Introduction

A critical security vulnerability [4], CVE-2024-49138 [1] [2] [3] [4] [5] [6] [7] [8] [9] [10], has been identified in the Microsoft Windows Common Log File System (CLFS) Driver [5] [8]. This zero-day vulnerability poses significant risks to Windows systems, necessitating immediate attention and action from organizations to mitigate potential exploitation.

Description

A critical Windows zero-day vulnerability [4] [5], tracked as CVE-2024-49138 [5] [8] [10], has been identified in the Microsoft Windows Common Log File System (CLFS) Driver [5] [8], which serves as a logging service for both user-mode and kernel-mode software clients [6]. This heap-based buffer overflow vulnerability [4] [8] [9], categorized as CWE-122 [6], arises from improper bounds checking, allowing local attackers to overwrite memory in the heap and execute arbitrary code [4], thereby elevating their privileges to SYSTEM on the target host [9]. The flaw affects nearly all Windows devices, including Windows 10 Version 21H2 [7], Windows 11 Version 22H2 [7], and various versions of Windows Server [8]. With a CVSS score of 7.8 [1] [4] [5], this elevation of privilege flaw poses significant risks, including the potential to disable security protections, exfiltrate sensitive data [4], or install persistent backdoors [4]. The attack vector is local [9], so exploitation requires either direct access to the system or tricking a user into executing a malicious action [9], such as opening a harmful document [9].

This vulnerability is currently being exploited in the wild [2], underscoring the urgency for organizations to apply the patch immediately to safeguard their systems before the holiday season. Specific details regarding the extent or location of the exploitation have not been disclosed [10], but the flaw potentially allows attackers to manipulate log files or corrupt log data [5], leading to SYSTEM-level privileges on Windows Server [5].

Notably, this marks the first CLFS zero-day vulnerability published by Microsoft in 2024 [6], following a series of similar vulnerabilities in previous years [6], including CVE-2022-24521 [5] [6], CVE-2023-23376 [1] [6], CVE-2022-37969 [6], and CVE-2023-28252 [1] [6]. Patches addressing this vulnerability are available for all supported versions of Windows OS and Windows Server.

In addition to CVE-2024-49138 [5], the December update addresses two other vulnerabilities in the CLFS driver: CVE-2024-49090 and CVE-2024-49088, both rated as important with a CVSS score of 7.8 and assessed as “Exploitation More Likely” by Microsoft’s Exploitability Index [1]. The update also features several critical vulnerabilities [5], including CVE-2024-49112 [5], an unauthenticated remote code execution (RCE) issue in the Windows Lightweight Directory Access Protocol (LDAP) with a CVSS score of 9.8 [5], allowing cyberattackers to compromise Domain Controllers through specially crafted LDAP calls [5]. Another critical RCE vulnerability [5], CVE-2024-49117 [1] [2] [3] [4] [5] [6] [7] [8] [9] [10], affects Windows Hyper-V [5] [8], enabling code execution on the host OS from a guest virtual machine with basic authentication [5].

Furthermore, nine critical vulnerabilities impact Windows Remote Desktop Services [5], including CVE-2024-49132 [5], which allows RCE through a use-after-free memory condition [5]. Security experts have also highlighted CVE-2024-49093 [5], an elevation of privilege (EoP) vulnerability in the Windows Resilient File System (ReFS) [1] [5] [6], and CVE-2024-49063 [1] [5] [8] [10], an RCE vulnerability in the AI research project Muzic [5], both of which pose significant risks to system security [5]. Notably, CLFS driver vulnerabilities have been frequently targeted by ransomware operators in recent years [1], with ten such vulnerabilities patched in 2023, including two that were exploited as zero-days (CVE-2023-28252 and CVE-2023-23376) [1]. This marks the ninth vulnerability in the Windows CLFS driver patched in 2024 [1], underscoring a concerning trend in which elevation of privilege flaws are chained with code execution vulnerabilities. The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-49138 to its Known Exploited Vulnerabilities list [10], highlighting the critical nature of addressing this security issue. Organizations and individuals are strongly advised to apply the updates promptly through Windows Update or other tools to mitigate potential exploitation risks [7].
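As an added example (not code from any of the cited articles or from Microsoft), the following PowerShell snippet gives an administrator a quick way to verify the patch status described above on a single host: it reads the file version of the installed CLFS driver (clfs.sys), compares it against a minimum version supplied by the caller, and lists updates installed on or after the December 2024 Patch Tuesday. The minimum version used in the usage line is a PLACEHOLDER; the actual fixed build of clfs.sys for a given Windows version is not stated in the sources above and must be taken from Microsoft's Security Update Guide entry for CVE-2024-49138. The function names are the example's own.

```powershell
# Added example: local patch-status check for the CLFS driver.
# Not the project's or vendor's code; function names are hypothetical.

function Get-ClfsDriverVersion {
    # Return the installed clfs.sys file version as a comparable System.Version.
    $path = Join-Path $env:SystemRoot 'System32\drivers\clfs.sys'
    if (-not (Test-Path $path)) {
        throw "clfs.sys not found at $path"
    }
    $vi = (Get-Item $path).VersionInfo
    # Build the version from the four numeric parts rather than parsing the
    # FileVersion string, which may carry a trailing build tag.
    [System.Version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                          $vi.FileBuildPart, $vi.FilePrivatePart)
}

function Test-ClfsPatched {
    # Compare the installed driver against a caller-supplied minimum version.
    param(
        [Parameter(Mandatory)][System.Version]$MinimumVersion
    )
    $current = Get-ClfsDriverVersion
    [pscustomobject]@{
        Driver         = 'clfs.sys'
        CurrentVersion = $current
        MinimumVersion = $MinimumVersion
        Patched        = ($current -ge $MinimumVersion)
    }
}

function Get-RecentUpdates {
    # List installed updates on or after a given date (default: 2024-12-10,
    # the December 2024 Patch Tuesday). InstalledOn can be null for some
    # entries, so those are skipped rather than compared.
    param([datetime]$Since = (Get-Date '2024-12-10'))
    Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $Since } |
        Select-Object HotFixID, Description, InstalledOn |
        Sort-Object InstalledOn -Descending
}

# Usage. The version below is a PLACEHOLDER: replace it with the fixed
# clfs.sys build for this host's Windows version from the Microsoft
# Security Update Guide entry for CVE-2024-49138.
Test-ClfsPatched -MinimumVersion ([System.Version]'10.0.0.0') | Format-List
Get-RecentUpdates | Format-Table -AutoSize
```

The driver file version is only a proxy: cumulative updates replace clfs.sys, so a version at or above the fixed build is a reasonable indicator, but the authoritative check remains whether the December 2024 cumulative update (or a later one) for the host's build is reported as installed by Windows Update or the organization's patch management tooling.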

Conclusion

The discovery of CVE-2024-49138 and related vulnerabilities highlights the ongoing challenges in maintaining Windows system security. Immediate patching is crucial to prevent exploitation, especially given the active exploitation of these vulnerabilities. Organizations must remain vigilant, ensuring timely updates and adopting robust security measures to protect against future threats. The trend of targeting CLFS driver vulnerabilities by malicious actors underscores the need for continuous monitoring and proactive defense strategies.

References

[1] https://www.tenable.com/blog/microsofts-december-2024-patch-tuesday-addresses-70-cves-cve-2024-49138
[2] https://www.pdq.com/blog/patch-tuesday-december-2024/
[3] https://redmondmag.com/Articles/2024/12/10/Microsoft-Ends-2024-with-1-Zero-Day-Flaw.aspx
[4] https://www.computerweekly.com/news/366617075/Dangerous-CLFS-and-LDAP-flaws-stand-out-on-Patch-Tuesday
[5] https://www.darkreading.com/application-security/microsoft-zero-day-critical-rces-patch-tuesday
[6] https://www.rapid7.com/blog/post/2024/12/10/patch-tuesday-december-2024/
[7] https://cybersecuritynews.com/microsoft-patch-tuesday-december-2024/
[8] https://www.theverge.com/2024/12/10/24318141/microsoft-just-released-a-patch-for-an-actively-exploited-zero-day-vulnerability-in-windows
[9] https://www.helpnetsecurity.com/2024/12/10/december-2024-patch-tuesday-microsoft-zero-day-cve-2024-49138/
[10] https://cyberscoop.com/microsoft-patch-tuesday-december-2024/