
December patch Tuesday fixes one actively exploited zero-day vulnerability

Microsoft patched an actively exploited vulnerability in the CLFS component.

In total, 72 Microsoft vulnerabilities were fixed in the last Patch Tuesday update of 2024. One of those vulnerabilities is an actively exploited zero-day. The Cybersecurity and Infrastructure Security Agency (CISA) has also added that zero-day vulnerability to its catalog of actively exploited vulnerabilities.

So, let’s start with a closer look at that vulnerability. It is tracked as CVE-2024-49138, has a CVSS score of 7.8 out of 10, and is classified as a Windows Common Log File System (CLFS) driver elevation of privilege (EoP) vulnerability. An attacker who successfully exploits it could gain SYSTEM privileges.

CLFS is a Windows component designed to help applications and the operating system itself log important events and data in a reliable and efficient way. CLFS is implemented as a kernel-mode driver that collects log records from applications, stores them in memory buffers, and then writes them to stable storage.

Because the driver runs with kernel-level permissions and must validate many different kinds of input, CLFS has proven to be a weak spot in Windows operating systems.

In the past five years, over 25 vulnerabilities in CLFS have been found. Last August, Microsoft announced that its Offensive Research & Security Engineering (MORSE) team had added a new verification step to the parsing of CLFS log files, aimed at addressing a whole class of vulnerabilities at once.

In the past, a vulnerability in CLFS tracked as CVE-2023-28252 was used by the Nokoyawa ransomware. By exploiting this vulnerability, the ransomware group altered the offset value that points to a specific CLFS structure in the computer’s memory, replacing it with an offset that pointed to a maliciously crafted structure. This way they gained kernel read/write privileges.
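To make the bug class concrete, here is an added toy example (not the real CLFS format and not Microsoft's code): a parser that trusts a header offset beside a hardened one that authenticates the header and bounds-checks the offset before using it. The block layout, the HMAC-based tag and the key are constructed for illustration only.

```python
import hashlib
import hmac
import struct

# Constructed toy log-block layout (NOT the real CLFS on-disk format):
#   header(12): magic(4) | record_off(u32 LE) | record_len(u32 LE)
#   tag(32):    HMAC-SHA256 over header + body, the "verification step"
#   body:       the record bytes
HDR = struct.Struct("<4sII")
TAG_LEN = 32
MAGIC = b"TLOG"
KEY = b"constructed-demo-key"  # placeholder; real key handling is out of scope

def build_block(record: bytes, key: bytes = KEY) -> bytes:
    """Emit a block whose header and body are both covered by the tag."""
    hdr = HDR.pack(MAGIC, HDR.size + TAG_LEN, len(record))
    tag = hmac.new(key, hdr + record, hashlib.sha256).digest()
    return hdr + tag + record

def parse_unchecked(block: bytes) -> bytes:
    """Trusts the header offset: a crafted offset selects arbitrary bytes."""
    _, off, ln = HDR.unpack_from(block, 0)
    return block[off:off + ln]

def parse_checked(block: bytes, key: bytes = KEY) -> bytes:
    """Hardened: authenticate the header first, then bounds-check the offset."""
    if len(block) < HDR.size + TAG_LEN:
        raise ValueError("truncated block")
    _, off, ln = HDR.unpack_from(block, 0)
    tag = block[HDR.size:HDR.size + TAG_LEN]
    body = block[HDR.size + TAG_LEN:]
    expected = hmac.new(key, block[:HDR.size] + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")  # any header tampering lands here
    if off != HDR.size + TAG_LEN or off + ln > len(block):
        raise ValueError("offset/length out of bounds")  # defence in depth
    return block[off:off + ln]

def with_offset(block: bytes, new_off: int) -> bytes:
    """Rewrite only the offset field, modelling an altered offset in a log file."""
    magic, _, ln = HDR.unpack_from(block, 0)
    return HDR.pack(magic, new_off, ln) + block[HDR.size:]

def rejected(block: bytes) -> bool:
    """True when the hardened parser refuses the block."""
    try:
        parse_checked(block)
        return False
    except ValueError:
        return True
```

The unchecked parser happily returns whatever bytes an altered offset selects, while the hardened one fails closed on the tag check before the offset is ever used.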

Other vendors

Adobe released security updates for several products

Cisco released a security advisory for an actively exploited vulnerability in the bootloader of Cisco NX-OS Software

Google released the December 2024 Android Security Bulletin

OpenWRT published a security advisory for a critical vulnerability impacting its sysupgrade server

SAP released security updates for several products as part of December Patch Day