
Akamai’s Perspective on December’s Patch Tuesday 2024

This month, there are 71 total CVEs across 32 different components. Of those CVEs, 17 are critical and one was seen in the wild.

What’s the point of Advent calendars? Give us everything all at once and right now. And by everything, we mean CVEs. This month, there are 71 total CVEs across 32 different components. Of those CVEs, 17 are critical and one was seen in the wild.

In this blog post, we’ll assess how critical the vulnerabilities are, and how commonplace the affected applications and services are, to provide you with a realistic perspective on the bugs that were fixed. Be on the lookout for these insights in the days after every Patch Tuesday.

This is an ongoing report and we’ll add more information to it as our research progresses — stay tuned!

This month, we’re focusing on the following areas in which bugs were patched:

Windows Common Log File System Driver

The Common Log File System is an API in Windows that provides high-performance logging capabilities. To interact with it, developers and programs rely on the Clfsw32.dll DLL file, which is a user-mode component. Behind the scenes, however, the logic is implemented in a kernel driver — clfs.sys. The vulnerabilities that were patched this month are probably in this kernel driver.

This is worth noting because attackers might be able to use this legitimate driver as a privilege escalation technique even on a patched system, via a Bring Your Own Vulnerable Driver (BYOVD) attack.

There are three CVEs — all local privilege escalations. Only one of them, CVE-2024-49138, was detected in the wild.

| CVE number | Effect |
|---|---|
| CVE-2024-49138 | Elevation of privilege |
| CVE-2024-49090 | Elevation of privilege |
| CVE-2024-49088 | Elevation of privilege |

Windows Lightweight Directory Access Protocol (LDAP)

The Lightweight Directory Access Protocol (LDAP) is an open, standardized protocol for connecting to and querying directory services and databases. Active Directory’s domain controller includes an LDAP server implementation so that existing programs and servers that rely on LDAP can use the domain controller directly, without requiring a separate server.

This month, there are four vulnerabilities in the LDAP service that affect unpatched domain controllers. Two are remote code execution (RCE) vulnerabilities and two are denial-of-service (DoS) vulnerabilities. None of the four require any authentication.

| CVE number | Effect |
|---|---|
| CVE-2024-49112 | Remote code execution |
| CVE-2024-49127 | Remote code execution |
| CVE-2024-49121 | Denial of service |
| CVE-2024-49113 | Denial of service |

There is also another RCE vulnerability, CVE-2024-49124, attributed to the LDAP client. However, its notes refer to exploitation on the server side. It’s unclear whether it’s for the client or the server at this time.

We can’t patch our domain controller and risk downtime. Can the vulnerabilities be mitigated elsewhere?

Not really. Since the domain controller is integral to all parts of the domain, it is practically impossible to restrict access to it without compromising normal network operations. Even detecting exploitation attempts might be difficult, since the vulnerabilities don’t require authentication, so there is no logon trail to follow. Incident response teams can be on the lookout for short-lived LDAP sessions that don’t get a reply from the server; this might indicate an exploitation attempt.

In any case, ensure that the domain controllers are not open to the internet.
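The hunt described above (short-lived LDAP sessions with no reply from the domain controller) can be run over connection telemetry. The following PowerShell is an added example, not code from the Akamai post: it uses a constructed, NetFlow-style CSV of flow records (field names, addresses and the two-second threshold are all assumptions, not something the post specifies) and reports sources that repeatedly open LDAP, LDAPS or Global Catalog connections without receiving any bytes back.

```powershell
# Added example (not from the Akamai post): flag short-lived LDAP sessions that
# never received a reply from the domain controller. The flow records below are
# constructed for illustration; the column names are an assumption about how
# your own flow export looks and will need mapping to your telemetry.
$ldapPorts = 389, 636, 3268, 3269   # LDAP, LDAPS, Global Catalog, GC over TLS

# Constructed sample: a normal LDAP session, a healthy LDAPS session, two
# connections from one host with zero bytes returned by the DC, and an unrelated SMB flow.
$flows = @'
start,end,src,dst,dport,proto,bytes_to_server,bytes_from_server
2024-12-10T09:00:00Z,2024-12-10T09:00:02Z,10.1.1.50,10.1.0.10,389,tcp,2310,18422
2024-12-10T09:00:05Z,2024-12-10T09:00:09Z,10.1.1.51,10.1.0.10,636,tcp,5120,9000
2024-12-10T09:01:00Z,2024-12-10T09:01:00Z,203.0.113.7,10.1.0.10,389,tcp,1460,0
2024-12-10T09:01:01Z,2024-12-10T09:01:01Z,203.0.113.7,10.1.0.10,389,tcp,1460,0
2024-12-10T09:02:00Z,2024-12-10T09:02:30Z,10.1.1.52,10.1.0.10,445,tcp,800,6400
'@ | ConvertFrom-Csv

function Find-SuspiciousLdapSessions {
    param(
        [Parameter(Mandatory)] $Flows,
        [int] $MaxSeconds = 2,     # what counts as "short-lived" (assumed threshold)
        [int] $MinRepeats = 1      # raise to cut noise from one-off timeouts
    )
    $Flows |
        # Only TCP flows to an LDAP-family port on the DC
        Where-Object { [int]$_.dport -in $ldapPorts -and $_.proto -eq 'tcp' } |
        # Short session and not a single byte back from the server
        Where-Object {
            $duration = ([datetime]$_.end - [datetime]$_.start).TotalSeconds
            $duration -le $MaxSeconds -and [long]$_.bytes_from_server -eq 0
        } |
        # Aggregate per source/controller pair so repeated attempts stand out
        Group-Object src, dst |
        Where-Object { $_.Count -ge $MinRepeats } |
        ForEach-Object {
            [pscustomobject]@{
                Source     = $_.Group[0].src
                Controller = $_.Group[0].dst
                Attempts   = $_.Count
                FirstSeen  = ($_.Group | Sort-Object start)[0].start
                Ports      = ($_.Group.dport | Sort-Object -Unique) -join ','
            }
        }
}

# With the constructed sample this reports 203.0.113.7 -> 10.1.0.10 with 2 attempts.
Find-SuspiciousLdapSessions -Flows $flows | Format-Table -AutoSize
```

A domain controller that is overloaded or mid-crash also produces zero-reply sessions, so treat a hit as a lead to correlate with DC health and with the source host’s other activity, not as a verdict; raising `-MinRepeats` to match your baseline keeps ordinary client timeouts out of the output.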

Windows Remote Desktop Services

Windows Remote Desktop is used for remote desktop connection between Windows machines, over the Remote Desktop Protocol (RDP). There are multiple vulnerabilities this month across different components of Windows Remote Desktop, so we’ll discuss them all together.

The main ones are, of course, the nine critical RCE vulnerabilities on the remote desktop server. An attacker “only” needs to connect to an RDP server, spam it with malformed packets, and win a race condition, which can then be leveraged for an RCE.

As RDP is very common in networks and can be used for lateral movement, we recommend creating policy rules that cover it. In our observations, 96% of networks had Windows RDP traffic, and 20% of networks had no restrictions on parts of that traffic. The silver lining here is that most CVEs refer specifically to servers with the Remote Desktop Gateway role, despite being titled as affecting all Windows Remote Desktop services. Remote Desktop Gateways are less common, and in our observation only 36% of environments had those.

Restricting RDP access to user machines, or only to pre-authorized servers (like jump boxes), can greatly reduce the risk presented by these vulnerabilities. We covered some quick wins regarding RDP in our segmentation blog post. Regardless of policy, we recommend you patch as soon as possible.

Microsoft Message Queuing (MSMQ)

The Microsoft Message Queuing (MSMQ) service is an optional feature in Windows that is used to deliver messages among different applications. Despite being optional, it is used behind the scenes by many enterprise applications for Windows, such as Microsoft Exchange Server. In our observations, we found the service installed in nearly 70% of environments, usually on more than one machine.

This month, there are two critical network RCE vulnerabilities, which can allow attackers to execute code remotely by sending a specifically crafted packet to the victim MSMQ server — no authentication required. There’s also another DoS vulnerability.

Since the MSMQ service is accessible over port 1801, but isn’t often accessed by very many clients (since it’s mostly used by the enterprise application itself), we recommend restricting arbitrary network access to that port and service. Try to segment the service using allowlist policies, enabling access only to the machines that actually need it. You can refer to our segmentation blog post, specifically to the application ringfencing and microsegmentation sections, for more information.
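Both the RDP recommendation above (allow access only from pre-authorized hosts such as jump boxes) and the MSMQ recommendation here (allowlist the machines that actually need port 1801) come down to the same host-level control. The PowerShell below is an added example, not code from the Akamai post or from Microsoft: it builds an allowlist-only inbound rule for a service port with Windows Defender Firewall. The rule names, the function name and the addresses are placeholders I chose for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Akamai post): expose a service port only to an
# allowlist of remote hosts using the built-in Windows Defender Firewall cmdlets.
# Note on evaluation order: Windows Firewall lets a matching Block rule win over a
# matching Allow rule, so an "allow from list" plus "block from anyone" pair would
# block the list too. The correct shape is: default inbound action = Block, no broad
# allow rule left for the port, and one Allow rule scoped by -RemoteAddress.
function Set-ServiceAllowlist {
    param(
        [Parameter(Mandatory)] [string]   $Service,       # label used in the rule name
        [Parameter(Mandatory)] [int]      $Port,          # TCP port the service listens on
        [Parameter(Mandatory)] [string[]] $AllowedHosts   # IPs or CIDR ranges permitted to connect
    )
    $ruleName = "Allow $Service ($Port/TCP) from allowlist only"

    # 1. Unmatched inbound connections must fall through to Block, otherwise a
    #    scoped Allow rule changes nothing for hosts outside the list.
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

    # 2. Disable any enabled inbound Allow rule for this exact TCP port that is open
    #    to any remote address (e.g. the built-in "Remote Desktop" or MSMQ rules),
    #    since it would re-open the port to everyone.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object { $_.DisplayName -ne $ruleName } |
        Where-Object {
            $portFilter = $_ | Get-NetFirewallPortFilter
            $addrFilter = $_ | Get-NetFirewallAddressFilter
            $portFilter.Protocol -eq 'TCP' -and
            $portFilter.LocalPort -eq $Port -and
            $addrFilter.RemoteAddress -eq 'Any'
        } |
        ForEach-Object {
            Write-Host "Disabling broad rule: $($_.DisplayName)"
            $_ | Disable-NetFirewallRule
        }

    # 3. (Re)create the single scoped Allow rule. Remove any previous copy first so
    #    the function can be re-run after the allowlist changes.
    Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Allow -Enabled True `
        -Protocol TCP -LocalPort $Port -RemoteAddress $AllowedHosts -Profile Any | Out-Null
    Write-Host "$Service/$Port now reachable only from: $($AllowedHosts -join ', ')"
}

# MSMQ (port 1801) reachable only from the application servers that use it (placeholder addresses).
Set-ServiceAllowlist -Service 'MSMQ' -Port 1801 -AllowedHosts @('10.10.20.0/24', '10.10.30.5')
# RDP reachable only from the jump boxes (placeholder addresses).
Set-ServiceAllowlist -Service 'RDP'  -Port 3389 -AllowedHosts @('10.0.5.10', '10.0.5.11')
```

On domain-joined machines a firewall GPO can merge with or override local rules, so the same three steps should be expressed in Group Policy for fleet-wide enforcement; the local script is useful for a single server or for validating the intended state before rolling it out.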

| CVE number | Effect |
|---|---|
| CVE-2024-49118 | Remote code execution |
| CVE-2024-49122 | Remote code execution |
| CVE-2024-49096 | Denial of service |

Windows Local Security Authority Subsystem Service (LSASS)

The Local Security Authority Subsystem Service, or LSASS, is a core process of the Windows operating system. It’s running in user mode, but as a protected process, and it is responsible for handling access and security — namely user logon, password verification, and security token management.

A common tactic used by attackers and red teamers was to dump the process’s memory to get the user credentials stored within. Microsoft put a stop to that by adding more and more security mechanisms to the process, such as making it a protected process and, recently, also using Hyper-V to isolate it from the regular user mode. It is that important.

As the process responsible for logons, it is also always listening on some network components, namely in the form of RPC servers. This month’s critical RCE, CVE-2024-49126, revolves around one of those components: A race condition can allow a remote attacker to execute arbitrary code on the process without having to authenticate.

Previously covered services

Many CVEs in this month’s Patch Tuesday are for systems that we’ve already covered in the past. If you’re interested in our analysis of, or general recommendations for, those services, we encourage you to look at our previous perspectives on Patch Tuesday blog posts.

| Service | CVE number | Effect | Required access |
|---|---|---|---|
| Microsoft SharePoint | CVE-2024-49070 | Arbitrary code execution | Network; user needs to open malicious file |
| Microsoft SharePoint | CVE-2024-49068 | Elevation of privilege | Network |
| Microsoft SharePoint | CVE-2024-49064 | Information disclosure | Network |
| Microsoft SharePoint | CVE-2024-49062 | Information disclosure | Network |
| Windows Routing and Remote Access Service (RRAS) | CVE-2024-49085 | Remote code execution | Network |
| Windows Routing and Remote Access Service (RRAS) | CVE-2024-49086 | Remote code execution | Network |
| Windows Routing and Remote Access Service (RRAS) | CVE-2024-49089 | Remote code execution | Network |
| Windows Routing and Remote Access Service (RRAS) | CVE-2024-49102 | Remote code execution | Network |
| Windows Routing and Remote Access Service (RRAS) | CVE-2024-49104 | Remote code execution | Network |
| Windows Routing and Remote Access Service (RRAS) | CVE-2024-49125 | Remote code execution | Network |
| Windows Hyper-V | CVE-2024-49117 | Remote code execution | Local; guest-to-host |
| Windows Task Scheduler | CVE-2024-49072 | Elevation of privilege | Local |
| Windows Cloud Files Mini Filter Driver | CVE-2024-49114 | Elevation of privilege | Local |

This summary provides an overview of our current understanding and our recommendations given the information available. Our review is ongoing and any information herein is subject to change. You can also visit us on X, formerly known as Twitter, for real-time updates.