Microsoft has released multiple patches for vulnerabilities covering a range of their products. These monthly releases are called “Patch Tuesday” and contain security fixes for Microsoft devices and software.
The CCB would like to draw your attention to the following vulnerabilities:
CVE-2024-49138: Windows Common Log File System Driver (0-Day, Actively exploited)
Elevation of Privileges Vulnerability. An attacker who successfully exploits this vulnerability could obtain SYSTEM privileges. It has been assigned a CVSSv3 score of 7.8 and is categorized as important. This vulnerability was actively exploited in the wild as a zero-day, although specific details about the exploitation remain unknown. Alongside CVE-2024-49138, Microsoft also addressed two other elevation of privilege (EoP) vulnerabilities in the CLFS driver: CVE-2024-49090 and CVE-2024-49088. Both vulnerabilities were assigned a CVSSv3 score of 7.8, rated as important, and assessed as “Exploitation More Likely.” Notably, this marks the ninth vulnerability in the Windows CLFS driver patched in 2024. Additionally, CVE-2024-49138 is the fifth actively exploited privilege escalation flaw in the CLFS driver since 2022. These types of privilege escalation vulnerabilities are often paired with code execution flaws to enable full system compromise. Such tactics are commonly seen in ransomware attacks and targeted phishing campaigns.
CVE-2024-49112: Windows Lightweight Directory Access Protocol (LDAP)
Remote Code Execution Vulnerability. This vulnerability is the most critical one addressed by Microsoft, receiving a CVSS score of 9.8 and labeled as “Exploitation Less Likely”. An unauthenticated attacker who successfully exploits this vulnerability could execute arbitrary code within the context of the LDAP service by sending a specially crafted set of LDAP calls. According to Dustin Childs from the Zero Day Initiative (ZDI), attackers can use this flaw to compromise Domain Controllers through these crafted LDAP requests. In addition, Microsoft also patched another vulnerability, CVE-2024-49113, in Windows LDAP. This vulnerability was assigned a CVSS score of 7.5 and, like the previous one, is categorized as “Exploitation Less Likely.”
CVE-2024-49118 & CVE-2024-49122: Microsoft Message Queuing (MSMQ)
Remote Code Execution Vulnerabilities. CVE-2024-49118 and CVE-2024-49122 are Remote Code Execution (RCE) vulnerabilities in Microsoft Message Queuing (MSMQ), both assigned a CVSSv3 score of 8.1 and rated as critical. For a system to be vulnerable, the MSMQ service must be added and enabled. Successful exploitation of these vulnerabilities requires an attacker to trigger a race condition. Despite this, Microsoft classified CVE-2024-49122 as “Exploitation More Likely,” while CVE-2024-49118 was rated as “Exploitation Less Likely” due to the specific condition that the race must occur during the execution of a rare operation on the target system.
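To check the precondition above on a given host, the following PowerShell function reports whether the Message Queuing service is added and enabled and whether anything is listening on its port. It is an added example, not code from Microsoft or the CCB; the function name `Test-MsmqExposure` is hypothetical, and TCP 1801 is assumed as the unmodified MSMQ default port.

```powershell
# Added example: report whether this host meets the MSMQ precondition
# ("service added and enabled"). The function name is hypothetical.
function Test-MsmqExposure {
    [CmdletBinding()]
    param(
        # Default MSMQ TCP port (assumption: the port was not reconfigured).
        [int]$Port = 1801
    )

    # The Message Queuing service is registered under the name "MSMQ".
    # No service object means the feature was never added to this host.
    $svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue

    # Sockets in the Listen state on the MSMQ port; empty if nothing is bound.
    $listeners = @(Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)

    $installed = ($null -ne $svc)
    $enabled   = $installed -and ($svc.StartType -ne 'Disabled')
    $running   = $installed -and ($svc.Status -eq 'Running')

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Installed         = $installed
        StartType         = if ($installed) { [string]$svc.StartType } else { 'n/a' }
        Running           = $running
        Listening         = ($listeners.Count -gt 0)
        # Addresses the port is bound to; 0.0.0.0 or :: means all interfaces.
        ListenAddresses   = ($listeners.LocalAddress | Sort-Object -Unique) -join ','
        # True when the service is added and not disabled, i.e. the
        # condition the advisory gives for a system to be vulnerable.
        MeetsPrecondition = $enabled
    }
}

Test-MsmqExposure | Format-List
```

Hosts that report `MeetsPrecondition : True` are the ones to prioritise for the December updates; where MSMQ is installed but unused, removing the feature takes the host out of scope for both CVEs.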
CVE-2024-49070: Microsoft SharePoint
Remote Code Execution Vulnerability. CVE-2024-49070 is a remote code execution (RCE) vulnerability in Microsoft SharePoint, assigned a CVSSv3 score of 7.4 and rated as important. To successfully exploit this vulnerability, an attacker must first prepare the target environment to increase the reliability of the exploit. Microsoft has assessed this vulnerability as “Exploitation More Likely.”
CVE-2024-49117: Windows Lightweight Directory Access Protocol (LDAP)
Remote Code Execution Vulnerability. This vulnerability has been assigned a CVSS score of 8.8 and is rated as critical by Microsoft. Successful exploitation could allow an attacker to carry out a cross-VM attack, potentially compromising multiple virtual machines and amplifying the attack’s impact beyond the initially targeted VM. Exploiting this vulnerability requires the attacker to be authenticated, but no admin or elevated privileges are necessary.
CVE-2024-49093: Windows Resilient File System (ReFS)
Elevation of Privilege Vulnerability. An attacker who successfully exploits this vulnerability could obtain SYSTEM privileges. It has been assigned a CVSSv3 score of 8.8 and is rated as important. This vulnerability requires the attacker to first log onto the system. Once logged in, the attacker could run a specially crafted application to exploit the vulnerability and gain control of the affected system. Microsoft has categorized this vulnerability as “Exploitation More Likely.”
CVE-2024-49106, CVE-2024-49108, CVE-2024-49115, CVE-2024-49116, CVE-2024-49119, CVE-2024-49120, CVE-2024-49123, CVE-2024-49128 and CVE-2024-49132: Windows Remote Desktop Services
Remote Code Execution Vulnerabilities. These remote code execution (RCE) vulnerabilities impact Windows Remote Desktop Services. All nine vulnerabilities are rated as critical, with CVSSv3 scores of 8.1. Exploiting them successfully is complex and requires the attacker to trigger a race condition. Microsoft categorized these vulnerabilities as “Exploitation Less Likely.”
CVE-2024-49063: Microsoft/Muzic
Remote Code Execution Vulnerability. This vulnerability affects Microsoft/Muzic, a research project on AI-generated music, and has received a CVSSv3 score of 8.4, rated as important. An attacker exploiting this vulnerability could achieve code execution by crafting a payload that executes during deserialization. Microsoft has classified this vulnerability as “Exploitation Less Likely.”