December 11, 2024

Breaking Down the Latest December 2024 Patch Tuesday Report


Microsoft December 2024 Patch Tuesday Fixes 73 Vulnerabilities

Microsoft has wrapped up 2024 by addressing 73 vulnerabilities in its December Patch Tuesday security updates. This release includes fixes for one actively exploited zero-day vulnerability, with 16 flaws rated as Critical and 54 as Important severity across Windows, Office, Dynamics, Azure, and other products.

Among the highlights is an actively exploited zero-day vulnerability (CVE-2024-49138) in the Windows Common Log File System Driver that could allow attackers to gain SYSTEM privileges. The critical vulnerabilities include multiple remote code execution flaws affecting Windows Remote Desktop Services, Windows LDAP, LSASS, Message Queuing, and Hyper-V components.

This month also sees patches for key products including Windows Server, Microsoft Office, SharePoint, Exchange Server, Azure, and Dynamics 365. Notable fixes address remote code execution vulnerabilities in Office, information disclosure in Windows components, and multiple elevation of privilege flaws across the Windows ecosystem.

In this monthly report, we'll analyze the zero-day threat along with other critical security issues addressed. Our analysis covers severity ratings, exploitation vectors, and remediation guidance to help prioritize patching. Whether you manage Windows clients, servers, or cloud services, applying these final security updates helps secure environments as 2024 comes to a close.

Key Highlights - Patch Tuesday December 2024

In December's Patch Tuesday, Microsoft addressed 73 flaws, including one actively exploited zero-day vulnerability. This update included patches across categories like elevation of privilege, remote code execution, spoofing, denial of service, and information disclosure vulnerabilities.

The key affected products in this release span across Microsoft's product range, including Windows, Office, Exchange Server, Azure, Dynamics, and others. It is crucial for administrators and end users to apply these security updates promptly to protect their systems from these vulnerabilities.

The key highlights are:

  1. Total Flaws and Zero-Day Vulnerability: This update resolves 73 total bugs, with 16 critical and 54 important severity vulnerabilities. One actively exploited zero-day vulnerability (CVE-2024-49138) affecting the Windows Common Log File System Driver was patched.

  2. Critical Flaws: Among the patches, sixteen critical flaws were fixed, all being remote code execution vulnerabilities, including issues in Windows LDAP, LSASS, Message Queuing, and Hyper-V.

  3. Vulnerability Types: The vulnerabilities addressed include 30 Remote Code Execution vulnerabilities, 27 Elevation of Privilege vulnerabilities, 7 Information Disclosure vulnerabilities, 5 Denial of Service vulnerabilities, and 1 Spoofing vulnerability.

  4. Zero-Day Threat: The actively exploited zero-day allows attackers to gain SYSTEM privileges through the Windows Common Log File System Driver. CrowdStrike's Advanced Research Team discovered this vulnerability.

  5. Critical-Rated Bugs: Notable critical bugs include remote code execution vulnerabilities in Windows Remote Desktop Services, Windows LDAP client and server components, LSASS, Message Queuing (MSMQ), and a Hyper-V container escape vulnerability.

  6. Non-Critical Notables: Other major issues include remote code execution vulnerabilities in Office related to FBX 3D model files, SharePoint server, ODBC driver, and privilege escalations in Windows Subsystem for Linux and the kernel.

Zero-day Vulnerabilities Patched in December 2024

One zero-day vulnerability was addressed in Microsoft's December Patch Tuesday release. This vulnerability is notable because it was being actively exploited in the wild prior to patches being made available.

CVE-2024-49138 - Windows Common Log File System Driver Elevation of Privilege Vulnerability

Vulnerability type: Elevation of Privilege

Affected product: Windows Common Log File System Driver

CVSS v3 base score: 7.8

Severity rating: Important

The Common Log File System (CLFS) is a general-purpose logging service that can be used by software clients running in user or kernel mode. CLFS has applications in data management, database systems, messaging, Online Transactional Processing (OLTP) systems, and other types of transactional systems.

The vulnerability allows attackers to gain SYSTEM privileges on Windows devices. While Microsoft has not released detailed information about how the flaw was exploited in attacks, the weakness is classified as CWE-122: Heap-based Buffer Overflow, which typically leads to crashes or denial of service but can also enable code execution.

This marks the first CLFS zero-day vulnerability Microsoft has published in 2024, following a series of similar CLFS zero-days in recent years including CVE-2022-24521, CVE-2023-23376, CVE-2022-37969, and CVE-2023-28252. The vulnerability was discovered by the Advanced Research Team at CrowdStrike.

CISA has added CVE-2024-49138 to its Known Exploited Vulnerabilities Catalog and has requested organizations to patch it before December 31, 2024.

The persistent discovery of zero-day vulnerabilities in CLFS suggests that unless Microsoft performs a complete replacement of the aging CLFS codebase rather than implementing specific fixes, more such vulnerabilities may emerge in the future. Patches are available for all supported versions of Windows.

The table below summarizes the zero-day vulnerability patched in December 2024:

| CVE ID | Description | Exploited? | Publicly disclosed? | CVSSv3 Score |
| --- | --- | --- | --- | --- |
| CVE-2024-49138 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Yes | Yes | 7.8 |

Critical Vulnerabilities Patched in December 2024

Among the 73 vulnerabilities patched this month, 16 were rated as Critical, all being remote code execution vulnerabilities. Let's examine the most significant critical flaws:

CVE-2024-49117 - Windows Hyper-V Remote Code Execution Vulnerability

Vulnerability type: Remote Code Execution

Affected product: Windows Hyper-V

CVSS v3 base score: 8.8

Severity rating: Critical

Windows Hyper-V is a Microsoft virtualization technology that allows users to create and run Virtual Machines (VMs) on a physical host. An authenticated attacker on a guest VM must send specially crafted file operation requests to hardware resources on the VM to exploit the vulnerability. Successful exploitation could result in a cross-VM attack, compromising multiple virtual machines and expanding the attack's impact beyond the initially targeted VM.

CVE-2024-49124 - Lightweight Directory Access Protocol (LDAP) Client Remote Code Execution Vulnerability

Vulnerability type: Remote Code Execution

Affected product: LDAP Client

CVSS v3 base score: 8.1

Severity rating: Critical

An unauthenticated attacker must win a race condition and send a specially crafted request to a vulnerable server to exploit this vulnerability. The LDAP protocol operates above the TCP/IP stack and helps connect, browse, and edit online directories. Successful exploitation could allow an attacker to execute code in the context of the SYSTEM account.

CVE-2024-49126 - Windows Local Security Authority Subsystem Service (LSASS) Remote Code Execution Vulnerability

Vulnerability type: Remote Code Execution

Affected product: Windows LSASS

CVSS v3 base score: 8.1

Severity rating: Critical

LSASS is responsible for enforcing security policy on Windows systems, handling tasks such as user authentication and password changes. An unauthenticated attacker must win a race condition to exploit the vulnerability. Successful exploitation could result in remote code execution in the context of the server's account through a network call.

CVE-2024-49122 & CVE-2024-49118 - Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability

Vulnerability type: Remote Code Execution

Affected product: Microsoft Message Queuing

CVSS v3 base score: 8.1

Severity rating: Critical

These vulnerabilities affect the Message Queuing protocol, which ensures reliable communication between Windows computers across different networks. To exploit these vulnerabilities, an attacker must send a malicious MSMQ packet to an MSMQ server. Successful exploitation could enable remote code execution on the server side.

CVE-2024-49112, CVE-2024-49127 - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerabilities

Vulnerability type: Remote Code Execution

Affected product: Windows LDAP

CVSS v3 base score: 9.8, 8.1

Severity rating: Critical

These critical vulnerabilities in Windows LDAP could allow an unauthenticated attacker to execute arbitrary code by sending specially crafted LDAP calls. Successful exploitation could result in code execution within the context of the SYSTEM account.

Windows Remote Desktop Services Remote Code Execution Vulnerabilities

Nine critical remote code execution vulnerabilities were patched in Windows Remote Desktop Services (CVE-2024-49106, CVE-2024-49108, CVE-2024-49115, CVE-2024-49116, CVE-2024-49119, CVE-2024-49120, CVE-2024-49123, CVE-2024-49128, & CVE-2024-49132). These vulnerabilities could allow an attacker to perform remote code execution by connecting to a system with the Remote Desktop Gateway role and triggering a race condition to create a use-after-free scenario.

The table below summarizes the critical vulnerabilities patched in December 2024:

| CVE ID | Description | CVSS Score | Severity |
| --- | --- | --- | --- |
| CVE-2024-49112 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | 9.8 | Critical |
| CVE-2024-49117 | Windows Hyper-V Remote Code Execution Vulnerability | 8.8 | Critical |
| CVE-2024-49124 | Lightweight Directory Access Protocol (LDAP) Client Remote Code Execution Vulnerability | 8.1 | Critical |
| CVE-2024-49126 | Windows Local Security Authority Subsystem Service (LSASS) Remote Code Execution Vulnerability | 8.1 | Critical |
| CVE-2024-49122 | Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability | 8.1 | Critical |
| CVE-2024-49118 | Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability | 8.1 | Critical |
| CVE-2024-49127 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | 8.1 | Critical |
| CVE-2024-49106 | Windows Remote Desktop Services Remote Code Execution Vulnerability | 8.1 | Critical |
| CVE-2024-49108 | Windows Remote Desktop Services Remote Code Execution Vulnerability | 8.1 | Critical |
| CVE-2024-49115 | Windows Remote Desktop Services Remote Code Execution Vulnerability | 8.1 | Critical |
| CVE-2024-49116 | Windows Remote Desktop Services Remote Code Execution Vulnerability | 8.1 | Critical |
| CVE-2024-49119 | Windows Remote Desktop Services Remote Code Execution Vulnerability | 8.1 | Critical |
| CVE-2024-49120 | Windows Remote Desktop Services Remote Code Execution Vulnerability | 8.1 | Critical |
| CVE-2024-49123 | Windows Remote Desktop Services Remote Code Execution Vulnerability | 8.1 | Critical |
| CVE-2024-49128 | Windows Remote Desktop Services Remote Code Execution Vulnerability | 8.1 | Critical |
| CVE-2024-49132 | Windows Remote Desktop Services Remote Code Execution Vulnerability | 8.1 | Critical |
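
One way to turn the KEV deadline and the critical entries above into a per-host patch order, as an added example that is not part of the original article. The KEV record, the host inventory and the role tags are constructed, and ranking KEV-listed CVEs ahead of higher CVSS scores is an assumption of the example.

```python
import json
from datetime import date

# Constructed record in the shape of CISA's KEV JSON feed ("cveID", "dueDate").
# The due date is the deadline this article quotes for CVE-2024-49138.
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-49138", "dueDate": "2024-12-31"},
]})

# (CVE, CVSS score, required role) taken from this article; a subset.
# The role tags are hypothetical labels. None means the article names no
# role or service precondition for the flaw.
ADVISORIES = [
    ("CVE-2024-49138", 7.8, None),          # CLFS driver, zero-day
    ("CVE-2024-49112", 9.8, None),          # Windows LDAP
    ("CVE-2024-49117", 8.8, "hyper-v"),     # Hyper-V
    ("CVE-2024-49122", 8.1, "msmq"),        # needs an MSMQ server
    ("CVE-2024-49106", 8.1, "rd-gateway"),  # needs the RD Gateway role
]

# Constructed inventory: host name -> roles/services enabled on it.
HOSTS = {
    "rdgw01": {"rd-gateway"},
    "hv01": {"hyper-v"},
    "app07": {"msmq"},
    "ws-114": set(),
}


def load_kev_due_dates(feed_text):
    """Map CVE ID -> remediation due date from KEV-style JSON."""
    feed = json.loads(feed_text)
    return {v["cveID"]: date.fromisoformat(v["dueDate"])
            for v in feed["vulnerabilities"]}


def patch_plan(roles, today, kev_due):
    """Return the advisories that apply to one host, most urgent first."""
    rows = []
    for cve, cvss, role in ADVISORIES:
        if role is not None and role not in roles:
            continue  # component not present on this host
        due = kev_due.get(cve)
        rows.append({
            "cve": cve,
            "cvss": cvss,
            "kev": due is not None,
            # Negative once the KEV deadline has passed.
            "days_left": (due - today).days if due else None,
        })
    # Known exploitation outranks a higher base score; then CVSS descending.
    rows.sort(key=lambda r: (not r["kev"], -r["cvss"], r["cve"]))
    return rows


def fleet_plan(hosts, today, kev_feed=KEV_FEED):
    """Build a per-host patch order for the whole inventory."""
    kev_due = load_kev_due_dates(kev_feed)
    return {name: patch_plan(roles, today, kev_due)
            for name, roles in hosts.items()}


if __name__ == "__main__":
    for host, rows in fleet_plan(HOSTS, date(2024, 12, 11)).items():
        print(host)
        for r in rows:
            note = f"KEV, {r['days_left']} days left" if r["kev"] else "not in KEV sample"
            print(f"  {r['cve']}  CVSS {r['cvss']}  {note}")
```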

Vulnerabilities by Category

In total, 73 vulnerabilities were addressed in December's Patch Tuesday. Remote Code Execution flaws top the list with 30 patches, followed by Elevation of Privilege with 27 vulnerabilities. The rest consist of 7 Information Disclosure, 5 Denial of Service, and 1 Spoofing vulnerability.

Here is the breakdown of the categories patched this month:

  1. Remote Code Execution – 30

  2. Elevation of Privilege – 27

  3. Information Disclosure – 7

  4. Denial of Service – 5

  5. Spoofing – 1

The table below shows the CVE IDs mapped to these vulnerability types from Microsoft's December 2024 Patch Tuesday:

| Vulnerability Category | CVE IDs |
| --- | --- |
| Remote Code Execution | CVE-2024-49117, CVE-2024-49124, CVE-2024-49126, CVE-2024-49122, CVE-2024-49118, CVE-2024-49112, CVE-2024-49127, CVE-2024-49106, CVE-2024-49108, CVE-2024-49115, CVE-2024-49116, CVE-2024-49119, CVE-2024-49120, CVE-2024-49123, CVE-2024-49128, CVE-2024-49132, CVE-2024-49085, CVE-2024-49086, CVE-2024-49102, CVE-2024-49104, CVE-2024-49125, CVE-2024-49080, CVE-2024-49089, CVE-2024-49091, CVE-2024-49070, CVE-2024-49069, CVE-2024-49142, CVE-2024-49065, CVE-2024-49063, CVE-2024-49079 |
| Elevation of Privilege | CVE-2024-49138, CVE-2024-49093, CVE-2024-49114, CVE-2024-49088, CVE-2024-49090, CVE-2024-49084, CVE-2024-49072, CVE-2024-49076, CVE-2024-49074, CVE-2024-49107, CVE-2024-49097, CVE-2024-49095, CVE-2024-49073, CVE-2024-49092, CVE-2024-49077, CVE-2024-49078, CVE-2024-49083, CVE-2024-49110, CVE-2024-49094, CVE-2024-49101, CVE-2024-49111, CVE-2024-49081, CVE-2024-49109, CVE-2024-49059, CVE-2024-43600, CVE-2024-49068, CVE-2024-43594 |
| Information Disclosure | CVE-2024-49082, CVE-2024-49087, CVE-2024-49098, CVE-2024-49099, CVE-2024-49103, CVE-2024-49064, CVE-2024-49062 |
| Denial of Service | CVE-2024-49129, CVE-2024-49121, CVE-2024-49113, CVE-2024-49096, CVE-2024-49075 |
| Spoofing | CVE-2024-49041 |

List of Products Patched in December 2024 Patch Tuesday Report

Microsoft's December 2024 Patch Tuesday includes updates for a broad range of its products, applications, and services. Here are the applications and product components that have received patches:

| Product Name | No. of Vulnerabilities Patched |
| --- | --- |
| Windows | 16 |
| Windows Remote Desktop Services | 11 |
| Windows Wireless Wide Area Network Service | 8 |
| Windows Mobile Broadband | 7 |
| Windows LDAP - Lightweight Directory Access Protocol | 5 |
| Windows Routing and Remote Access Service (RRAS) | 6 |
| Microsoft Office | 4 |
| Windows Message Queuing | 3 |
| Microsoft Office SharePoint | 4 |
| Windows Common Log File System Driver | 3 |
| Azure | 2 |
| Windows Kernel | 2 |
| Windows PrintWorkflowUserSvc | 2 |
| Microsoft Edge (Chromium-based) | 2 |
| Windows Hyper-V | 1 |
| Microsoft SharePoint Server | 1 |
| Microsoft ODBC Driver | 1 |
| Microsoft Bluetooth Driver | 1 |
| Windows Resilient File System (ReFS) | 1 |
| Windows Subsystem for Linux | 1 |
| Windows File Explorer | 1 |
| Windows Task Scheduler | 1 |
| Windows Local Security Authority Subsystem Service (LSASS) | 1 |
| WmsRepair Service | 1 |
| System Center Operations Manager | 1 |

Complete List of Vulnerabilities Patched in December 2024 Patch Tuesday

Download the complete list of vulnerabilities by products patched in December 2024 Patch Tuesday here. 

Browser vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
|  | Microsoft Edge (Chromium-based) Spoofing Vulnerability | No | No | 4.3 |
|  | Chromium: CVE-2024-12053 Type Confusion in V8 | No | No | N/A |

Developer Tools vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
|  | Microsoft/Muzic Remote Code Execution Vulnerability | No | No | 8.4 |

Microsoft Office vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
|  | Microsoft SharePoint Elevation of Privilege Vulnerability | No | No | 8.2 |
|  | Microsoft Office Elevation of Privilege Vulnerability | No | No | 7.8 |
|  | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 |
|  | Microsoft Access Remote Code Execution Vulnerability | No | No | 7.8 |
|  | Microsoft SharePoint Remote Code Execution Vulnerability | No | No | 7.4 |
|  | Microsoft Office Elevation of Privilege Vulnerability | No | No | 7 |
|  | Microsoft SharePoint Information Disclosure Vulnerability | No | No | 6.5 |
|  | Microsoft SharePoint Information Disclosure Vulnerability | No | No | 6.5 |
|  | Microsoft Office Remote Code Execution Vulnerability | No | No | 5.5 |

System Center vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
|  | Microsoft Defender for Endpoint on Android Spoofing Vulnerability | No | No | 8.1 |
|  | System Center Operations Manager Elevation of Privilege Vulnerability | No | No | 7.3 |

Windows vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
|  | Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability | No | No | 8.8 |
|  | Windows Hyper-V Remote Code Execution Vulnerability | No | No | 8.8 |
|  | Windows Remote Desktop Services Remote Code Execution Vulnerability | No | No | 8.1 |
|  | Windows Remote Desktop Services Remote Code Execution Vulnerability | No | No | 8.1 |
|  | Windows Remote Desktop Services Remote Code Execution Vulnerability | No | No | 8.1 |
|  | Windows Remote Desktop Services Remote Code Execution Vulnerability | No | No | 8.1 |
|  | Windows Remote Desktop Services Remote Code Execution Vulnerability | No | No | 8.1 |
|  | Windows Remote Desktop Services Remote Code Execution Vulnerability | No | No | 8.1 |
|  | Windows Remote Desktop Services Remote Code Execution Vulnerability | No | No | 8.1 |
|  | Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability | No | No | 7.8 |
|  | Windows Kernel-Mode Driver Elevation of Privilege Vulnerability | No | No | 7.8 |
|  | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | No | No | 7.8 |
|  | Windows Remote Desktop Services Denial of Service Vulnerability | No | No | 7.5 |
|  | WmsRepair Service Elevation of Privilege Vulnerability | No | No | 7.3 |
|  | Windows PrintWorkflowUserSvc Elevation of Privilege Vulnerability | No | No | 7 |
|  | Windows PrintWorkflowUserSvc Elevation of Privilege Vulnerability | No | No | 7 |
|  | Windows Mobile Broadband Driver Elevation of Privilege Vulnerability | No | No | 6.8 |
|  | Windows Mobile Broadband Driver Elevation of Privilege Vulnerability | No | No | 6.8 |
|  | Windows Mobile Broadband Driver Elevation of Privilege Vulnerability | No | No | 6.8 |
|  | Windows Mobile Broadband Driver Elevation of Privilege Vulnerability | No | No | 6.8 |
|  | Windows Mobile Broadband Driver Elevation of Privilege Vulnerability | No | No | 6.8 |
|  | Windows Mobile Broadband Driver Elevation of Privilege Vulnerability | No | No | 6.8 |
|  | Wireless Wide Area Network Service (WwanSvc) Elevation of Privilege Vulnerability | No | No | 6.6 |
|  | Wireless Wide Area Network Service (WwanSvc) Elevation of Privilege Vulnerability | No | No | 6.6 |
|  | Wireless Wide Area Network Service (WwanSvc) Elevation of Privilege Vulnerability | No | No | 6.6 |
|  | Wireless Wide Area Network Service (WwanSvc) Elevation of Privilege Vulnerability | No | No | 6.6 |
|  | Wireless Wide Area Network Service (WwanSvc) Elevation of Privilege Vulnerability | No | No | 6.6 |
|  | Windows Mobile Broadband Driver Information Disclosure Vulnerability | No | No | 4.6 |
|  | Windows Wireless Wide Area Network Service (WwanSvc) Information Disclosure Vulnerability | No | No | 4.3 |
|  | Windows Wireless Wide Area Network Service (WwanSvc) Information Disclosure Vulnerability | No | No | 4.3 |
|  | Windows Wireless Wide Area Network Service (WwanSvc) Information Disclosure Vulnerability | No | No | 4.3 |

Windows ESU vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score |
| --- | --- | --- | --- | --- |
|  | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | No | No | 9.8 |
|  | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | No | 8.8 |
|  | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | No | 8.8 |
|  | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | No | 8.8 |
|  | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | No | 8.8 |
|  | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | No | 8.8 |
|  | Windows IP Routing Management Snapin Remote Code Execution Vulnerability | No | No | 8.8 |
|  | Windows Remote Desktop Services Remote Code Execution Vulnerability | No | No | 8.1 |
|  | Windows Remote Desktop Services Remote Code Execution Vulnerability | No | No | 8.1 |
|  | Windows Local Security Authority Subsystem Service (LSASS) Remote Code Execution Vulnerability | No | No | 8.1 |
|  | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability | No | No | 8.1 |
|  | Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability | No | No | 8.1 |
|  | Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability | No | No | 8.1 |
|  | Lightweight Directory Access Protocol (LDAP) Client Remote Code Execution Vulnerability | No | No | 8.1 |
|  | Windows Task Scheduler Elevation of Privilege Vulnerability | No | No | 7.8 |
|  | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Yes | Yes | 7.8 |
|  | Windows Common Log File System Driver Elevation of Privilege Vulnerability | No | No | 7.8 |
|  | Windows Common Log File System Driver Elevation of Privilege Vulnerability | No | No | 7.8 |
|  | Input Method Editor (IME) Remote Code Execution Vulnerability | No | No | 7.8 |
|  | Windows Remote Desktop Gateway (RD Gateway) Denial of Service Vulnerability | No | No | 7.5 |
|  | Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability | No | No | 7.5 |
|  | Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability | No | No | 7.5 |
|  | Microsoft Message Queuing (MSMQ) Denial of Service Vulnerability | No | No | 7.5 |
|  | Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability | No | No | 7.2 |
|  | Windows Domain Name Service Remote Code Execution Vulnerability | No | No | 7.2 |
|  | Windows Kernel Elevation of Privilege Vulnerability | No | No | 7 |
|  | Windows File Explorer Information Disclosure Vulnerability | No | No | 6.8 |

Bottom Line

Microsoft's December 2024 Patch Tuesday addressed 73 vulnerabilities, including one actively exploited zero-day flaw that allows attackers to gain SYSTEM privileges on Windows devices.

This release fixed a variety of vulnerability types, with remote code execution flaws being most prevalent at 30 instances followed by elevation of privilege issues with 27 patches. Among the notable critical bugs are remote code execution vulnerabilities in Windows Remote Desktop Services, LDAP, LSASS, Message Queuing, and a Hyper-V container escape vulnerability.

The critical vulnerabilities addressed this month consist of:

  • CVE-2024-49112 - A critical Windows LDAP remote code execution vulnerability with a CVSS score of 9.8

  • CVE-2024-49117 - A Windows Hyper-V remote code execution vulnerability allowing VM escape

  • Nine critical RCE vulnerabilities in Windows Remote Desktop Services

  • Multiple critical remote code execution flaws in Message Queuing and LDAP components

The actively exploited zero-day vulnerability (CVE-2024-49138) in the Windows Common Log File System Driver represents an ongoing threat that administrators should prioritize patching.

In total, Microsoft addressed:

  • 16 Critical vulnerabilities

  • 54 Important vulnerabilities

  • 1 Actively exploited zero-day

  • 30 Remote Code Execution flaws

  • 27 Elevation of Privilege vulnerabilities

  • Multiple vulnerabilities affecting core Windows components and services

We aim to keep readers informed each month in our Patch Tuesday reports. Please follow our website thesecmaster.com or subscribe to our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram to receive similar updates.

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
