Closing out 2024, Microsoft's December Patch Tuesday highlights the importance of year-end maintenance with updates tackling critical vulnerabilities. As cyber threats remain persistent, these patches serve as a vital reminder of the ongoing need for robust system security.

Microsoft Patch Tuesday for December 2024

Microsoft Patch's Tuesday, December 2024 edition addressed 73 vulnerabilities, including 16 critical and 54 important severity vulnerabilities. In this month's updates, Microsoft has addressed one zero-day vulnerability known to be exploited in the wild.

Microsoft has addressed two vulnerabilities in Microsoft Edge (Chromium-based) in this month's updates.

Microsoft Patch Tuesday, December edition includes updates for vulnerabilities in Microsoft Defender for Endpoint, Windows Hyper-V, Windows Cloud Files Mini Filter Driver, Windows Remote Desktop, Windows Message Queuing, Windows Mobile Broadband, Windows Kernel-Mode Drivers, and more.

Microsoft has fixed several flaws in multiple software, including Spoofing, Denial of Service (DoS), Elevation of Privilege (EoP), Information Disclosure, and Remote Code Execution (RCE).

The December 2024 Microsoft vulnerabilities are classified as follows:

Zero-day Vulnerabilities Patched in December Patch Tuesday Edition

The Common Log File System (CLFS) is a general-purpose logging service used by software clients running in user or kernel mode. CLFS can be used for data management, database systems, messaging, Online Transactional Processing (OLTP) systems, and other kinds of transactional systems.

Upon successful exploitation, an attacker could gain SYSTEM privileges.

CISA added the CVE-2024-49138 to its Known Exploited Vulnerabilities Catalog and requested users to patch it before December 31, 2024.

Critical Severity Vulnerabilities Patched in December Patch Tuesday Edition

Windows Hyper-V is a Microsoft virtualization technology that allows users to create and run Virtual Machines (VMs) on a physical host.

An authenticated attacker on a guest VM must send specially crafted file operation requests to hardware resources on the VM to exploit the vulnerability. Upon successful exploitation, an attacker may execute a cross-VM attack, compromising multiple virtual machines and expanding the attack's impact beyond the initially targeted VM.

The Lightweight Directory Access Protocol (LDAP) operates a layer above the TCP/IP stack. The directory service protocol helps connect, browse, and edit online directories. The LDAP directory service is based on a client-server model that enables access to an existing directory. LDAP stores data in the directory and authenticates users to access the directory.

An unauthenticated attacker must win a race condition and send a specially crafted request to a vulnerable server to exploit the vulnerability. Successful exploitation of the vulnerability may allow an attacker to execute code in the context of the SYSTEM account.

Local Security Authority Subsystem Service (LSASS) is a process in Microsoft Windows operating systems responsible for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens.

An unauthenticated attacker must win a race condition to exploit the vulnerability. Successful exploitation of the vulnerability may result in remote code execution in the context of the server's account through a network call.

CVE-2024-49122 & CVE-2024-49118 : Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability

Message Queuing (MSMQ) is a protocol developed by Microsoft to ensure reliable communication between Windows computers across different networks, even when a host is temporarily not connected (by maintaining a message queue of undelivered messages).

To exploit this vulnerability, an attacker must send a malicious MSMQ packet to an MSMQ server. On successful exploitation, an attacker may perform remote code execution on the server side.

An unauthenticated attacker may exploit the vulnerability by sending a specially crafted set of LDAP calls. Upon successful exploitation an attacker may execute arbitrary code within the context of the LDAP service.

An unauthenticated attacker may send a specially crafted request to a vulnerable server. Successful exploitation of the vulnerability may result in remote code execution in the context of the SYSTEM account.

Windows Remote Desktop Services (RDS) licensing, also known as Remote Desktop Protocol (RDP) licensing, is a Windows component allowing users to control a remote computer over a network connection. RDS licensing is important when setting up RDS environments, and the Remote Desktop License Server is a critical element of this process.

An attacker may exploit the vulnerability by connecting to a system with the Remote Desktop Gateway role. An attacker could trigger the race condition to create a use-after-free scenario and perform remote code execution.

Other Microsoft Vulnerability Highlights

• CVE-2024-49070 is a remote code execution vulnerability in Microsoft SharePoint. Successful exploitation of the vulnerability may lead to remote code execution.
• CVE-2024-49093 is an elevation of privilege vulnerability in Windows Resilient File System (ReFS). Upon successful exploitation, an attacker may gain SYSTEM privileges.
• CVE-2024-49114 is an elevation of privilege vulnerability in Windows Cloud Files Mini Filter Driver. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.
• CVE-2024-49088 and CVE-2024-49090 are elevation of privilege vulnerabilities in theWindows Cloud Files Mini Filter Driver. Upon successful exploitation, an attacker may gain SYSTEM privileges.

Microsoft Release Summary

This month's release notes cover multiple Microsoft product families and products/versions affected, including, but not limited to, System Center Operations Manager, Microsoft Office, Microsoft Edge (Chromium-based), Microsoft Office SharePoint, GitHub, Microsoft Office Word, Microsoft Office Excel, Windows Task Scheduler, Windows Remote Desktop Services, Windows Virtualization-Based Security (VBS) Enclave, Microsoft Office Publisher, Windows IP Routing Management Snapin, Windows Wireless Wide Area Network Service, Windows File Explorer, Windows Kernel, Windows Routing and Remote Access Service (RRAS), Windows Common Log File System Driver, DNS Server, Windows Resilient File System (ReFS), Windows PrintWorkflowUserSvc, Remote Desktop Client, WmsRepair Service, Windows LDAP - Lightweight Directory Access Protocol, Windows Local Security Authority Subsystem Service (LSASS), and Microsoft Office Access.

With Qualys Policy Compliance's Out-of-the-Box Mitigation or Compensatory Controls reduce the risk of a vulnerability being exploited because the remediation (fix/Patch) cannot be done now. These security controls are not recommended by industry standards such as CIS, DISA-STIG.

Qualys Policy Compliance team releases these exclusive controls based on Vendor-suggested Mitigation/Workaround.

Mitigation refers to a setting, common configuration, or general best-practice existing in a default state that could reduce the severity of exploitation of a vulnerability.

A workaround is a method, sometimes used temporarily, for achieving a task or goal when the usual or planned method isn't working. Information technology often uses a workaround to overcome hardware, programming, or communication problems. Once a problem is fixed, a workaround is usually abandoned.

The next Patch Tuesday falls on January 14, and we will be back with details and patch analysis. Until next Patch Tuesday, stay safe and secure. Be sure to subscribe to 'This Month in Vulnerabilities and Patch's webinar.'

Qualys Monthly Webinar Series

The Qualys Research team hosts a monthly webinar series to help our existing customers leverage the seamless integration between Qualys Vulnerability Management Detection Response (VMDR) and Qualys Patch Management. Combining these two solutions can reduce the median time to remediate critical vulnerabilities.

During the webcast, we will discuss this month's high-impact vulnerabilities, including those that are a part of this month's Patch Tuesday alert. We will walk you through the necessary steps to address the key vulnerabilities using Qualys VMDR and Qualys Patch Management.

Join the webinar

This Month in Vulnerabilities & Patches

Related

Public link

Please use the above public link if you want to share this noodl on another website.