Patch Tuesday December 2024

December 10, 2024

By Mike Walters

Patch Tuesday December 2024 Updates – Vulnerability Digest from Action1

This digest explains the most serious vulnerabilities in popular Windows software that have been patched over the past month.

For even more information, join our next Patch Tuesday webinar and visit our Patch Tuesday Watch page.

Microsoft Vulnerabilities

This final Patch Tuesday of 2024 delivers 70 vulnerability fixes from Microsoft, a noticeable decrease compared to the previous month, possibly signaling a seasonal slowdown as the year nears its end. Among these, 16 are classified as critical. Notably, only one zero-day vulnerability has been addressed, and it includes a proof of concept. Below are the highlights of the most noteworthy critical updates.

Windows Common Log File System Driver Elevation of Privilege Vulnerability (CVE-2024-49138)

CVE-2024-49138 is a zero-day Elevation of Privilege (EoP) vulnerability in the Windows Common Log File System (CLFS) driver. This vulnerability stems from a heap-based buffer overflow (CWE-122), where improper bounds checking allows attackers to overwrite critical memory sections in the heap. By exploiting this flaw, attackers can execute arbitrary code, leading to privilege escalation.

The CLFS driver is a core Windows component used by applications to write transaction logs. This vulnerability enables unauthorized privilege elevation by manipulating the driver’s memory management, culminating in SYSTEM-level access—the highest privilege in Windows. Attackers gaining SYSTEM privileges can perform actions such as disabling security protections, exfiltrating sensitive data, or installing persistent backdoors.

Key Details:

  • Attack Vector: Local (requires local access to the target system)
  • Attack Complexity: Low (accessible to a broad range of attackers due to straightforward exploitation)
  • Privileges Required: Low (requires only non-administrative access to initiate)
  • User Interaction: None (no user involvement needed for exploitation)
  • Public Disclosure: Yes
  • Exploited in the Wild: Yes, with a proof of concept available

Impact:

This vulnerability affects all Windows systems utilizing the CLFS driver, including both client and server versions, making it a significant threat in enterprise environments. Successful exploitation grants SYSTEM-level privileges, enabling attackers to:

  • Execute unauthorized actions
  • Disable security protections
  • Access sensitive data
  • Install persistent backdoors

If paired with a vulnerability enabling remote access, this flaw could allow attackers to compromise internal systems on a large scale.

Severity:

CVSS Base Score: 7.8 (High)
CVSS Temporal Score: 6.8

These scores highlight the critical risk associated with privilege escalation, especially when SYSTEM privileges are involved.

CVE-2024-49138 represents a serious security threat due to its ability to escalate privileges to SYSTEM level, facilitating complete system compromise. With verified exploitation already occurring, immediate action is critical to prevent breaches and minimize associated risks.

Remote Desktop Services: Critical Remote Code Execution Vulnerabilities

This Patch Tuesday includes nine critical remote code execution vulnerabilities in Remote Desktop Services, all of which could lead to system compromise and significant security breaches. Below is an overview of the vulnerabilities:

CVE-2024-49132, CVE-2024-49115, CVE-2024-49108, CVE-2024-49106, CVE-2024-49128

Weaknesses:

  • CWE-591: Sensitive Data Storage in Improperly Locked Memory
  • CWE-416: Use After Free

Summary:
Exploitable through malformed data, these vulnerabilities trigger a use-after-free condition in improperly locked memory, resulting in remote code execution on the gateway.

Key Details:

  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None

CVE-2024-49123

Weakness:
CWE-591: Sensitive Data Storage in Improperly Locked Memory

Summary:
Improperly secured memory can expose sensitive data or allow manipulation during RDP sessions, leading to remote code execution.

Key Details:

  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None

CVE-2024-49120

Weakness:
CWE-453: Insecure Default Variable Initialization

Summary:
Exploitable during runtime, inadequately initialized variables can alter the application’s execution flow.

Key Details:

  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None

CVE-2024-49119

Weakness:
CWE-843: Access of Resource Using Incompatible Type (‘Type Confusion’)

Summary:
Improper resource handling during RDP sessions allows attackers to induce errors and execute code.

Key Details:

  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None

CVE-2024-49116

Weakness:
CWE-416: Use After Free

Summary:
Similar to CVE-2024-49132 and CVE-2024-49128, involving use-after-free weaknesses leading to code execution.

Key Details:

  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None

Key Observations:

  • Critical Impact: All vulnerabilities enable remote code execution, allowing attackers to execute arbitrary code remotely without physical access.
  • High Complexity: While exploitation requires precise conditions, such as winning race conditions, these vulnerabilities remain a risk in unprotected environments.
  • No Privileges Required: Attackers do not need elevated access, making these vulnerabilities highly appealing.
  • Mitigating Factors: Currently, none of the vulnerabilities are publicly disclosed or exploited in the wild, and their complexity reduces the likelihood of exploitation.

Systemic Concerns with RDP:

These vulnerabilities underscore persistent issues in RDP components, including memory management, timing, and operational handling. While CWE-416 and CWE-591 dominate, vulnerabilities like CWE-453 and CWE-843 highlight varied root causes, showing attackers can exploit different facets of RDP services.

Organizations should avoid exposing RDP services to the global internet and implement robust security controls to mitigate risks. These flaws further prove the dangers of leaving RDP open and unprotected.

Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability (CVE-2024-49112)

CVE-2024-49112 is a critical remote code execution (RCE) vulnerability in the Windows Lightweight Directory Access Protocol (LDAP) service. The weakness stems from an Integer Overflow or Wraparound (CWE-190), where improper integer arithmetic handling could allow attackers to manipulate memory allocations during LDAP operations. Windows Server systems acting as domain controllers (DCs) are especially at risk, given their crucial role in managing directory services.

Key Details:

  • Severity: Critical (CVSS base score: 9.8)
  • Potential Impact: Full system compromise through arbitrary code execution with elevated privileges.
  • Attack Vector: Network-based, enabling remote exploitation without physical proximity.
  • Attack Complexity: Low, making the vulnerability relatively easy to exploit.
  • Privileges Required: None, requiring no prior authentication or access.
  • User Interaction: None, simplifying the attack further.
  • Exploitability: Not publicly disclosed or actively exploited in the wild at the time of reporting, with exploitation assessed as less likely.

Risks:

Exploitation could lead to severe operational disruptions and data breaches, particularly in environments leveraging LDAP for access and authentication. The vulnerability could also be chained with other flaws, such as privilege escalation or lateral movement vulnerabilities, enabling more complex and widespread attacks. For example, an attacker could use another exploit to plant malicious payloads and then propagate the attack via LDAP RCE across networked systems.

At-Risk Environments:

Organizations with public-facing domain controllers or insufficiently segmented networks are especially vulnerable. Given the widespread use of Windows Server for directory and identity management, this vulnerability poses risks to enterprises of all sizes globally, from small businesses to large corporations.

CVE-2024-49112 represents a critical security concern for organizations relying on Windows Server. Immediate mitigations and the application of patches from Microsoft are essential to protect against potential exploitation and its far-reaching consequences.

Google Chrome

Version 131 of Google Chrome addresses 12 security vulnerabilities, many of which were identified through automated testing tools such as AddressSanitizer, MemorySanitizer, Control Flow Integrity, LibFuzzer, and AFL.

One vulnerability, rated as high severity, involves a flaw in the Blink engine’s code for handling browser extensions. However, no critical issues were identified that could bypass all layers of browser protection and execute code outside the sandbox environment.

As part of its bounty program, Google has awarded eight $1,000 bounties for vulnerabilities addressed in this release, with the amounts for seven additional rewards yet to be determined.

Mozilla Firefox

Version 133 of Firefox resolves 18 security vulnerabilities, including three rated as critical. Four of the vulnerabilities are related to memory handling issues, such as buffer overflows and use-after-free errors, which could allow attackers to execute malicious code by tricking users into opening specially crafted web pages.

Key vulnerabilities include:

  • CVE-2024-11691: An out-of-bounds write affecting Apple GPU drivers via WebGL, specific to Apple M-Series silicon. This flaw could lead to memory corruption, enabling attackers to execute arbitrary code with elevated privileges, potentially compromising the entire system.
  • CVE-2024-11699: Memory corruption vulnerabilities found in Firefox 133, Firefox ESR 128.5, and Thunderbird 128.5. These bugs pose a significant risk as they may allow attackers to execute unauthorized code, potentially leading to system compromise, privilege escalation, or data theft.
  • CVE-2024-11703: A vulnerability allowing password access without proper PIN authentication on Android devices. This issue undermines basic security measures, granting unauthorized access to sensitive user credentials and potentially facilitating further attacks on accounts and systems relying on password protection.

MiCollab

WatchTowr researchers have identified a zero-day vulnerability enabling arbitrary file reads on Mitel’s MiCollab VoIP platform. Currently, the issue has no assigned CVE or patch. The zero-day was uncovered through path traversal and input manipulation techniques during investigations into two prior vulnerabilities: CVE-2024-35286, a SQL injection issue patched on May 23, and CVE-2024-41713, an authentication bypass issue resolved on October 9.

After notifying Mitel and waiting over 100 days, WatchTowr published details and a proof-of-concept (PoC) linking this zero-day to CVE-2024-41713. Organizations running any of the 16,000+ exposed MiCollab instances are advised to upgrade to MiCollab 9.8 SP2 (9.8.2.12), which addresses CVE-2024-41713 and mitigates the risk of arbitrary file reads.

Cisco

Cisco has released a security update for NX-OS to address a critical vulnerability, CVE-2024-20397, discovered by Google Cloud researchers. This vulnerability stems from insecure bootloader settings that allow attackers to bypass firmware image verification by executing specific commands, enabling the installation of unverified software. While no authentication is required to exploit this vulnerability, physical access to the device is necessary.

The issue affects over 100 device models, including the MDS 9000 series switches, Nexus 3000, Nexus 7000, Nexus 9000 (both in ACI mode and NX-OS standalone mode), and UCS 6400 and 6500.

Veeam

Veeam has released security updates to address several vulnerabilities, including a critical flaw in the Veeam Service Provider Console (VSPC). VSPC is a remotely managed platform for BaaS (Backup as a Service) and DRaaS (Disaster Recovery as a Service), designed to monitor the health and security of backups and manage Veeam-protected virtual assets.

The critical vulnerability, tracked as CVE-2024-42448, has a CVSS score of 9.9 out of 10. Discovered during internal testing, this flaw allows remote code execution (RCE) on a VSPC server machine from a management agent machine.

Additionally, Veeam addressed a high-severity vulnerability, CVE-2024-42449, which enables attackers to steal the NTLM hash of a VSPC server service account and use it to delete files on the server. Both vulnerabilities require the management agent to be authorized on the target server for exploitation.

The vulnerabilities affect VSPC version 8.1.0.21377 and all earlier versions, including builds 8 and 7. Unsupported versions are also likely vulnerable and should be considered at risk even if not explicitly tested. Veeam strongly urges service providers using supported versions of VSPC (7 and 8) to upgrade to the latest cumulative patch. For unsupported versions, upgrading to the most recent available version is essential.

Given the recent large-scale exploitation of Veeam vulnerabilities, immediate action is critical.

Zabbix

Zabbix has issued a warning about a critical vulnerability in its open-source enterprise network monitoring solution that could allow attackers to inject arbitrary SQL queries, compromising data and systems.

The vulnerability, tracked as CVE-2024-42327, has a CVSS score of 9.9 and exists in the CUser class, specifically in the addRelatedObjects function, which is invoked by the CUser.get function. It can be exploited by any user with API access, including non-administrative accounts with default or API-enabled roles. Qualys researchers note that exploitation could enable attackers to escalate privileges and take full control of vulnerable Zabbix servers, with over 83,000 exposed on the internet.

The vulnerability affects Zabbix versions 6.0.0.0–6.0.31, 6.4.0–6.4.16, and 7.0.0. Fixes are included in versions 6.0.32rc1, 6.4.17rc1, and 7.0.1rc1.

The patched releases also address:

  • CVE-2024-36466 (CVSS 8.8): An authentication bypass flaw that could allow attackers to sign a fake zbx_session cookie and log in with administrator privileges.
  • CVE-2024-36462: A resource consumption vulnerability that could enable a denial-of-service (DoS) attack.

While there is no indication these vulnerabilities are being actively exploited, users are strongly advised to update to the patched versions immediately to mitigate potential risks.

WordPress

Defiant has issued a warning about two critical vulnerabilities in the CleanTalk anti-spam plugin for WordPress, which could allow unauthenticated attackers to remotely execute arbitrary code, potentially impacting over 200,000 websites. These vulnerabilities, tracked as CVE-2024-10542 and CVE-2024-10781, both have a CVSS score of 9.8.

Both issues enable remote attackers to activate arbitrary plugins, including vulnerable ones that could facilitate remote code execution (RCE). CVE-2024-10542 is an authorization bypass flaw affecting the plugin’s remote call handling and installation functions. The vulnerability arises from token authorization, which can be bypassed due to weaknesses in verifying the source IP address and domain name. Attackers can spoof IP and DNS details to gain unauthorized access, allowing them to install, enable, disable, or uninstall plugins.

The second vulnerability, CVE-2024-10781, involves a separate method of bypassing token authorization. If the plugin lacks an API key configuration, attackers can authorize a token by matching an empty hash value. Exploiting this flaw allows attackers to install and activate arbitrary plugins, subsequently leveraging them for RCE.
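The empty-key failure mode described for CVE-2024-10781, as an added example that is not CleanTalk's code: a constructed token check derived from a site API key, shown in a weak form and a fail-closed form. The function names and the use of SHA-256 are assumptions made for illustration.

```python
"""Constructed model of a token check derived from a site API key.

Not CleanTalk's code: the function names and SHA-256 are assumptions
used to illustrate the empty-key failure mode.
"""
import hashlib
import hmac


def expected_token(api_key: str) -> str:
    """Token the server expects: a hash of the configured API key."""
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()


def authorize_weak(token: str, api_key: str) -> bool:
    """Flawed check: never asks whether a key was configured at all.

    With api_key == "" the expected token is the hash of the empty
    string, a public constant that any caller can compute.
    """
    return token == expected_token(api_key)


def authorize_hardened(token: str, api_key: str) -> bool:
    """Fail closed when no key is configured; compare in constant time."""
    if not api_key or not api_key.strip():
        return False  # unconfigured install: no token is acceptable
    if not token:
        return False
    return hmac.compare_digest(
        token.encode("utf-8"), expected_token(api_key).encode("utf-8")
    )


def demo() -> dict:
    """Run both checks against constructed inputs."""
    empty_hash = hashlib.sha256(b"").hexdigest()
    configured_key = "constructed-sample-key"  # sample value, not a real key
    return {
        # No API key configured, caller presents the hash of "".
        "weak_unconfigured": authorize_weak(empty_hash, ""),
        "hardened_unconfigured": authorize_hardened(empty_hash, ""),
        # Key configured: the right token passes, the empty hash does not.
        "hardened_valid": authorize_hardened(
            expected_token(configured_key), configured_key
        ),
        "hardened_wrong": authorize_hardened(empty_hash, configured_key),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The same review question applies to any check that derives a secret from configuration: what does it accept when the configuration value is missing or empty.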

CVE-2024-10542 was patched on November 1 with the release of version 6.44. However, this version remained vulnerable to CVE-2024-10781. A subsequent update, version 6.45, addressing both vulnerabilities, was released on November 14. Despite these fixes, WordPress data indicates that nearly half of all active plugin installations have not yet been updated.

Users are strongly urged to upgrade to version 6.45 immediately to protect their sites from potential exploitation.

7-Zip

The 7-Zip project has released a security update addressing a remote code execution vulnerability in its popular file archiver. Tracked as CVE-2024-11477 and assigned a CVSS score of 7.8, this vulnerability allows remote attackers to execute arbitrary code on affected 7-Zip installations. Exploitation requires interaction with the library, with attack vectors varying based on its implementation.

The vulnerability lies in the Zstandard decompression implementation and stems from insufficient validation of user-provided data, leading to an integer overflow before writing to memory. This flaw enables attackers to execute code within the context of the current process.

The issue was discovered by Nicholas Zubriski of Trend Micro Security Research and reported to the vendor on June 12, 2024. The fix is included in 7-Zip version 24.07, and users are advised to update immediately to mitigate the risk.

Linux

Qualys researchers have uncovered five decade-old local privilege escalation (LPE) vulnerabilities in the needrestart Linux utility, a critical tool for managing reboots in Ubuntu Linux. The vulnerabilities, tracked as CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, CVE-2024-10224, and CVE-2024-11003, first appeared in needrestart version 0.8, released in April 2014, and were only recently patched in version 3.8. These flaws allow attackers with local access to a vulnerable Linux system to escalate their privileges to root without user interaction.

Key vulnerabilities include:

  • CVE-2024-48990: Needrestart runs the Python interpreter with the PYTHONPATH environment variable extracted from running processes. If controlled by an attacker, this variable can inject a malicious shared library to execute arbitrary code as root during Python initialization.
  • CVE-2024-48992: The Ruby interpreter used by needrestart processes the RUBYLIB environment variable, which an attacker can manipulate to execute arbitrary Ruby code as root, injecting malicious libraries into the process.
  • CVE-2024-48991: A race condition in needrestart allows attackers to replace a scanned Python interpreter binary with a malicious executable. With precise timing, the attacker can execute their code as root.
  • CVE-2024-10224: The Perl ScanDeps module does not properly handle filenames provided by an attacker. Malicious filenames resembling shell commands (e.g., command|) can be used to execute arbitrary commands as root when opened.
  • CVE-2024-11003: An insecure use of the eval() function in the Perl ScanDeps module can allow arbitrary code execution while processing input controlled by an attacker.

While local access is required to exploit these vulnerabilities, similar Linux root vulnerabilities, such as Loony Tunables and nf_tables, have been exploited in the past. These flaws pose a significant risk, particularly on critical systems where privilege escalation could have severe consequences.

Users are strongly advised to upgrade to needrestart version 3.8 or later, which includes patches for all identified vulnerabilities. Additionally, modifying needrestart.conf to disable interpreter scanning can further reduce exploitation risks. Given the critical nature of these flaws, immediate action is recommended to secure affected systems.
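One way to check a host against the two recommendations above, as an added example that is not part of needrestart or the original digest. It assumes interpreter scanning is disabled with the line `$nrconf{interpscan} = 0;` in needrestart.conf and that the version string is an upstream one such as "3.7"; the sample configuration text is constructed.

```python
"""Audit needrestart version and interpreter-scanning setting.

Added example. Assumes `$nrconf{interpscan} = 0;` is the setting that
disables interpreter scanning and that versions are upstream strings.
"""
import re

FIXED_VERSION = (3, 8)  # fixed release named in the digest

# An uncommented `$nrconf{interpscan} = <value>;` line.
_INTERPSCAN = re.compile(
    r"^[ \t]*\$nrconf\{interpscan\}[ \t]*=[ \t]*([^;#]+?)[ \t]*;", re.MULTILINE
)

# Constructed sample configs (not copied from a real host).
SAMPLE_DEFAULT = """\
# Restart mode: (l)ist only, (i)nteractive or (a)utomatically.
#$nrconf{restart} = 'i';
# Enable/disable interpreter scanners.
#$nrconf{interpscan} = 1;
"""
SAMPLE_MITIGATED = SAMPLE_DEFAULT + "$nrconf{interpscan} = 0;\n"


def parse_version(text: str) -> tuple:
    """Return (major, minor) from the leading 'N.N' of a version string."""
    match = re.match(r"\s*(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"unrecognised version: {text!r}")
    return int(match.group(1)), int(match.group(2))


def interpscan_disabled(conf_text: str) -> bool:
    """True only if the last active assignment sets interpscan to 0.

    Commented-out lines are ignored, so a config that only carries the
    commented default is reported as not disabled.
    """
    values = _INTERPSCAN.findall(conf_text)
    return bool(values) and values[-1].strip("'\"") == "0"


def audit(version: str, conf_text: str) -> dict:
    """Classify a host as patched, mitigated-unpatched or exposed."""
    patched = parse_version(version) >= FIXED_VERSION
    mitigated = interpscan_disabled(conf_text)
    if patched:
        status = "patched"
    elif mitigated:
        status = "mitigated-unpatched"  # upgrade is still required
    else:
        status = "exposed"
    return {"patched": patched, "interpscan_disabled": mitigated, "status": status}


if __name__ == "__main__":
    for ver, conf in (("3.7", SAMPLE_DEFAULT), ("3.7", SAMPLE_MITIGATED),
                      ("3.8", SAMPLE_DEFAULT)):
        print(ver, audit(ver, conf))
```

Distribution packages can carry backported fixes under an older upstream version number, so a "not patched" result from the version comparison should be confirmed against the distribution's own advisory.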

Citrix

Researchers at WatchTowr Labs have disclosed vulnerabilities in Citrix Virtual Apps and Desktops that allow unauthenticated remote code execution (RCE). These vulnerabilities exploit deserialization flaws in a session recording component used by Citrix administrators for auditing and troubleshooting virtual desktop sessions. The exploit leverages an exposed MSMQ instance with misconfigured permissions and a BinaryFormatter accessible from any host over HTTP to achieve RCE.

The vulnerabilities are tracked as:

  • CVE-2024-8068: (CVSS 5.1) Privilege escalation granting access to the NetworkService account.
  • CVE-2024-8069: (CVSS 5.1) Limited RCE with privileges to access the NetworkService account.

Exploitation requires sending an HTTP payload to a misconfigured Citrix endpoint handling session recording. Citrix claims that successful exploitation requires the attacker to be an authenticated user in the same Windows Active Directory domain and intranet as the session recording server. However, WatchTowr asserts the attack can be performed without authentication, contradicting Citrix’s assessment.

Citrix has released patches for these vulnerabilities but did so quietly, reportedly without notifying researchers. The vendor assigned them medium severity with a CVSS score of 5.1, despite WatchTowr and other experts describing the vulnerabilities as a “point-and-click full takeover.”

A proof-of-concept (PoC) exploit has been published on GitHub. The Shadowserver Foundation has already detected and is monitoring exploitation attempts, while SANS ISC reports active exploitation, suggesting the vulnerabilities are far more severe than Citrix’s rating implies. Citrix released patches only after PoCs surfaced and attackers began targeting the flaws.

Given the potential for complete system compromise, users are strongly advised to apply the patches immediately and review Citrix’s session recording configurations to mitigate further risks.

Apple

Apple has released emergency security updates to address two actively exploited zero-day vulnerabilities affecting Intel-based Mac systems. These critical vulnerabilities were identified in macOS components JavaScriptCore and WebKit and are tracked as CVE-2024-44308 and CVE-2024-44309, respectively.

  • CVE-2024-44308: A flaw in JavaScriptCore that allows attackers to execute remote code via malicious web content. Apple resolved this issue by implementing improved validation checks.
  • CVE-2024-44309: A vulnerability in WebKit that enables cross-site scripting (XSS) attacks by processing malicious web content. Apple addressed this with enhanced state management for cookie handling.

The vulnerabilities have been patched in macOS Sequoia 15.1.1. Since similar components are shared across Apple’s ecosystem, updates have also been issued for iOS 17.7.2 and iPadOS 17.7.2, iOS 18.1.1 and iPadOS 18.1.1, and visionOS 2.1.1.

These zero-days were discovered by Google’s Threat Analysis Group (TAG) and are believed to have been exploited by spyware developers and operators. While Apple has not provided detailed commentary, the practical risks of these vulnerabilities underline their urgency.

As of 2024, Apple has patched six zero-day vulnerabilities, a significant decrease compared to the 20 addressed in the previous year. Unless a major new threat actor or exploit campaign emerges, such as the notable “Operation Triangulation,” the current trend appears to indicate a reduced frequency of zero-day exploits.

Palo Alto

Palo Alto Networks has disclosed exploitable vulnerabilities in its firewalls, including two zero-days actively targeted in a campaign dubbed Operation Lunar Peek.

Key Vulnerabilities:

  • CVE-2024-0012: A critical authentication bypass vulnerability in the web-based firewall management interface. This zero-day allows unauthorized attackers to gain administrative privileges without authentication, enabling them to perform administrative actions, alter configurations, and exploit other vulnerabilities, such as privilege escalation flaws.
  • CVE-2024-9474: A medium-severity privilege escalation vulnerability that allows attackers with administrative access to elevate their privileges to root on the firewall.

The vulnerabilities have been exploited in attacks targeting a limited number of web-based management interfaces exposed externally through anonymous VPN services. Palo Alto confirmed that one of the exploits was initially posted on a hacker forum earlier this month. To mitigate risks, the company recommends restricting access to the management interface to trusted IP addresses. Despite this guidance, between 9,000 and 31,000 firewalls remain exposed online, depending on the scanning service.

Palo Alto has shared a list of IP addresses used in exploitation attempts and the hash of a PHP web shell payload installed on compromised devices. However, the company has not attributed the attacks to a specific threat actor.

Palo Alto has released updates addressing these vulnerabilities for PAN-OS versions 11.2, 11.1, 11.0, 10.2, and 10.1. Customers are urged to apply these patches immediately to secure their systems.

Palo Alto has provided IoCs, including IP addresses and the hash of the web shell used in the attacks, to assist organizations in identifying potential compromises.

VMware

VMware is warning customers about active exploitation of the critical zero-day vulnerability CVE-2024-38812 in vCenter Server, categorized by the vendor as “Hard-to-Fix.” The company has updated its VMSA-2024-0019 bulletin to confirm attacks targeting both CVE-2024-38812 and CVE-2024-38813 and urges customers to prioritize applying the available patches.

CVE-2024-38812, discovered during the Matrix Cup 2024 hacking competition, has a CVSS score of 9.8/10. It is a heap overflow in the distributed computing environment/remote procedure call protocol (DCERPC) implementation of vCenter Server. An attacker with network access to vCenter Server could exploit this vulnerability by sending a specially crafted network packet, potentially achieving remote code execution (RCE).

Patching Efforts:

VMware has been working on resolving this issue for months. While patches released on September 17, 2024, partially addressed the vulnerability, they did not fully mitigate its impact. The company has since released updated fixes:

  • vCenter Server 8.0 U3b
  • vCenter Server 7.0 U3s
  • VMware Cloud Foundation 5.x (fixed in 8.0 U3b)
  • VMware Cloud Foundation 4.x (fixed in 7.0 U3s)

Although VMware has not shared additional details about the exploits or indicators of compromise (IoCs), customers are strongly advised to apply the patches immediately to protect their systems from potential attacks.

Ivanti

Ivanti has released updates addressing over 50 vulnerabilities across several products, including Endpoint Manager, Avalanche, Connect Secure, Policy Secure, and Secure Access Client. Among these, eight are critical, with the most severe tracked as CVE-2024-38655, CVE-2024-38656, CVE-2024-39710 through CVE-2024-39712, and CVE-2024-11005 through CVE-2024-11007. These flaws involve argument and command injection, allowing authenticated attackers to execute remote code (RCE).

Key Updates and Fixes:

  • Connect Secure and Policy Secure:
    The critical vulnerabilities have been patched in Connect Secure version 22.7R2.3 and Policy Secure version 22.7R1.2, which also address eight high-severity and two moderate-severity bugs leading to elevation of privilege (EoP), denial of service (DoS), and RCE.
  • Secure Access Client:
    This update includes fixes for five high-severity and two medium-severity vulnerabilities that could allow EoP, manipulation of sensitive configuration files, arbitrary folder creation, and DoS conditions. Secure Access Client version 22.7R4 resolves seven of these issues.
  • Endpoint Manager:
    Endpoint Manager patches a significant number of vulnerabilities, including the critical CVE-2024-50330, which has a CVSS score of 9.8. Discovered by ZDI, this vulnerability could be remotely exploited without authentication for RCE. The Endpoint Manager 2024 November Security Update and 2022 SU6 November Security Update address 17 high-severity RCE vulnerabilities in addition to the 17 already mentioned.
  • Avalanche:
    Ivanti has also patched six high-severity vulnerabilities in Avalanche, which could allow unauthenticated attackers to cause DoS conditions or read sensitive information in memory. Despite the severity, Ivanti has stated that it has no evidence of these vulnerabilities being exploited.

Ivanti urges users to apply the latest updates immediately to mitigate these risks, given the critical nature of the vulnerabilities and their potential for exploitation.

How To Efficiently Patch All of These Vulnerabilities And More

Want to learn about newly released updates as soon as they are available? With Action1, you can — as well as streamline the entire patch management process, from identifying missing updates to compliance reporting, across both Windows OS and third-party software.
