December patch Tuesday fixes one actively exploited zero-day vulnerability
Microsoft patched an actively exploited vulnerability in the CLFS component.
In total, Microsoft fixed 72 vulnerabilities in the last Patch Tuesday update of 2024. One of them is a zero-day that is being exploited in the wild, and the Cybersecurity and Infrastructure Security Agency (CISA) has added it to its Known Exploited Vulnerabilities (KEV) catalog.
So, let’s start with a closer look at that vulnerability. It is tracked as CVE-2024-49138, carries a CVSS score of 7.8 out of 10, and is classified as a Windows Common Log File System (CLFS) driver elevation of privilege (EoP) vulnerability. It is a local privilege escalation, not remote code execution: an attacker who already has code running on the machine and successfully exploits it could gain SYSTEM privileges.
CLFS is a Windows component designed to help applications and the operating system itself log important events and data in a reliable and efficient way. It is implemented as a kernel-mode driver (clfs.sys) that collects log records from applications, stores them in memory buffers, and then writes them to stable storage.
Because the driver runs in kernel mode, and because it must parse log files whose contents a local user can control, every field it fails to validate is a potential path from a user-mode process into kernel memory. That combination has made CLFS a recurring weak spot in Windows.
In the past five years, over 25 vulnerabilities have been found in CLFS. Last August, Microsoft announced that its Microsoft Offensive Research & Security Engineering (MORSE) team had added a new verification step to the parsing of CLFS log files, aimed at closing off a whole class of these vulnerabilities at once rather than patching them one by one.
In the past, a CLFS vulnerability tracked as CVE-2023-28252 was used by the Nokoyawa ransomware. To exploit it, the attackers altered an offset value in a log file that points to a specific CLFS structure in kernel memory, replacing it with an offset that directed the driver to a maliciously crafted structure instead. This gave them kernel read/write primitives, from which SYSTEM privileges follow.
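The pattern behind these bugs, as an added illustration that is not part of the original article and does not reproduce the real CLFS base log file format: a parser that trusts an offset field stored in the file to locate a structure, shown in its vulnerable form next to a hardened version that validates the offset against the real buffer length before using it. The `log_header_t`/`log_record_t` layout, the `LOG1` magic and the `demo_*` functions are hypothetical, and the two sample files are constructed inline.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical on-disk log layout (NOT the real CLFS BLF format): a header
   carrying an offset to a record that lives elsewhere in the same file. */
#define LOG_MAGIC 0x31474F4Cu   /* "LOG1" as a little-endian uint32 */
#define BLOB_SIZE 24u           /* 12-byte header, 4 bytes padding, 8-byte record */

typedef struct {
    uint32_t magic;
    uint32_t total_size;     /* file size as claimed by the file itself */
    uint32_t record_offset;  /* attacker-controllable: where the record "is" */
} log_header_t;

typedef struct {
    uint32_t record_size;
    uint32_t flags;
} log_record_t;

/* Vulnerable: follows record_offset with no bounds check. In a kernel driver
   the resulting pointer is dereferenced in kernel mode, so a crafted offset
   turns into an out-of-bounds kernel read or write. (uintptr_t arithmetic is
   used only so the demo below can inspect the bad pointer without UB.) */
static const log_record_t *locate_record_unchecked(const uint8_t *buf, size_t len) {
    log_header_t hdr;
    (void)len;                              /* never consulted: that is the bug */
    memcpy(&hdr, buf, sizeof hdr);
    return (const log_record_t *)((uintptr_t)buf + hdr.record_offset);
}

/* Hardened: every field that steers a pointer is checked against the real
   buffer length, not against what the file claims about itself. */
static const log_record_t *locate_record_checked(const uint8_t *buf, size_t len) {
    log_header_t hdr;
    log_record_t rec;
    if (len < sizeof hdr) return NULL;
    memcpy(&hdr, buf, sizeof hdr);
    if (hdr.magic != LOG_MAGIC) return NULL;
    if (hdr.total_size != len) return NULL;            /* self-reported size must match */
    uint32_t off = hdr.record_offset;
    if (off < sizeof hdr) return NULL;                 /* record must not alias the header */
    if (off % sizeof(uint32_t) != 0) return NULL;      /* natural alignment */
    if (off > len - sizeof rec) return NULL;           /* whole record inside buffer, no wrap */
    memcpy(&rec, buf + off, sizeof rec);
    if (rec.record_size < sizeof rec || rec.record_size > len - off) return NULL;
    return (const log_record_t *)(buf + off);
}

/* Constructed sample file with a chosen record_offset. */
static void build_blob(uint8_t *blob, uint32_t record_offset) {
    log_header_t hdr = { LOG_MAGIC, BLOB_SIZE, record_offset };
    log_record_t rec = { sizeof rec, 0x2a };
    memset(blob, 0, BLOB_SIZE);
    memcpy(blob, &hdr, sizeof hdr);
    memcpy(blob + 16, &rec, sizeof rec);   /* the genuine record sits at offset 16 */
}

/* Benign file: the hardened parser finds the record and returns its flags. */
int demo_benign_flags(void) {
    uint8_t blob[BLOB_SIZE];
    build_blob(blob, 16);
    const log_record_t *rec = locate_record_checked(blob, BLOB_SIZE);
    return rec ? (int)rec->flags : -1;
}

/* Crafted file: record_offset points far outside the buffer. */
int demo_crafted_rejected_by_checked(void) {
    uint8_t blob[BLOB_SIZE];
    build_blob(blob, 0x7fff0000u);
    return locate_record_checked(blob, BLOB_SIZE) == NULL;
}

int demo_crafted_unchecked_points_outside(void) {
    uint8_t blob[BLOB_SIZE];
    build_blob(blob, 0x7fff0000u);
    uintptr_t rec = (uintptr_t)locate_record_unchecked(blob, BLOB_SIZE);
    return rec >= (uintptr_t)blob + BLOB_SIZE;   /* 1: dereference would leave the buffer */
}

/* Subtler crafted file: offset 20 is inside the buffer, but the 8-byte record
   would straddle its end, so the length check must still reject it. */
int demo_straddling_rejected(void) {
    uint8_t blob[BLOB_SIZE];
    build_blob(blob, 20);
    return locate_record_checked(blob, BLOB_SIZE) == NULL;
}

int main(void) {
    printf("benign flags: 0x%x\n", demo_benign_flags());
    printf("crafted rejected by checked parser: %d\n", demo_crafted_rejected_by_checked());
    printf("crafted pointer escapes buffer in unchecked parser: %d\n",
           demo_crafted_unchecked_points_outside());
    printf("straddling record rejected: %d\n", demo_straddling_rejected());
    return 0;
}
```

The point of the hardened version is that `len` comes from the caller (how many bytes were actually read), not from the file; checking `off` against `len - sizeof rec` rather than `off + sizeof rec` against `len` also avoids the integer wrap a large offset would otherwise cause.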
Other vendors
Adobe released security updates for several products:
- Adobe Experience Manager
- Adobe Acrobat and Reader
- Adobe Media Encoder
- Adobe Illustrator
- Adobe After Effects
- Adobe Animate
- Adobe InDesign
- Adobe PDFL SDK
- Adobe Connect
- Adobe Substance 3D Sampler
- Adobe Photoshop
- Adobe Substance 3D Modeler
- Adobe Bridge
- Adobe Premiere Pro
- Adobe Substance 3D Painter
- Adobe FrameMaker
Cisco released a security advisory for an actively exploited vulnerability in the bootloader of Cisco NX-OS Software
Google released the December 2024 Android Security Bulletin
OpenWRT published a security advisory for a critical vulnerability impacting its sysupgrade server
SAP released security updates for several products as part of December Patch Day