacks and in targeted phishing campaigns,” noted Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative.

Microsoft has patched two other elevation of privilege flaws in Windows Common Log File System Driver this Tuesday, but those are not under active exploitation (although their exploitation is “more likely”, so patch those as well).

Other vulnerabilities to patch quickly

Childs also urges users to quickly patch CVE-2024-49112, a vulnerability in Windows Lightweight Directory Access Protocol (LDAP) that can be exploited by remote, unauthenticated attackers by sending a specially crafted set of LDAP calls.

“LDAP is most commonly seen on servers that are Domain Controllers inside a Windows network and LDAP must be exposed to other servers and clients within an enterprise environment for the domain to function,” Rob Reeves, Principal Security Engineer at Immersive Labs told Help Net Security.

“Microsoft hasn’t released specific information about the vulnerability at present, but has indicated that the attack complexity is low and authentication is not required.”

As a mitigation (in case applying the update is impossible), Microsoft advises organizations to configure Domain Controllers either to not access the internet or to not allow inbound RPC connections from untrusted networks.

Among the vulnerabilities that are “more likely” to be exploited are CVE-2024-49114, a Windows Cloud Files Mini Filter Driver EoP flaw, and CVE-2024-49093, an EoP vulnerability in the Windows Resilient File System.

“The patch notes [for CVE-2024-49114] have striking similarities to other vulnerabilities reported in the same component that are actively being exploited and appeared on the CISA Known Exploited Vulnerabilities list late in 2023,” Breen commented, and pointed out that a proven and effective exploit with existing public examples could allow attackers to weaponize this vulnerability faster.