December 2024 [Merry FIXmas and a Happy Patched Year]

Episode 14. Published December 10, 2024. 11 minute watch.

Summary

In this episode, the hosts discuss various cybersecurity vulnerabilities, particularly focusing on recent CVEs, including CVE-2024-49093, CVE-2024-49132, and CVE-2024-49138. They emphasize the importance of patching systems, especially during the holiday season when companies may be more vulnerable. The conversation highlights the need for awareness around phishing scams and other security threats that tend to increase during this time of year.

Transcript

Ryan Braunstein: Happy Patch Tuesday everyone and happy holidays welcome to another episode of our podcast everyone, it's that special time of year where attackers know a lot of companies are working with skeleton crews. So, Merry Fixmas from Automox. We've got quite the selection of vulns today. But first, let me introduce anyone who's new to the podcast to two of my esteemed coworkers here. Henry.

Henry Smith: Hello, I'm Henry and I'm a Senior Security Engineer here at Automox and I pretty much do whatever Ryan tells me to do.

Seth Hoyt: And I'm Seth Hoyt. I'm also a Senior Security Engineer here. And I tackle a lot of day-to-day stuff and basically anything that comes our way.

Ryan Braunstein: Seth? Yeah, awesome. What are you all feeling? I would say you all are the dream team. Absolutely. Yeah. What are you all feeling about this holiday season with this drop?

Henry Smith: Some could say we're the dream team.

Seth Hoyt: Yes.

Henry Smith: Spicy, per usual.

Ryan Braunstein: Yeah, yeah. I feel like it's just nonstop RCEs all year. I mean, it's just, there's so many on every single one of these Patch Tuesdays that we get. It really highlights the necessity of patching your systems and keeping everything up to date. Yeah. Seth, I think you have a really good one to start us off with.

Seth Hoyt: Yep. Yeah, let's dive in. So first one we got CVE-2024-49093 and this is a Windows Resilient File System, REFS, Elevation of Privilege Vulnerability. Now this guy, first off the REFS file system was actually developed for Windows Server 2012. It has since been integrated into Windows 10 and 11.

So since that is now on those operating systems, we've got to cover all those bases. Now, this specific vulnerability, it involves a scope change. And specifically, in this case, the attacker can start from a low-privilege app container environment, which those typically restrict execution, just designed to isolate processes and limit their access to other resources. So this vulnerability allows the attacker to elevate their privileges, obviously gaining access to a broader system level. So with the privilege escalation, the attacker will move from a lower privilege container to a higher privilege container, therefore granting them their elevated privileges and then also giving them access to additional resources, things like anything on the system from files, memory, processes, things that are outside of the app container. So the other things with REFS, just to make sure we understand, I mean, there's some of the features there.

You got your data resilience, scalability, improved performance, storage efficiency, things like that. So that does a lot in the Windows environment, especially within virtualization, databases, backups, storage spaces, things like that. So that's a brief on REFS. The impact here is now going to be, if you have those systems, like specifically Windows servers, then you can get in a situation where an attacker has escalated their privileges and then they can start going east-west, affecting other servers and things like that. That is, you know, that's what makes this one pretty dangerous. Now, you know, that being said, there haven't been any cases of this being exploited yet, but it's something to keep an eye out for and, you know, make sure you stay patched.

Ryan Braunstein: Cool. Anything to add? Yeah.

Henry Smith: Yeah, thanks for that. To say thanks for that bit of background, because REFS, that's a technology that I have, like, almost no knowledge of, so that's something that I need to look into now.

Seth Hoyt: Yeah, absolutely.

Ryan Braunstein: Yeah, definitely. Cool. Yeah, my vulnerability for today is CVE-2024-49132. It is a Windows Remote Desktop Services Remote Code Execution vulnerability. I feel like there's always some kind of Remote Desktop Services RCE or something coming around with it. This one's a little more nuanced. It's a pretty advanced vulnerability, but I'm sure over time, you know, there will be easier exploits for it. It's basically, it leads to like a use after free scenario. And for anyone who needs a little insight around that, use after free means under certain timing conditions, the system will reuse the freed memory from a program or application or process and allows the attacker to remotely execute their code.

So in this one, it's a race condition where it requires really precise timing to exploit it. If the user connects through the Remote Desktop Gateway role, they can force that use after free condition. Like, if they get a win there, they can arbitrarily run their code. And there's not really any reliable workaround for this besides patching your systems. And I definitely always stress in these scenarios where the complexity is high, like, always be aware that it's just going to get easier when people develop, like, easier exploitations around it, so to speak. So, but yeah, this one, it's, it's spicy, but, you know, there's a lot of effort to get to it. So, but yeah, so any insight on that, you all, or any questions? Yeah.

Henry Smith: No. Nothing beyond what you said.

Ryan Braunstein: Yeah, it's it is what it is. It's kind of an is what is it it is what it is kind of situation. But yeah. Henry.

Henry Smith: Well, speaking of exploitability, so if you look at CVE-2024-49138, it's the Windows Common Log File System Driver Elevation of Privilege Vulnerability. Now, as I just said, this one is showing exploitation's been detected and it is publicly disclosed. From what I can see, it looks like CrowdStrike actually did the research to find this one. And I imagine that they have plenty of data to show that it's being exploited. I'd definitely keep your eye out for that one. And it even looks to affect everything going back to, like, Windows Server 2008. And it reads that an attacker who successfully exploits this vulnerability could gain system privileges, which does check out from what I know about the Common Log File System Driver, or CLFS as I'll call it from now on. It's essentially just a logging service that can be used in user or kernel mode. There's not much detail at the time, but I would wager that the root issue is probably related to data validation, per usual. I feel like that's something I always talk about every time I'm on the podcast. And I mainly say that because I was just reading a Microsoft blog from August 24th about CLFS and some security vulnerabilities and mitigations that were coming out. And the blog stated that there have been 24 CVEs reported in the last five years around CLFS, and 19 of them involved exploiting a logic bug caused by, you guessed it, improper data validation. And at least three of them had active exploits.

So we're also not certain right now, like, what the attack surface would be yet, but I can only assume the bug is probably triggered by an attacker, you know, using a Windows API of some sort, like the CLFS API itself, or even like a file system API, to craft or corrupt a log file to contain badness. So I'm really keen to see what other kind of research comes out from this one, and not seeing any workarounds at this point other than, of course, patching. So to Ryan's point earlier, patch, patch, patch.

Ryan Braunstein: Yeah, and definitely, 'tis the season to get popped. Like it really, it really is. I just, I always stress this so much around the holidays. You know, November and December are just big times for people to get popped because they're either working on skeleton crews, they're distracted by family, what have you. It's, and attackers know it. So.

Henry Smith: Ha!

Seth Hoyt: Yeah, they really ramp up their phishing efforts around this time of year too. You got to watch out for gift card scams and fake UPS notifications. It's like, you're expecting a ton of packages this time of year, right? So they know that. They're going to pump those phishing numbers up. So yeah, you just got to be really careful always, but especially around the holidays.

Ryan Braunstein: Just, yeah. Yeah. Yeah, they gotta pump them numbers. Well, that'll about do it for us today. But everyone, we hope you have a great holiday season and we hope you all are safe out there. So from all of us over here, have a good one.

Henry Smith: Happy Holidays!

Ryan Braunstein: Happy holidays.

Seth Hoyt: See ya.