Automox Experts Review 71 Vulnerabilities

The holiday season brings joy, celebration, and for cybersecurity professionals, a Patch Tuesday filled with a list of vulnerabilities that demand attention. December 2024 is no exception, with a lineup of 70 vulnerabilities (and 1 advisory) that highlight the importance of vigilance in protecting your systems.

While attackers are counting on organizations to be distracted, you can count on timely patches to keep systems and data secure. Before diving into this month's vulnerabilities, let's see how this month's Patch Tuesday stacks up.

Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability

Resilient File System (ReFS) is a file system designed by Microsoft for enhanced scalability and fault tolerance. Originally developed for Windows Server 2012, it has since been integrated into client operating systems like Windows 10 and 11.

ReFS provides features like data resilience, storage efficiency, and improved performance, making it an essential component in virtualization environments, databases, and backups.

CVE-2024-49093 (CVSS 8.8/10) revolves around a scope change (SC) that allows an attacker to elevate privileges from a low-privilege app container environment. Normally, app containers are designed to limit a process’s ability to access files, memory, and other resources. Exploiting this vulnerability enables attackers to escape those confines, gaining broader system-level access. This means they can interact with files, processes, and memory previously out of reach.

If an attacker successfully exploits this flaw, they could use the elevated privileges to move laterally across the environment, accessing sensitive data and potentially compromising additional systems. While it appears there haven’t been any active exploitations of this vulnerability yet, the potential impact underscores why patching is critical.

— Seth Hoyt, Senior Security Engineer, Automox

Windows Remote Desktop Services Remote Code Execution Vulnerability

CVE-2024-49132 (CVSS 8.1/10) affects Windows Remote Desktop Services and enables remote code execution by exploiting a "use-after-free" condition. A use-after-free occurs when a program reuses memory that has already been freed—an oversight enabling attackers to execute arbitrary code.

The exploit requires precise timing, making it an advanced attack. Specifically, if a user connects through the Remote Desktop Gateway role, an attacker could intentionally trigger the use-after-free scenario. Successfully exploited, this vulnerability can allow attackers to execute their code remotely, gaining control of the system.

While the technical requirements make this vulnerability difficult to exploit today, attackers are continually refining their methods. Over time, it's likely they’ll develop tools that simplify the attack process. Until then, there are no effective workarounds, making immediate patching your best chance to mitigate this risk. For environments relying on Remote Desktop Services, staying ahead of emerging exploitation techniques is key.

– Ryan Braunstein, Security Manager, Automox

Windows Common Log File System Driver Elevation of Privilege Vulnerability

The Common Log File System (CLFS) driver faces yet another challenge with CVE-2024-49138, an elevation of privilege vulnerability (CVSS 7.8/10). Exploitation of this flaw has already been detected, and public disclosure suggests that attackers are actively leveraging it.

CLFS is a logging service that supports user and kernel mode operations. While the details are still limited, the root cause likely ties back to improper data validation. This isn't surprising—about 19 out of the 24 CLFS-related CVEs in the past five years stemmed from logic bugs involving flawed data validation. At least three of those vulnerabilities had active exploits, further illustrating the need for robust patching.

Early indicators suggest that attackers might exploit this bug by using Windows APIs to manipulate log files or corrupt log data, triggering the vulnerability. The potential impact is substantial; successfully exploiting this error can grant SYSTEM-level privileges, effectively giving attackers complete control. With no feasible workarounds identified, immediate attention is necessary for any system running Windows Server, even those dating back to 2008.

– Henry Smith, Senior Security Engineer, Automox