Zero-Day Vulnerability (CVE-2024-49138) Exploit Observed in the Wild
CVE-2024-49138 is a privilege escalation vulnerability within the Microsoft Windows Common Log File System (CLFS) driver, categorized as Important in severity. CrowdStrike Counter Adversary Operations discovered and privately reported this vulnerability to Microsoft, which subsequently acknowledged, patched and confirmed its active exploitation in the wild.
Table 1. Zero-day in Microsoft Windows

| Severity | CVSS Score | CVE | Description |
| --- | --- | --- | --- |
| Important | 7.8 | CVE-2024-49138 | Windows Common Log File System Elevation of Privilege Vulnerability |
Three Critical Vulnerabilities in Lightweight Directory Access Protocol (LDAP) Client
CVE-2024-49112 is a Critical RCE vulnerability affecting the Windows LDAP Client with a CVSS score of 9.8. This vulnerability could allow an unprivileged attacker to run arbitrary code on an Active Directory Server by sending a specialized set of LDAP calls to the server. Microsoft recommends that all Active Directory servers be configured to not accept Remote Procedure Calls (RPCs) from untrusted networks in addition to patching this vulnerability. Due to the ease of exploitation and the significant risk this vulnerability poses to the Active Directory environment, it should be mitigated and patched quickly.
CVE-2024-49124 is a Critical RCE vulnerability affecting the Windows LDAP Client with a CVSS score of 8.1. Successful exploitation of this vulnerability would allow an unauthenticated remote attacker to use a specially crafted packet to leverage a cryptographic protocol within Windows Kerberos to carry out RCE.
CVE-2024-49127 is a Critical RCE vulnerability in the Windows LDAP Client with a CVSS score of 8.1. An unauthenticated attacker could send a specially crafted request to a vulnerable server. Successful exploitation of this vulnerability requires an attacker to win a race condition, which could then allow the attacker to execute code in the SYSTEM account.
Table 2. Critical vulnerabilities in Windows Lightweight Directory Access Protocol (LDAP)

| Severity | CVSS Score | CVE | Description |
| --- | --- | --- | --- |
| Critical | 9.8 | CVE-2024-49112 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability |
| Critical | 8.1 | CVE-2024-49124 | Windows Lightweight Directory Access Protocol (LDAP) Client Remote Code Execution Vulnerability |
| Critical | 8.1 | CVE-2024-49127 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability |
A Critical Vulnerability in Windows Hyper-V
CVE-2024-49117 is a Critical RCE vulnerability affecting Windows Hyper-V with a CVSS score of 8.8. Exploiting it requires an authenticated attacker on a guest virtual machine (VM) to send specially crafted file operation requests from the VM to the hardware resources exposed to it, which could result in RCE on the host server. Although this vulnerability is described as "remote," it requires local access to exploit: it allows arbitrary code execution, but the vulnerable endpoint is only reachable through the local VM interface, so an attacker must already have access to a guest VM on the host to carry out the attack.
Table 3. Critical vulnerability in Windows Hyper-V

| Severity | CVSS Score | CVE | Description |
| --- | --- | --- | --- |
| Critical | 8.8 | CVE-2024-49117 | Windows Hyper-V |
Two Critical Vulnerabilities in Microsoft Message Queuing
CVE-2024-49118 and CVE-2024-49122 are Critical RCE vulnerabilities affecting Microsoft Message Queuing (MSMQ) and both have a CVSS score of 8.1. Successful exploitation of these vulnerabilities requires an attacker to win a race condition. An attacker would need to send a specially crafted malicious MSMQ packet to a MSMQ server. This could result in RCE on the server side.
MSMQ has been highlighted in past CrowdStrike Patch Tuesday blogs and continues to see vulnerabilities disclosed. MSMQ is an attractive target for attackers because it is widely used by high-availability services such as Active Directory. For an attacker to exploit these vulnerabilities on a target system, the Windows Message Queuing service must be enabled and network traffic must be allowed on TCP port 1801. In addition to patching, Microsoft recommends checking whether the "Message Queuing" service is running and whether TCP port 1801 is listening on the machine; if the service is running but not being used, consider disabling it.
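The check Microsoft recommends above can be scripted. The following PowerShell audit is an added example, not code from the CrowdStrike post or from Microsoft; it assumes it runs in an elevated session on Windows Server 2012 or later (where `Get-NetTCPConnection` is available) and uses the service name `MSMQ`, which sits behind the "Message Queuing" display name. It reports the service state, any listener on TCP 1801 and the number of established MSMQ peers, and only disables the service when the `-DisableIfUnused` switch is given and no connections are active.

```powershell
# Added example: audit the two MSMQ exploitation prerequisites named in the post
# (service running, TCP 1801 listening) and optionally disable an unused service.
# Run in an elevated PowerShell session. Pass -DisableIfUnused only after confirming
# that no application on this host depends on Message Queuing.
param(
    [switch]$DisableIfUnused
)

$serviceName = 'MSMQ'   # service name behind the "Message Queuing" display name
$port        = 1801     # MSMQ network port referenced in the advisory

$svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Output "Message Queuing service is not installed on $env:COMPUTERNAME; nothing to do."
    return
}
Write-Output ("Service '{0}' status: {1}, start type: {2}" -f $svc.DisplayName, $svc.Status, $svc.StartType)

# Any socket bound to 1801 in LISTEN state means the host will accept MSMQ traffic.
$listeners = @(Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue)
if ($listeners.Count -gt 0) {
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        Write-Output ("TCP {0} is LISTENING on {1} (PID {2}, {3})" -f $port, $l.LocalAddress, $l.OwningProcess, $proc.ProcessName)
    }
} else {
    Write-Output "No listener on TCP $port."
}

# Established peers are a rough signal of whether MSMQ is actually in use here.
$active = @(Get-NetTCPConnection -LocalPort $port -State Established -ErrorAction SilentlyContinue)
Write-Output ("Established MSMQ connections: {0}" -f $active.Count)

if ($DisableIfUnused -and $svc.Status -eq 'Running' -and $active.Count -eq 0) {
    # Stop the service and prevent it from starting again until the patch is applied
    # and someone has confirmed the host really needs MSMQ.
    Stop-Service -Name $serviceName -Force
    Set-Service -Name $serviceName -StartupType Disabled
    Write-Output "Message Queuing service stopped and set to Disabled."
} elseif ($DisableIfUnused) {
    Write-Output "Service left unchanged: it is either not running or has active connections."
}
```

Run it without the switch first to inventory hosts; the established-connection count is only a point-in-time snapshot, so treat a zero as a prompt to confirm with the application owners rather than as proof that MSMQ is unused.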
Table 4. Critical vulnerabilities in Microsoft Message Queuing (MSMQ)

| Severity | CVSS Score | CVE | Description |
| --- | --- | --- | --- |
| Critical | 8.1 | CVE-2024-49118 | Microsoft Message Queuing Remote Code Execution Vulnerability |
| Critical | 8.1 | CVE-2024-49122 | Microsoft Message Queuing Remote Code Execution Vulnerability |
A Critical Vulnerability in Windows Local Security Authority Subsystem Service (LSASS)
CVE-2024-49126 is a Critical RCE vulnerability affecting Windows Local Security Authority Subsystem Service (LSASS) with a CVSS score of 8.1. Successful exploitation of this vulnerability requires an attacker to win a race condition. This vulnerability allows an attacker to remotely execute arbitrary code on a server without requiring special privileges or user interaction. The attacker can exploit this weakness through a network call, potentially gaining control over the server by running malicious code in the context of the server's account.
Table 5. Critical vulnerability in Windows Local Security Authority Subsystem Service (LSASS)

| Severity | CVSS Score | CVE | Description |
| --- | --- | --- | --- |
| Critical | 8.1 | CVE-2024-49126 | Windows Local Security Authority Subsystem Service (LSASS) |
Nine Critical Vulnerabilities in Windows Remote Desktop Services
The following nine vulnerabilities are Critical RCE vulnerabilities affecting Windows Remote Desktop Services, and all have a CVSS score of 8.1. An attacker could successfully exploit these vulnerabilities by connecting to a system with the Remote Desktop Gateway role, triggering a race condition to create a use-after-free scenario, and then leveraging this to execute arbitrary code.
Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strategies
As we have learned from other notable vulnerabilities, such as Log4j, not every highly exploitable vulnerability can be easily patched. As with the ProxyNotShell vulnerabilities, it is critically important to have a response plan for defending your environments when no patch is available.
Regular review of your patching strategy should still be a part of your program, but you should also look more holistically at your organization's methods for cybersecurity and improve your overall security posture.
The CrowdStrike Falcon platform regularly collects and analyzes trillions of endpoint events every day from millions of sensors deployed across 176 countries. Watch this demo to see the Falcon platform in action.
Learn More
Learn more about how CrowdStrike Falcon® Exposure Management can help you quickly and easily discover and prioritize vulnerabilities and other types of exposures here.
About CVSS Scores
The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article.
Additional Resources