Learn about the critical importance of patch management and how Check Point can help secure systems against actively exploited vulnerabilities like the CLFS privilege escalation flaw.

Risks:

Privilege Escalation, Patch Management

Keywords:

Microsoft, CLFS vulnerability, Patch Tuesday, privilege escalation, NTLM, LDAP, ransomware

CVE:

CVE-2024-49138; CVE-2022-24521; CVE-2022-37969; CVE-2023-23376; CVE-2023-28252; CVE-2024-49112; CVE-2024-49117; CVE-2024-49105; CVE-2024-49063

Affected:

Microsoft Windows, Windows Common Log File System (CLFS), Windows Lightweight Directory Access Protocol (LDAP), Windows Hyper-V, Remote Desktop Client, Microsoft Muzic, NT LAN Manager (NTLM), Microsoft Exchange Server, Active Directory Certificate Services (AD CS), LDAP, Windows Server, Azure Directory Certificate Services, Windows Explorer

 

Overview of Microsoft's December 2024 Patch Tuesday

In December 2024, Microsoft released its final Patch Tuesday update for the year, addressing 72 security vulnerabilities across its software products. This update includes fixes for 17 Critical, 54 Important, and one Moderate severity flaws. Notably, 31 of these vulnerabilities are remote code execution issues, while 27 allow for privilege escalation.

Actively Exploited CLFS Vulnerability

One of the most critical vulnerabilities addressed is a privilege escalation flaw in the Windows Common Log File System (CLFS) driver, identified as CVE-2024-49138. This flaw has been actively exploited, allowing attackers to gain SYSTEM privileges. The vulnerability is the fifth of its kind in the CLFS driver since 2022, indicating a trend where malicious actors exploit these flaws for ransomware attacks.

Ransomware and Exploitation Trends

Ransomware operators have increasingly targeted CLFS elevation of privilege vulnerabilities, using them to navigate networks, steal data, and extort victims. This exploitation trend contrasts with the more patient tactics of advanced persistent threat groups.

Security Mitigations and Future Plans

To combat these vulnerabilities, Microsoft is implementing new security measures, including a verification step for parsing log files. This involves using Hash-based Message Authentication Codes (HMAC) to detect unauthorized modifications to log files. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this CLFS vulnerability to its Known Exploited Vulnerabilities catalog, requiring federal agencies to remediate it by the end of 2024.

Other Notable Vulnerabilities

Among the other critical vulnerabilities, the most severe is a remote code execution flaw in the Windows Lightweight Directory Access Protocol (LDAP), tracked as CVE-2024-49112. This vulnerability allows unauthenticated attackers to execute arbitrary code through LDAP calls.

Additional remote code execution flaws were found in Windows Hyper-V, Remote Desktop Client, and Microsoft Muzic, each posing significant risks.

Addressing NTLM Vulnerabilities

Microsoft is also addressing vulnerabilities in the NT LAN Manager (NTLM) protocol, which has been exploited through relay and pass-the-hash attacks. Plans are underway to deprecate NTLM in favor of Kerberos and to enable Extended Protection for Authentication (EPA) by default in various services, including Exchange Server and Azure Directory Certificate Services. These changes aim to mitigate NTLM relay attacks and enhance default security settings.

Updates from Other Vendors

In addition to Microsoft's updates, other vendors such as Adobe, AMD, Cisco, Google, and many others have released security patches to address various vulnerabilities. This highlights the industry's ongoing effort to protect against emerging threats.

 

Read More

https://thehackernews.com/2024/12/microsoft-fixes-72-flaws-including.html?m=1