WWW.COMPUTERWEEKLY.COM
Dangerous CLFS and LDAP flaws stand out on Patch Tuesday
Microsoft has issued fixes for 71 new Common Vulnerabilities and Exposures (CVEs) to mark the final Patch Tuesday of 2025, with a solitary zero-day that enables privilege elevation through the Windows Common Log File System Driver stealing the limelight.Assigned designation CVE-2024-49138 and credited to CrowdStrikes Advanced Research Team, the flaw stems from a heap-based buffer overflow in which improper bounds checking lets an attacker overwrite memory in the heap.It is considered relatively trivial to exploit by an attacker who to execute arbitrary code and gain system-level privileges that could be used to execute deeper and more impactful attacks, such as ransomware. Microsoft said it had observed CVE-2024-49138 being exploited in the wild.The CLFS driver is a core Windows component used by applications to write transaction logs, explained Mike Walters, president and co-founder of patch management specialist Action1.This vulnerability enables unauthorised privilege elevation by manipulating the driver's memory management, culminating in system-level access the highest privilege in Windows. Attackers gaining system privileges can perform actions such as disabling security protections, exfiltrating sensitive data, or installing persistent backdoors, he said.Walters explained that any Windows system dating back to 2008 that uses the standard CLFS component is vulnerable to this flaw, making it a potential headache across enterprise environments if not addressed quickly.The vulnerability is confirmed to be exploited in the wild and some information about the vulnerability has been publicly disclosed, but that disclosure may not include code samples, said Ivanti vice president of security products, Chris Goettl.The CVE is rated Important by Microsoft and has a CVSSv3.1 score of 7.8. Risk-based prioritisation would rate this vulnerability as Critical which makes the Windows OS update this month your top priority.In a year that saw Microsoft push over 1,000 bug fixes across 12 months, the second highest volume ever after 2020, as Dustin Childs of the Zero Day Initiative observed, December 2024 will stand out for a notably high volume of Critical vulnerabilities, 16 in total and all, without exception, leading to remote code execution (RCE).A total of nine of these vulnerabilities affect Windows Remote Desktop Services, while three are to be found in the Windows Lightweight Directory Access Protocol (LDAP), two in Windows Message Queuing (MSMQ) and one apiece in Windows Local Security Authority Subsystem Service (LSASS) and Windows Hyper-V.Of these, it is CVE-2024-49112 in Windows LDAP that probably warrants the closest attention, carrying an extreme CVSS score of 9.8 and affecting all versions of Windows since Windows 7 and Server 2008 R2. Left unaddressed, it allows an unauthenticated attacker to achieve RCE on the underlying server.LDAP is commonly seen on servers acting as Domain Controllers in a Windows network and the feature needs to be exposed to other servers, and clients, in an environment in order for the domain to function.Immersive Labs principal security engineer Rob Reeves explained: Microsoft has indicated that the attack complexity is low and authentication is not required.Furthermore, they advise that exposure of this service either via the internet or to untrusted networks should be stopped immediately.An attacker can make a series of crafted calls to the LDAP service and gain access within the context of that service, which will be running with System privileges, said Reeves.Because of the Domain Controller status of the machine account, it is assessed this will instantly allow the attacker to get access to all credential hashes within the domain. It is also assessed that an attacker will only need to gain low privileged access to a Windows host within a domain or a foothold within the network in order to exploit this service gaining complete control over the domain.Reeves told Computer Weekly that threat actors, particularly ransomware gangs, will be keenly trying to develop exploits for this flaw in the coming days because taking complete control of a Domain Controller in an Active Directory environment can get them access to every Windows machine on that domain.Environments which make use of Windows networks using Domain Controllers should patch this vulnerability as a matter of urgency and ensure that Domain Controllers are actively monitored for signs of exploitation, he warned.Read more about Patch TuesdayNovember 2024: High-profile vulns in NTLM, Windows Task Scheduler, Active Directory Certificate Services and Microsoft Exchange Server should be prioritised from Novembers Patch Tuesday update.October 2024: Stand-out vulnerabilities in Microsofts latest Patch Tuesday drop include problems in Microsoft Management Consoleand the Windows MSHTML Platform.September 2024: Four critical remote code execution bugs in Windows and three critical elevated privileges vulnerabilitieswill keep admins busy.August 2024: Microsoft patches six actively exploited zero-days among over 100 issuesduring its regular monthly update.July 2024: Microsoft has fixed almost 140 vulnerabilities in its latest monthly update, with a Hyper-V zero-daysingled out for urgent attention.June 2024: An RCE vulnerability in a Microsoft messaging feature and a third-party flaw in a DNS authentication protocol are the most pressing issues to address inMicrosofts latest Patch Tuesday update.May 2024: A critical SharePoint vulnerability warrants attention this month, but it is another flaw that seems to be linked to the infamous Qakbot malwarethat is drawing attention.April 2024: Support for the Windows Server 2008 OS ended in 2020, but four years on and there's a live exploit of a security flawthat impacts all Windows users.March 2024: Two critical vulnerabilities in Windows Hyper-V stand out onan otherwise unremarkable Patch Tuesday.February 2024: Two security feature bypasses impacting Microsoft SmartScreen are on the February Patch Tuesday docket,among more than 70 issues.January 2024: Microsoft starts 2024 right with another slimline Patch Tuesday drop, but there are some critical vulnerabilities to be alert to, including a number ofman-in-the-middle attack vectors.Finally, one little-regarded bug stands out this month, a flaw in Microsoft Muzic, tracked as CVE-2024-49063.The MicrosoftMuzicAI project is an interesting one, observed Ivantis Goettl.CVE-2024-49063is a remote code execution vulnerability in MicrosoftMuzic. To resolve this, CVE developers would need to take the latest build from GitHub to update their implementation.The vulnerability stems from deserialisation of untrusted data, leading to remote code execution if an attacker can create a malicious payload to execute.For those unfamiliar with the project, Microsoft Muzic is an ongoing research project looking at understanding and generating music using artificial intelligence (AI). Some of the projects features include automatic lyric transcription, song-writing and lyric generation, accompaniment generation and singing voice synthesis.
0 Comments
0 Shares
22 Views