Dangerous CLFS and LDAP flaws stand out on Patch Tuesday

Microsoft has issued fixes for 71 Common Vulnerabilities and Exposures (CVEs) to mark the final Patch Tuesday of 2025, with a solitary zero-day that enables privilege elevation through the Windows Common Log File System Driver stealing the limelight.

Assigned designation CVE-2024-49138 and credited to CrowdStrike’s Advanced Research Team, the flaw stems from a heap-based buffer overflow in which improper bounds checking lets an attacker overwrite memory in the heap.

It is considered relatively trivial for an attacker to exploit in order to execute arbitrary code and gain system-level privileges, which could then be used to mount deeper and more impactful attacks, such as ransomware. Microsoft said it had observed CVE-2024-49138 being exploited in the wild.

“The CLFS driver is a core Windows component used by applications to write transaction logs,” said Mike Walters, president and co-founder of patch management specialist Action1.

“This vulnerability enables unauthorised privilege elevation by manipulating the driver’s memory management, culminating in system-level access – the highest privilege in Windows,” he said. “Attackers gaining system privileges can perform actions such as disabling security protections, exfiltrating sensitive data, or installing persistent backdoors.”

Walters explained that any Windows system dating back to 2008 that uses the standard CLFS component is vulnerable to this flaw, making it a potential headache across enterprise environments if not addressed quickly.

“The vulnerability is confirmed to be exploited in the wild and some information about the vulnerability has been publicly disclosed, but that disclosure may not include code samples,” said Ivanti vice-president of security products Chris Goettl. “The CVE is rated Important by Microsoft and has a CVSSv3.1 score of 7.8. Risk-based prioritisation would rate this vulnerability as Critical, which makes the Windows OS update this month your top priority.”

Critical problems

In a year that saw Microsoft push over 1,000 bug fixes across 12 months, the second-highest volume ever after 2020, as Dustin Childs of the Zero Day Initiative observed, December 2024 will stand out for a notably high volume of Critical vulnerabilities, 16 in total, and all, without exception, leading to remote code execution (RCE).

A total of nine of these vulnerabilities affect Windows Remote Desktop Services, while three are to be found in the Windows Lightweight Directory Access Protocol (LDAP), two in Windows Message Queuing (MSMQ), and one apiece in Windows Local Security Authority Subsystem Service (LSASS) and Windows Hyper-V.

Of these, it is CVE-2024-49112 in Windows LDAP that probably warrants the closest attention, carrying an extreme CVSS score of 9.8 and affecting all versions of Windows since Windows 7 and Server 2008 R2. Left unaddressed, it allows an unauthenticated attacker to achieve RCE on the underlying server.

LDAP is commonly seen on servers acting as Domain Controllers in a Windows network, and the service must be reachable by other servers and clients in the environment for the domain to function.

Low attack complexity

Immersive Labs principal security engineer Rob Reeves explained: “Microsoft … has indicated that the attack complexity is low and authentication is not required. Furthermore, they advise that exposure of this service either via the internet or to untrusted networks should be stopped immediately.

“An attacker can make a series of crafted calls to the LDAP service and gain access within the context of that service, which will be running with System privileges,” said Reeves.

“Because of the Domain Controller status of the machine account, it is assessed this will instantly allow the attacker to … get access to all credential hashes within the domain. It is also assessed that an attacker will only need to gain low privileged access to a Windows host within a domain or a foothold within the network in order to exploit this service – gaining complete control over the domain.”

Reeves told Computer Weekly that threat actors, particularly ransomware gangs, will be keenly trying to develop exploits for this flaw in the coming days, because taking complete control of a Domain Controller in an Active Directory environment can get them access to every Windows machine on that domain.

“Environments which make use of Windows networks using Domain Controllers should patch this vulnerability as a matter of urgency and ensure that Domain Controllers are actively monitored for signs of exploitation,” he warned.
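The advice above is to stop exposing the LDAP service to the internet or untrusted networks. The following PowerShell audit, added here as an example and not taken from the article or from Microsoft, checks a Domain Controller locally for LDAP, LDAPS and Global Catalog listeners and for enabled inbound firewall rules that allow those ports on the Public profile. It assumes it is run in an elevated session on the DC itself and that the relevant firewall rules use exact port numbers rather than ranges.

```powershell
# Added example (not from the article): local exposure audit for LDAP-related
# listeners on a Domain Controller. Run in an elevated PowerShell session.
$ldapPorts = @(389, 636, 3268, 3269)   # LDAP, LDAPS, Global Catalog, GC over SSL

# 1. Which LDAP-related ports are listening, and on which local addresses?
$listening = Get-NetTCPConnection -State Listen |
    Where-Object { $ldapPorts -contains $_.LocalPort } |
    Select-Object LocalAddress, LocalPort, OwningProcess
$listening | Format-Table -AutoSize

# 2. Which network profile is each active adapter in? A DC adapter placed in
#    the Public profile is a warning sign on its own.
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory | Format-Table -AutoSize

# 3. Enabled inbound allow rules that open an LDAP port on the Public profile
#    (or on "Any", which includes Public). Assumption: port filters hold exact
#    ports; a range such as "389-390" would not be matched by this check.
$exposed = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
    if ($rule.Profile -notmatch 'Public|Any') { continue }
    $portFilter = $rule | Get-NetFirewallPortFilter
    if ($portFilter.Protocol -ne 'TCP') { continue }
    foreach ($p in @($portFilter.LocalPort)) {
        if ($ldapPorts -contains [string]$p) {
            [pscustomobject]@{ Rule = $rule.DisplayName; Port = $p; Profile = $rule.Profile }
        }
    }
}

if ($exposed) {
    Write-Warning "Inbound allow rules open LDAP ports on the Public profile:"
    $exposed | Format-Table -AutoSize
} else {
    Write-Output "No enabled inbound allow rule opens an LDAP port on the Public profile."
}
```

A hit in step 3 does not by itself prove internet exposure, since upstream firewalls may still block the traffic; it identifies hosts where the host firewall is not providing that protection.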

And finally

One little-regarded bug also stands out this month: a flaw in Microsoft Muzic, tracked as CVE-2024-49063.

“The Microsoft Muzic AI project is an interesting one,” observed Ivanti’s Goettl. “CVE-2024-49063 is a remote code execution vulnerability in Microsoft Muzic. To resolve this, CVE developers would need to take the latest build from GitHub to update their implementation.”

The vulnerability stems from deserialisation of untrusted data, leading to remote code execution if an attacker can supply a malicious serialised payload that the application then processes.

For those unfamiliar with the project, Microsoft Muzic is an ongoing research project looking at understanding and generating music using artificial intelligence. Some of the project’s features include automatic lyric transcription, song-writing and lyric generation, accompaniment generation, and singing voice synthesis.
