Report Name: Microsoft Patch Tuesday, December 2024
Generated: 2024-12-11 01:22:53

Product Name	Prevalence	U	C	H	M	L	A	Comment
Windows Kernel	0.9				1		1	Windows Kernel
Chromium	0.8			2	8		10	Chromium is a free and open-source web browser project, mainly developed and maintained by Google
Microsoft Edge	0.8				3		3	Web browser
Microsoft Office	0.8				3		3	Microsoft Office is a suite of applications designed to help with productivity and completing common tasks on a computer
Windows Domain Name Service	0.8				1		1	Windows component
Windows Cloud Files Mini Filter Driver	0.8				1		1	Windows component
Windows Common Log File System Driver	0.8			1	2		3	Common Log File System is a general-purpose logging subsystem that is accessible to both kernel-mode as well as user-mode applications for building high-performance transaction logs
Windows File Explorer	0.8				1		1	Windows component
Windows IP Routing Management Snapin	0.8			1			1	Windows component
Windows Kernel-Mode Driver	0.8				1		1	Windows component
Windows Lightweight Directory Access Protocol (LDAP)	0.8			2	2		4	Windows component
Windows Local Security Authority Subsystem Service (LSASS)	0.8			1			1	Windows component
Windows Mobile Broadband Driver	0.8				7		7	Windows component
Windows PrintWorkflowUserSvc	0.8				2		2	Windows component
Windows Remote Desktop Client	0.8			1			1	Remote Desktop Protocol Client
Windows Remote Desktop Gateway (RD Gateway)	0.8				1		1	Windows component
Windows Remote Desktop Services	0.8			9			9	Remote Desktop Services, known as Terminal Services in Windows Server 2008 and earlier, is one of the components of Microsoft Windows that allow a user to initiate and control an interactive session on a remote computer or virtual machine over a network connection
Windows Remote Desktop Services Denial of Service Vulnerability	0.8				1		1	Windows component
Windows Resilient File System (ReFS)	0.8				1		1	Windows component
Windows Routing and Remote Access Service (RRAS)	0.8			5	1		6	Windows component
Windows Task Scheduler	0.8				1		1	Windows component
Windows Virtualization-Based Security (VBS) Enclave	0.8				1		1	Windows component
Windows Wireless Wide Area Network Service (WwanSvc)	0.8				3		3	Windows component
Microsoft SharePoint	0.7				4		4	Microsoft SharePoint
System Center Operations Manager	0.7				1		1	System Center Operations Manager
Microsoft Access	0.6				1		1	MS Office product
Microsoft Excel	0.6				1		1	MS Office product
Windows Hyper-V	0.6				1		1	Hardware virtualization component of the client editions of Windows NT
Azure Stack HCI	0.5				1		1	Azure Stack HCI
Input Method Editor (IME)	0.5				1		1	Input Method Editor (IME)
Lightweight Directory Access Protocol (LDAP) Client	0.5				1		1	Lightweight Directory Access Protocol (LDAP) Client
Microsoft Copilot Studio	0.5				1		1	Copilot Studio is an end-to-end conversational AI platform that empowers you to create agents using natural language or a graphical interface
Microsoft Defender for Endpoint on Android	0.5				1		1	Microsoft Defender for Endpoint on Android
Microsoft Dynamics 365 Sales	0.5				1		1	Microsoft Dynamics 365 Sales
Microsoft Message Queuing (MSMQ)	0.5				3		3	Microsoft Message Queuing (MSMQ)
Microsoft Partner Network	0.5			1			1	The Microsoft AI Cloud Partner Program gives you the tools to create and market innovative Microsoft Cloud and AI solutions
Microsoft/Muzic	0.5				1		1	Microsoft/Muzic
Wireless Wide Area Network Service (WwanSvc)	0.5				5		5	Wireless Wide Area Network Service (WwanSvc)
WmsRepair Service	0.5				1		1	WmsRepair Service
Azure	0.4				1		1	Azure

Vulnerability Type	Criticality	U	C	H	M	L	A
Remote Code Execution	1.0			19	12		31
Authentication Bypass	0.98				1		1
Security Feature Bypass	0.9			2	2		4
Elevation of Privilege	0.85			2	28		30
Information Disclosure	0.83				8		8
Cross Site Scripting	0.8				2		2
Denial of Service	0.7				5		5
Memory Corruption	0.5				4		4
Spoofing	0.4				4		4

Source	U	C	H	M	L	A
MS PT Extended			3	15		18
Qualys			13	9		22
Tenable			10	9		19
Rapid7			4	1		5
ZDI			2	2		4

Urgent (0)

Critical (0)

High (23)

1. Elevation of Privilege - Windows Common Log File System Driver (CVE-2024-49138) - High [594]

Description: Windows Common Log File System Driver Elevation of Privilege Vulnerability

Qualys: CVE-2024-49138: Windows Common Log File System Driver Elevation of Privilege Vulnerability The Common Log File System (CLFS) is a general-purpose logging service used by software clients running in user or kernel mode. CLFS can be used for data management, database systems, messaging, Online Transactional Processing (OLTP) systems, and other kinds of transactional systems. Upon successful exploitation, an attacker could gain SYSTEM privileges. CISA added the CVE-2024-49138 to its Known Exploited Vulnerabilities Catalog and requested users to patch it before December 31, 2024.

Tenable: Microsoft’s December 2024 Patch Tuesday Addresses 70 CVEs (CVE-2024-49138)

Tenable: CVE-2024-49138 | Windows Common Log File System Driver Elevation of Privilege Vulnerability

Tenable: CVE-2024-49138 is an EoP vulnerability in the Windows Common Log File System (CLFS) Driver. It was assigned a CVSSv3 score of 7.8 and is rated as important. It was exploited in the wild as a zero-day, though no details about the in-the-wild exploitation were known at the time this blog post was published.

Tenable: In addition to CVE-2024-49138, Microsoft patched two other CLFS driver EoP vulnerabilities: CVE-2024-49090, CVE-2024-49088, both assigned a CVSSv3 score of 7.8, were rated as important and assessed as “Exploitation More Likely” according to Microsoft’s Exploitability Index.

Rapid7: This month’s zero-day vulnerability is CVE-2024-49138, an elevation of privilege vulnerability in the Windows Common Log File System (CLFS) driver, a general-purpose Windows logging service that can be used by software clients running in user-mode or kernel-mode. Exploitation leads to SYSTEM privileges, and if this all sounds familiar, it should.

Rapid7: There have been a series of zero-day elevation of privilege vulnerabilities in CLFS over the past few years. Past offenders are CVE-2022-24521, CVE-2023-23376, CVE-2022-37969, and CVE-2023-28252; today’s addition of CVE-2024-49138 is the first CLFS zero-day vulnerability which Microsoft has published in 2024. Although the advisory doesn’t provide much detail on the means of exploitation, the weakness is CWE-122: Heap-based Buffer Overflow, which most commonly leads to crashes/denial of service, but can also lead to code execution.

ZDI: CVE-2024-49138 - Windows Common Log File System Driver Elevation of Privilege Vulnerability. This bug is listed as publicly known and under active attack, but Microsoft provides no information regarding where it was disclosed or how widespread the attacks may be. Since it is a privilege escalation, it is likely being paired with a code execution bug to take over a system. These tactics are often seen in ransomware attacks and in targeted phishing campaigns.

2. Elevation of Privilege - Microsoft Partner Network (CVE-2024-49035) - High [568]

Description: Partner.Microsoft.Com Elevation of Privilege Vulnerability. An improper access control vulnerability in Partner.Microsoft.com allows an a unauthenticated attacker to elevate privileges over a network.

MS PT Extended: CVE-2024-49035 was published before December 2024 Patch Tuesday from 2024-11-13 to 2024-12-09

3. Remote Code Execution - Windows Lightweight Directory Access Protocol (LDAP) (CVE-2024-49112) - High [430]

Description: Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability

Qualys: CVE-2024-49112: Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability An unauthenticated attacker may exploit the vulnerability by sending a specially crafted set of LDAP calls. Upon successful exploitation an attacker may execute arbitrary code within the context of the LDAP service.

Qualys: Mitigative controls for CVE-2024-49112 Microsoft suggests that ensuring domain controllers are not configured to access the internet or deny RPC inbound traffic from untrusted networks. Example commands that customers can run on domain controllers are: Block All Outbound: netsh advfirewall firewall add rule name="Block All Outbound" dir=out action=block Block RPC Inbound: netsh advfirewall firewall add rule name="Block RPC Inbound" dir=in action=block protocol=TCP localport=135

Qualys: CVE-2024-49112: Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability This vulnerability has a CVSS: 3.1 9.8 / 8.5 Policy Compliance Control IDs (CIDs): 1514 Status of the ‘Restrictions for Unauthenticated RPC clients’ setting 8446 Status of RPC Endpoint Mapper Service 1513 Status of the ‘RPC Endpoint Mapper Client Authentication’ setting 8236 Configure ‘Network Security:Restrict NTLM: Incoming NTLM traffic’ 8158 Status of the ‘Windows Firewall: Outbound connections (Domain)’ setting 8159 Status of the ‘Windows Firewall: Outbound connections (Private)’ setting 8164 Status of the ‘Windows Firewall: Outbound connections (Public)’ setting The following QQL will return a posture assessment for the CIDs for this Patch Tuesday: control.id: [1514,8446,1513,8236,8158,8159,8164] The next Patch Tuesday falls on January 14, and we will be back with details and patch analysis. Until next Patch Tuesday, stay safe and secure. Be sure to subscribe to ‘This Month in Vulnerabilities and Patch’s webinar.’

Rapid7: A trio of Windows LDAP critical RCE vulnerabilities receive patches this month, including CVE-2024-49112, which has a CVSSv3 base score of 9.8, which is the highest of any of the vulnerabilities which Microsoft has published today. Exploitation is via a specially crafted set of LDAP calls, and leads to code execution within the context of the LDAP service; although the advisory doesn’t specify, the LDAP service runs in a SYSTEM context. Microsoft advises defenders who still permit domain controllers to receive inbound RPC calls from untrusted networks or to access the internet to stop doing that.

ZDI: CVE-2024-49112 - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability. This is the highest severity bug in this month’s release with a CVSS score of 9.8. It allows remote, unauthenticated attackers to exploit affected Domain Controllers by sending a specially crafted set of LDAP calls. Code execution occurs at the level of the LDAP service, which is elevated, but not SYSTEM. Microsoft provides some… interesting mitigation advice. They recommend disconnecting Domain Controllers from the internet. While that would stop this attack, I’m not sure how practical that would be for most enterprises. I recommend testing and deploying the patch quickly.

4. Remote Code Execution - Windows IP Routing Management Snapin (CVE-2024-49080) - High [419]

Description: Windows IP Routing Management Snapin Remote Code Execution Vulnerability

5. Remote Code Execution - Windows Routing and Remote Access Service (RRAS) (CVE-2024-49085) - High [419]

Description: Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

6. Remote Code Execution - Windows Routing and Remote Access Service (RRAS) (CVE-2024-49086) - High [419]

Description: Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

7. Remote Code Execution - Windows Routing and Remote Access Service (RRAS) (CVE-2024-49102) - High [419]

Description: Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

8. Remote Code Execution - Windows Routing and Remote Access Service (RRAS) (CVE-2024-49104) - High [419]

Description: Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

9. Remote Code Execution - Windows Routing and Remote Access Service (RRAS) (CVE-2024-49125) - High [419]

Description: Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

10. Security Feature Bypass - Chromium (CVE-2024-11115) - High [413]

Description: Chromium: CVE-2024-11115 Insufficient policy enforcement in Navigation. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2024-11115 was published before December 2024 Patch Tuesday from 2024-11-13 to 2024-12-09

11. Remote Code Execution - Windows Lightweight Directory Access Protocol (LDAP) (CVE-2024-49127) - High [407]

Description: Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability

Qualys: CVE-2024-49127: Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability An unauthenticated attacker may send a specially crafted request to a vulnerable server. Successful exploitation of the vulnerability may result in remote code execution in the context of the SYSTEM account.

12. Remote Code Execution - Windows Local Security Authority Subsystem Service (LSASS) (CVE-2024-49126) - High [407]

Description: Windows Local Security Authority Subsystem Service (LSASS) Remote Code Execution Vulnerability

Qualys: CVE-2024-49126: Windows Local Security Authority Subsystem Service (LSASS) Remote Code Execution Vulnerability Local Security Authority Subsystem Service (LSASS) is a process in Microsoft Windows operating systems responsible for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens. An unauthenticated attacker must win a race condition to exploit the vulnerability. Successful exploitation of the vulnerability may result in remote code execution in the context of the server’s account through a network call.

Rapid7: Another potential cause for concern this month: CVE-2024-49126 is a critical RCE in the Local Security Authority Subsystem Service (LSASS). Exploitation could potentially be carried out remotely, and the attacker needs no privileges, nor does the user need to perform any action; the only silver lining is that an attacker must win a race condition. Although the advisory says that code execution would be in the context of the server’s account, it might be safest to assume that code execution would be in a SYSTEM context.

13. Remote Code Execution - Windows Remote Desktop Client (CVE-2024-49105) - High [407]

Description: Remote Desktop Client Remote Code Execution Vulnerability

14. Remote Code Execution - Windows Remote Desktop Services (CVE-2024-49106) - High [407]

Description: Windows Remote Desktop Services Remote Code Execution Vulnerability

Qualys: CVE-2024-49106, CVE-2024-49108, CVE-2024-49115, CVE-2024-49116, CVE-2024-49119, CVE-2024-49120, CVE-2024-49123, CVE-2024-49128, & CVE-2024-49132: Windows Remote Desktop Services Remote Code Execution Vulnerability Windows Remote Desktop Services (RDS) licensing, also known as Remote Desktop Protocol (RDP) licensing, is a Windows component allowing users to control a remote computer over a network connection. RDS licensing is important when setting up RDS environments, and the Remote Desktop License Server is a critical element of this process. An attacker may exploit the vulnerability by connecting to a system with the Remote Desktop Gateway role. An attacker could trigger the race condition to create a use-after-free scenario and perform remote code execution.

Tenable: CVE-2024-49106, CVE-2024-49108, CVE-2024-49115, CVE-2024-49116, CVE-2024-49119, CVE-2024-49120, CVE-2024-49123, CVE-2024-49128 and CVE-2024-49132 | Windows Remote Desktop Services Remote Code Execution Vulnerability

Tenable: CVE-2024-49106, CVE-2024-49108, CVE-2024-49115, CVE-2024-49116, CVE-2024-49119, CVE-2024-49120, CVE-2024-49123, CVE-2024-49128 and CVE-2024-49132 are RCE vulnerabilities affecting Windows Remote Desktop Services. All nine of these vulnerabilities were rated as critical and received CVSSv3 scores of 8.1. Successful exploitation is complex and requires an attacker to trigger a race condition in order to “create a use-after-free scenario” which could lead to arbitrary code execution. With a high complexity for exploitation, Microsoft assessed these vulnerabilities as “Exploitation Less Likely.”

Rapid7: All eight critical RCE vulnerabilities in Remote Desktop Services published today (e.g. CVE-2024-49106) share a number of similarities: they have identical CVSS vectors, exploitation requires that an attacker win a race condition, and the same research group is credited in each case.

15. Remote Code Execution - Windows Remote Desktop Services (CVE-2024-49108) - High [407]

Description: Windows Remote Desktop Services Remote Code Execution Vulnerability

Qualys: CVE-2024-49106, CVE-2024-49108, CVE-2024-49115, CVE-2024-49116, CVE-2024-49119, CVE-2024-49120, CVE-2024-49123, CVE-2024-49128, & CVE-2024-49132: Windows Remote Desktop Services Remote Code Execution Vulnerability Windows Remote Desktop Services (RDS) licensing, also known as Remote Desktop Protocol (RDP) licensing, is a Windows component allowing users to control a remote computer over a network connection. RDS licensing is important when setting up RDS environments, and the Remote Desktop License Server is a critical element of this process. An attacker may exploit the vulnerability by connecting to a system with the Remote Desktop Gateway role. An attacker could trigger the race condition to create a use-after-free scenario and perform remote code execution.

Tenable: CVE-2024-49106, CVE-2024-49108, CVE-2024-49115, CVE-2024-49116, CVE-2024-49119, CVE-2024-49120, CVE-2024-49123, CVE-2024-49128 and CVE-2024-49132 | Windows Remote Desktop Services Remote Code Execution Vulnerability

Tenable: CVE-2024-49106, CVE-2024-49108, CVE-2024-49115, CVE-2024-49116, CVE-2024-49119, CVE-2024-49120, CVE-2024-49123, CVE-2024-49128 and CVE-2024-49132 are RCE vulnerabilities affecting Windows Remote Desktop Services. All nine of these vulnerabilities were rated as critical and received CVSSv3 scores of 8.1. Successful exploitation is complex and requires an attacker to trigger a race condition in order to “create a use-after-free scenario” which could lead to arbitrary code execution. With a high complexity for exploitation, Microsoft assessed these vulnerabilities as “Exploitation Less Likely.”

16. Remote Code Execution - Windows Remote Desktop Services (CVE-2024-49115) - High [407]

Description: Windows Remote Desktop Services Remote Code Execution Vulnerability

Qualys: CVE-2024-49106, CVE-2024-49108, CVE-2024-49115, CVE-2024-49116, CVE-2024-49119, CVE-2024-49120, CVE-2024-49123, CVE-2024-49128, & CVE-2024-49132: Windows Remote Desktop Services Remote Code Execution Vulnerability Windows Remote Desktop Services (RDS) licensing, also known as Remote Desktop Protocol (RDP) licensing, is a Windows component allowing users to control a remote computer over a network connection. RDS licensing is important when setting up RDS environments, and the Remote Desktop License Server is a critical element of this process. An attacker may exploit the vulnerability by connecting to a system with the Remote Desktop Gateway role. An attacker could trigger the race condition to create a use-after-free scenario and perform remote code execution.

Tenable: CVE-2024-49106, CVE-2024-49108, CVE-2024-49115, CVE-2024-49116, CVE-2024-49119, CVE-2024-49120, CVE-2024-49123, CVE-2024-49128 and CVE-2024-49132 | Windows Remote Desktop Services Remote Code Execution Vulnerability

Tenable: CVE-2024-49106, CVE-2024-49108, CVE-2024-49115, CVE-2024-49116, CVE-2024-49119, CVE-2024-49120, CVE-2024-49123, CVE-2024-49128 and CVE-2024-49132 are RCE vulnerabilities affecting Windows Remote Desktop Services. All nine of these vulnerabilities were rated as critical and received CVSSv3 scores of 8.1. Successful exploitation is complex and requires an attacker to trigger a race condition in order to “create a use-after-free scenario” which could lead to arbitrary code execution. With a high complexity for exploitation, Microsoft assessed these vulnerabilities as “Exploitation Less Likely.”

17. Remote Code Execution - Windows Remote Desktop Services (CVE-2024-49116) - High [407]

Description: Windows Remote Desktop Services Remote Code Execution Vulnerability

Qualys: CVE-2024-49106, CVE-2024-49108, CVE-2024-49115, CVE-2024-49116, CVE-2024-49119, CVE-2024-49120, CVE-2024-49123, CVE-2024-49128, & CVE-2024-49132: Windows Remote Desktop Services Remote Code Execution Vulnerability Windows Remote Desktop Services (RDS) licensing, also known as Remote Desktop Protocol (RDP) licensing, is a Windows component allowing users to control a remote computer over a network connection. RDS licensing is important when setting up RDS environments, and the Remote Desktop License Server is a critical element of this process. An attacker may exploit the vulnerability by connecting to a system with the Remote Desktop Gateway role. An attacker could trigger the race condition to create a use-after-free scenario and perform remote code execution.

Tenable: CVE-2024-49106, CVE-2024-49108, CVE-2024-49115, CVE-2024-49116, CVE-2024-49119, CVE-2024-49120, CVE-2024-49123, CVE-2024-49128 and CVE-2024-49132 | Windows Remote Desktop Services Remote Code Execution Vulnerability

Tenable: CVE-2024-49106, CVE-2024-49108, CVE-2024-49115, CVE-2024-49116, CVE-2024-49119, CVE-2024-49120, CVE-2024-49123, CVE-2024-49128 and CVE-2024-49132 are RCE vulnerabilities affecting Windows Remote Desktop Services. All nine of these vulnerabilities were rated as critical and received CVSSv3 scores of 8.1. Successful exploitation is complex and requires an attacker to trigger a race condition in order to “create a use-after-free scenario” which could lead to arbitrary code execution. With a high complexity for exploitation, Microsoft assessed these vulnerabilities as “Exploitation Less Likely.”

18. Remote Code Execution - Windows Remote Desktop Services (CVE-2024-49119) - High [407]

Description: Windows Remote Desktop Services Remote Code Execution Vulnerability

Qualys: CVE-2024-49106, CVE-2024-49108, CVE-2024-49115, CVE-2024-49116, CVE-2024-49119, CVE-2024-49120, CVE-2024-49123, CVE-2024-49128, & CVE-2024-49132: Windows Remote Desktop Services Remote Code Execution Vulnerability Windows Remote Desktop Services (RDS) licensing, also known as Remote Desktop Protocol (RDP) licensing, is a Windows component allowing users to control a remote computer over a network connection. RDS licensing is important when setting up RDS environments, and the Remote Desktop License Server is a critical element of this process. An attacker may exploit the vulnerability by connecting to a system with the Remote Desktop Gateway role. An attacker could trigger the race condition to create a use-after-free scenario and perform remote code execution.

Tenable: CVE-2024-49106, CVE-2024-49108, CVE-2024-49115, CVE-2024-49116, CVE-2024-49119, CVE-2024-49120, CVE-2024-49123, CVE-2024-49128 and CVE-2024-49132 | Windows Remote Desktop Services Remote Code Execution Vulnerability

Tenable: CVE-2024-49106, CVE-2024-49108, CVE-2024-49115, CVE-2024-49116, CVE-2024-49119, CVE-2024-49120, CVE-2024-49123, CVE-2024-49128 and CVE-2024-49132 are RCE vulnerabilities affecting Windows Remote Desktop Services. All nine of these vulnerabilities were rated as critical and received CVSSv3 scores of 8.1. Successful exploitation is complex and requires an attacker to trigger a race condition in order to “create a use-after-free scenario” which could lead to arbitrary code execution. With a high complexity for exploitation, Microsoft assessed these vulnerabilities as “Exploitation Less Likely.”

19. Remote Code Execution - Windows Remote Desktop Services (CVE-2024-49120) - High [407]

Description: Windows Remote Desktop Services Remote Code Execution Vulnerability

Qualys: CVE-2024-49106, CVE-2024-49108, CVE-2024-49115, CVE-2024-49116, CVE-2024-49119, CVE-2024-49120, CVE-2024-49123, CVE-2024-49128, & CVE-2024-49132: Windows Remote Desktop Services Remote Code Execution Vulnerability Windows Remote Desktop Services (RDS) licensing, also known as Remote Desktop Protocol (RDP) licensing, is a Windows component allowing users to control a remote computer over a network connection. RDS licensing is important when setting up RDS environments, and the Remote Desktop License Server is a critical element of this process. An attacker may exploit the vulnerability by connecting to a system with the Remote Desktop Gateway role. An attacker could trigger the race condition to create a use-after-free scenario and perform remote code execution.

Tenable: CVE-2024-49106, CVE-2024-49108, CVE-2024-49115, CVE-2024-49116, CVE-2024-49119, CVE-2024-49120, CVE-2024-49123, CVE-2024-49128 and CVE-2024-49132 | Windows Remote Desktop Services Remote Code Execution Vulnerability

Tenable: CVE-2024-49106, CVE-2024-49108, CVE-2024-49115, CVE-2024-49116, CVE-2024-49119, CVE-2024-49120, CVE-2024-49123, CVE-2024-49128 and CVE-2024-49132 are RCE vulnerabilities affecting Windows Remote Desktop Services. All nine of these vulnerabilities were rated as critical and received CVSSv3 scores of 8.1. Successful exploitation is complex and requires an attacker to trigger a race condition in order to “create a use-after-free scenario” which could lead to arbitrary code execution. With a high complexity for exploitation, Microsoft assessed these vulnerabilities as “Exploitation Less Likely.”

20. Remote Code Execution - Windows Remote Desktop Services (CVE-2024-49123) - High [407]

Description: Windows Remote Desktop Services Remote Code Execution Vulnerability

Qualys: CVE-2024-49106, CVE-2024-49108, CVE-2024-49115, CVE-2024-49116, CVE-2024-49119, CVE-2024-49120, CVE-2024-49123, CVE-2024-49128, & CVE-2024-49132: Windows Remote Desktop Services Remote Code Execution Vulnerability Windows Remote Desktop Services (RDS) licensing, also known as Remote Desktop Protocol (RDP) licensing, is a Windows component allowing users to control a remote computer over a network connection. RDS licensing is important when setting up RDS environments, and the Remote Desktop License Server is a critical element of this process. An attacker may exploit the vulnerability by connecting to a system with the Remote Desktop Gateway role. An attacker could trigger the race condition to create a use-after-free scenario and perform remote code execution.

Tenable: CVE-2024-49106, CVE-2024-49108, CVE-2024-49115, CVE-2024-49116, CVE-2024-49119, CVE-2024-49120, CVE-2024-49123, CVE-2024-49128 and CVE-2024-49132 | Windows Remote Desktop Services Remote Code Execution Vulnerability

Tenable: CVE-2024-49106, CVE-2024-49108, CVE-2024-49115, CVE-2024-49116, CVE-2024-49119, CVE-2024-49120, CVE-2024-49123, CVE-2024-49128 and CVE-2024-49132 are RCE vulnerabilities affecting Windows Remote Desktop Services. All nine of these vulnerabilities were rated as critical and received CVSSv3 scores of 8.1. Successful exploitation is complex and requires an attacker to trigger a race condition in order to “create a use-after-free scenario” which could lead to arbitrary code execution. With a high complexity for exploitation, Microsoft assessed these vulnerabilities as “Exploitation Less Likely.”

21. Remote Code Execution - Windows Remote Desktop Services (CVE-2024-49128) - High [407]

Description: Windows Remote Desktop Services Remote Code Execution Vulnerability

Qualys: CVE-2024-49106, CVE-2024-49108, CVE-2024-49115, CVE-2024-49116, CVE-2024-49119, CVE-2024-49120, CVE-2024-49123, CVE-2024-49128, & CVE-2024-49132: Windows Remote Desktop Services Remote Code Execution Vulnerability Windows Remote Desktop Services (RDS) licensing, also known as Remote Desktop Protocol (RDP) licensing, is a Windows component allowing users to control a remote computer over a network connection. RDS licensing is important when setting up RDS environments, and the Remote Desktop License Server is a critical element of this process. An attacker may exploit the vulnerability by connecting to a system with the Remote Desktop Gateway role. An attacker could trigger the race condition to create a use-after-free scenario and perform remote code execution.

Tenable: CVE-2024-49106, CVE-2024-49108, CVE-2024-49115, CVE-2024-49116, CVE-2024-49119, CVE-2024-49120, CVE-2024-49123, CVE-2024-49128 and CVE-2024-49132 | Windows Remote Desktop Services Remote Code Execution Vulnerability

Tenable: CVE-2024-49106, CVE-2024-49108, CVE-2024-49115, CVE-2024-49116, CVE-2024-49119, CVE-2024-49120, CVE-2024-49123, CVE-2024-49128 and CVE-2024-49132 are RCE vulnerabilities affecting Windows Remote Desktop Services. All nine of these vulnerabilities were rated as critical and received CVSSv3 scores of 8.1. Successful exploitation is complex and requires an attacker to trigger a race condition in order to “create a use-after-free scenario” which could lead to arbitrary code execution. With a high complexity for exploitation, Microsoft assessed these vulnerabilities as “Exploitation Less Likely.”

22. Remote Code Execution - Windows Remote Desktop Services (CVE-2024-49132) - High [407]

Description: Windows Remote Desktop Services Remote Code Execution Vulnerability

Qualys: CVE-2024-49106, CVE-2024-49108, CVE-2024-49115, CVE-2024-49116, CVE-2024-49119, CVE-2024-49120, CVE-2024-49123, CVE-2024-49128, & CVE-2024-49132: Windows Remote Desktop Services Remote Code Execution Vulnerability Windows Remote Desktop Services (RDS) licensing, also known as Remote Desktop Protocol (RDP) licensing, is a Windows component allowing users to control a remote computer over a network connection. RDS licensing is important when setting up RDS environments, and the Remote Desktop License Server is a critical element of this process. An attacker may exploit the vulnerability by connecting to a system with the Remote Desktop Gateway role. An attacker could trigger the race condition to create a use-after-free scenario and perform remote code execution.

Tenable: CVE-2024-49106, CVE-2024-49108, CVE-2024-49115, CVE-2024-49116, CVE-2024-49119, CVE-2024-49120, CVE-2024-49123, CVE-2024-49128 and CVE-2024-49132 | Windows Remote Desktop Services Remote Code Execution Vulnerability

Tenable: CVE-2024-49106, CVE-2024-49108, CVE-2024-49115, CVE-2024-49116, CVE-2024-49119, CVE-2024-49120, CVE-2024-49123, CVE-2024-49128 and CVE-2024-49132 are RCE vulnerabilities affecting Windows Remote Desktop Services. All nine of these vulnerabilities were rated as critical and received CVSSv3 scores of 8.1. Successful exploitation is complex and requires an attacker to trigger a race condition in order to “create a use-after-free scenario” which could lead to arbitrary code execution. With a high complexity for exploitation, Microsoft assessed these vulnerabilities as “Exploitation Less Likely.”

23. Security Feature Bypass - Chromium (CVE-2024-11114) - High [401]

Description: Inappropriate implementation in Views in Google Chrome on Windows prior to 131.0.6778.69 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

MS PT Extended: CVE-2024-11114 was published before December 2024 Patch Tuesday from 2024-11-13 to 2024-12-09

Medium (66)

24. Remote Code Execution - Windows Domain Name Service (CVE-2024-49091) - Medium [395]

Description: Windows Domain Name Service Remote Code Execution Vulnerability

25. Remote Code Execution - Windows Routing and Remote Access Service (RRAS) (CVE-2024-49089) - Medium [395]

Description: Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability

26. Elevation of Privilege - Windows Resilient File System (ReFS) (CVE-2024-49093) - Medium [392]

Description: Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability

Qualys: Other Microsoft Vulnerability Highlights CVE-2024-49070 is a remote code execution vulnerability in Microsoft SharePoint. Successful exploitation of the vulnerability may lead to remote code execution. CVE-2024-49093 is an elevation of privilege vulnerability in Windows Resilient File System (ReFS). Upon successful exploitation, an attacker may gain SYSTEM privileges. CVE-2024-49114 is an elevation of privilege vulnerability in Windows Cloud Files Mini Filter Driver. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-49088 and CVE-2024-49090 are elevation of privilege vulnerabilities in the Windows Cloud Files Mini Filter Driver. Upon successful exploitation, an attacker may gain SYSTEM privileges.

27. Security Feature Bypass - Chromium (CVE-2024-11110) - Medium [389]

Description: Inappropriate implementation in Extensions in Google Chrome prior to 131.0.6778.69 allowed a remote attacker to bypass site isolation via a crafted Chrome Extension. (Chromium security severity: High)

MS PT Extended: CVE-2024-11110 was published before December 2024 Patch Tuesday from 2024-11-13 to 2024-12-09

28. Elevation of Privilege - Windows Kernel (CVE-2024-49084) - Medium [385]

Description: Windows Kernel Elevation of Privilege Vulnerability

29. Remote Code Execution - Windows Hyper-V (CVE-2024-49117) - Medium [385]

Description: Windows Hyper-V Remote Code Execution Vulnerability

Qualys: CVE-2024-49117: Windows Hyper-V Remote Code Execution Vulnerability Windows Hyper-V is a Microsoft virtualization technology that allows users to create and run Virtual Machines (VMs) on a physical host. An authenticated attacker on a guest VM must send specially crafted file operation requests to hardware resources on the VM to exploit the vulnerability. Upon successful exploitation, an attacker may execute a cross-VM attack, compromising multiple virtual machines and expanding the attack’s impact beyond the initially targeted VM.

Rapid7: CVE-2024-49117 describes a container escape for Hyper-V; exploitation requires that the attacker make specially crafted file operation requests on the virtual machine (VM) to hardware resources on the VM, which could result in remote code execution on the hypervisor. The FAQ on the advisory sets out that no special privileges are required in the context of the VM, so any level of access is enough to break free from the VM. We also learn that the container escape could be lateral, where an attacker moves from one VM to another, rather than to the hypervisor.

ZDI: CVE-2024-49117 - Windows Hyper-V Remote Code Execution Vulnerability. This Critical-rated bug allows someone on a guest VM to execute code on the underlying host OS. They could also perform a cross-VM attack. The good news here is that the attacker does need to be authenticated. The bad news is that the attacker only requires basic authentication – nothing elevated. If you are running Hyper-V or have hosts on a Hyper-V server, you’ll definitely want to get this patched quickly.

30. Remote Code Execution - Microsoft Office (CVE-2024-49065) - Medium [383]

Description: Microsoft Office Remote Code Execution Vulnerability

31. Elevation of Privilege - Microsoft Office (CVE-2024-43600) - Medium [380]

Description: Microsoft Office Elevation of Privilege Vulnerability

32. Elevation of Privilege - Windows Cloud Files Mini Filter Driver (CVE-2024-49114) - Medium [380]

Description: Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability

Qualys: Other Microsoft Vulnerability Highlights CVE-2024-49070 is a remote code execution vulnerability in Microsoft SharePoint. Successful exploitation of the vulnerability may lead to remote code execution. CVE-2024-49093 is an elevation of privilege vulnerability in Windows Resilient File System (ReFS). Upon successful exploitation, an attacker may gain SYSTEM privileges. CVE-2024-49114 is an elevation of privilege vulnerability in Windows Cloud Files Mini Filter Driver. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-49088 and CVE-2024-49090 are elevation of privilege vulnerabilities in the Windows Cloud Files Mini Filter Driver. Upon successful exploitation, an attacker may gain SYSTEM privileges.

33. Elevation of Privilege - Windows Common Log File System Driver (CVE-2024-49088) - Medium [380]

Description: Windows Common Log File System Driver Elevation of Privilege Vulnerability

Qualys: Other Microsoft Vulnerability Highlights CVE-2024-49070 is a remote code execution vulnerability in Microsoft SharePoint. Successful exploitation of the vulnerability may lead to remote code execution. CVE-2024-49093 is an elevation of privilege vulnerability in Windows Resilient File System (ReFS). Upon successful exploitation, an attacker may gain SYSTEM privileges. CVE-2024-49114 is an elevation of privilege vulnerability in Windows Cloud Files Mini Filter Driver. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-49088 and CVE-2024-49090 are elevation of privilege vulnerabilities in the Windows Cloud Files Mini Filter Driver. Upon successful exploitation, an attacker may gain SYSTEM privileges.

Tenable: In addition to CVE-2024-49138, Microsoft patched two other CLFS driver EoP vulnerabilities: CVE-2024-49090, CVE-2024-49088, both assigned a CVSSv3 score of 7.8, were rated as important and assessed as “Exploitation More Likely” according to Microsoft’s Exploitability Index.

34. Elevation of Privilege - Windows Common Log File System Driver (CVE-2024-49090) - Medium [380]

Description: Windows Common Log File System Driver Elevation of Privilege Vulnerability

Qualys: Other Microsoft Vulnerability Highlights CVE-2024-49070 is a remote code execution vulnerability in Microsoft SharePoint. Successful exploitation of the vulnerability may lead to remote code execution. CVE-2024-49093 is an elevation of privilege vulnerability in Windows Resilient File System (ReFS). Upon successful exploitation, an attacker may gain SYSTEM privileges. CVE-2024-49114 is an elevation of privilege vulnerability in Windows Cloud Files Mini Filter Driver. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-49088 and CVE-2024-49090 are elevation of privilege vulnerabilities in the Windows Cloud Files Mini Filter Driver. Upon successful exploitation, an attacker may gain SYSTEM privileges.

Tenable: In addition to CVE-2024-49138, Microsoft patched two other CLFS driver EoP vulnerabilities: CVE-2024-49090, CVE-2024-49088, both assigned a CVSSv3 score of 7.8, were rated as important and assessed as “Exploitation More Likely” according to Microsoft’s Exploitability Index.

35. Elevation of Privilege - Windows Kernel-Mode Driver (CVE-2024-49074) - Medium [380]

Description: Windows Kernel-Mode Driver Elevation of Privilege Vulnerability

36. Elevation of Privilege - Windows Task Scheduler (CVE-2024-49072) - Medium [380]

Description: Windows Task Scheduler Elevation of Privilege Vulnerability

37. Elevation of Privilege - Windows Virtualization-Based Security (VBS) Enclave (CVE-2024-49076) - Medium [380]

Description: Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability

38. Remote Code Execution - Microsoft SharePoint (CVE-2024-49070) - Medium [378]

Description: Microsoft SharePoint Remote Code Execution Vulnerability

Qualys: Other Microsoft Vulnerability Highlights CVE-2024-49070 is a remote code execution vulnerability in Microsoft SharePoint. Successful exploitation of the vulnerability may lead to remote code execution. CVE-2024-49093 is an elevation of privilege vulnerability in Windows Resilient File System (ReFS). Upon successful exploitation, an attacker may gain SYSTEM privileges. CVE-2024-49114 is an elevation of privilege vulnerability in Windows Cloud Files Mini Filter Driver. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-49088 and CVE-2024-49090 are elevation of privilege vulnerabilities in the Windows Cloud Files Mini Filter Driver. Upon successful exploitation, an attacker may gain SYSTEM privileges.

Tenable: CVE-2024-49070 | Microsoft SharePoint Remote Code Execution Vulnerability

Tenable: CVE-2024-49070 is a RCE vulnerability in Microsoft SharePoint. It was assigned a CVSSv3 score of 7.4 and is rated as important. Microsoft’s advisory notes that complexity is high and successful exploitation requires the attacker to first prepare the target in order to improve reliability of an exploit. While no details have been provided, Microsoft assessed this vulnerability as “Exploitation More Likely.”

Tenable: In addition to CVE-2024-49070, Microsoft patched two information disclosure vulnerabilities (CVE-2024-49062, CVE-2024-49064) and an EoP vulnerability (CVE-2024-49068) in Microsoft SharePoint.

39. Remote Code Execution - Microsoft Access (CVE-2024-49142) - Medium [373]

Description: Microsoft Access Remote Code Execution Vulnerability

40. Remote Code Execution - Microsoft Excel (CVE-2024-49069) - Medium [373]

Description: Microsoft Excel Remote Code Execution Vulnerability

41. Elevation of Privilege - Microsoft Office (CVE-2024-49059) - Medium [368]

Description: Microsoft Office Elevation of Privilege Vulnerability

42. Elevation of Privilege - Windows Mobile Broadband Driver (CVE-2024-49073) - Medium [368]

Description: Windows Mobile Broadband Driver Elevation of Privilege Vulnerability

43. Elevation of Privilege - Windows Mobile Broadband Driver (CVE-2024-49077) - Medium [368]

Description: Windows Mobile Broadband Driver Elevation of Privilege Vulnerability

44. Elevation of Privilege - Windows Mobile Broadband Driver (CVE-2024-49078) - Medium [368]

Description: Windows Mobile Broadband Driver Elevation of Privilege Vulnerability

45. Elevation of Privilege - Windows Mobile Broadband Driver (CVE-2024-49083) - Medium [368]

Description: Windows Mobile Broadband Driver Elevation of Privilege Vulnerability

46. Elevation of Privilege - Windows Mobile Broadband Driver (CVE-2024-49092) - Medium [368]

Description: Windows Mobile Broadband Driver Elevation of Privilege Vulnerability

47. Elevation of Privilege - Windows Mobile Broadband Driver (CVE-2024-49110) - Medium [368]

Description: Windows Mobile Broadband Driver Elevation of Privilege Vulnerability

48. Elevation of Privilege - Windows PrintWorkflowUserSvc (CVE-2024-49095) - Medium [368]

Description: Windows PrintWorkflowUserSvc Elevation of Privilege Vulnerability

49. Elevation of Privilege - Windows PrintWorkflowUserSvc (CVE-2024-49097) - Medium [368]

Description: Windows PrintWorkflowUserSvc Elevation of Privilege Vulnerability

50. Information Disclosure - Microsoft Edge (CVE-2024-49025) - Medium [364]

Description: Microsoft Edge (Chromium-based) Information Disclosure Vulnerability

MS PT Extended: CVE-2024-49025 was published before December 2024 Patch Tuesday from 2024-11-13 to 2024-12-09

51. Information Disclosure - Windows File Explorer (CVE-2024-49082) - Medium [364]

Description: Windows File Explorer Information Disclosure Vulnerability

52. Elevation of Privilege - Microsoft SharePoint (CVE-2024-49068) - Medium [363]

Description: Microsoft SharePoint Elevation of Privilege Vulnerability

Tenable: In addition to CVE-2024-49070, Microsoft patched two information disclosure vulnerabilities (CVE-2024-49062, CVE-2024-49064) and an EoP vulnerability (CVE-2024-49068) in Microsoft SharePoint.

53. Remote Code Execution - Input Method Editor (IME) (CVE-2024-49079) - Medium [357]

Description: Input Method Editor (IME) Remote Code Execution Vulnerability

54. Remote Code Execution - Lightweight Directory Access Protocol (LDAP) Client (CVE-2024-49124) - Medium [357]

Description: Lightweight Directory Access Protocol (LDAP) Client Remote Code Execution Vulnerability

Qualys: CVE-2024-49124: Lightweight Directory Access Protocol (LDAP) Client Remote Code Execution Vulnerability The Lightweight Directory Access Protocol (LDAP) operates a layer above the TCP/IP stack. The directory service protocol helps connect, browse, and edit online directories. The LDAP directory service is based on a client-server model that enables access to an existing directory. LDAP stores data in the directory and authenticates users to access the directory. An unauthenticated attacker must win a race condition and send a specially crafted request to a vulnerable server to exploit the vulnerability. Successful exploitation of the vulnerability may allow an attacker to execute code in the context of the SYSTEM account.

55. Remote Code Execution - Microsoft Message Queuing (MSMQ) (CVE-2024-49118) - Medium [357]

Description: Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability

Qualys: CVE-2024-49122 & CVE-2024-49118: Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability Message Queuing (MSMQ) is a protocol developed by Microsoft to ensure reliable communication between Windows computers across different networks, even when a host is temporarily not connected (by maintaining a message queue of undelivered messages). To exploit this vulnerability, an attacker must send a malicious MSMQ packet to an MSMQ server. On successful exploitation, an attacker may perform remote code execution on the server side.

Tenable: CVE-2024-49118, CVE-2024-49122 | Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability

Tenable: CVE-2024-49118 and CVE-2024-49122 are RCE vulnerabilities in Microsoft Message Queuing (MSMQ). Both were assigned a CVSSv3 score of 8.1 and are rated as critical. According to both of the Microsoft advisories, successful exploitation requires an attacker winning a race condition. Despite this requirement, Microsoft assessed CVE-2024-49122 as “Exploitation More Likely” while CVE-2024-49118 was assessed as “Exploitation Less Likely” as the winning the race condition must occur “during the execution of a specific operation that recurs in a low frequency on the target system.”

Tenable: CVE-2024-49118 and CVE-2024-49122 brings the total to six RCE’s affecting MSMQ that were patched in 2024. One was addressed in the June Patch Tuesday (CVE-2024-30080) release, two addressed in the April Patch Tuesday (CVE-2024-26232, CVE-2024-26208) release and one in February's Patch Tuesday (CVE-2024-21363) release.

56. Remote Code Execution - Microsoft Message Queuing (MSMQ) (CVE-2024-49122) - Medium [357]

Description: Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability

Qualys: CVE-2024-49122 & CVE-2024-49118: Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability Message Queuing (MSMQ) is a protocol developed by Microsoft to ensure reliable communication between Windows computers across different networks, even when a host is temporarily not connected (by maintaining a message queue of undelivered messages). To exploit this vulnerability, an attacker must send a malicious MSMQ packet to an MSMQ server. On successful exploitation, an attacker may perform remote code execution on the server side.

Tenable: CVE-2024-49118, CVE-2024-49122 | Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability

Tenable: CVE-2024-49118 and CVE-2024-49122 are RCE vulnerabilities in Microsoft Message Queuing (MSMQ). Both were assigned a CVSSv3 score of 8.1 and are rated as critical. According to both of the Microsoft advisories, successful exploitation requires an attacker winning a race condition. Despite this requirement, Microsoft assessed CVE-2024-49122 as “Exploitation More Likely” while CVE-2024-49118 was assessed as “Exploitation Less Likely” as the winning the race condition must occur “during the execution of a specific operation that recurs in a low frequency on the target system.”

Tenable: CVE-2024-49118 and CVE-2024-49122 brings the total to six RCE’s affecting MSMQ that were patched in 2024. One was addressed in the June Patch Tuesday (CVE-2024-30080) release, two addressed in the April Patch Tuesday (CVE-2024-26232, CVE-2024-26208) release and one in February's Patch Tuesday (CVE-2024-21363) release.

57. Remote Code Execution - Microsoft/Muzic (CVE-2024-49063) - Medium [357]

Description: Microsoft/Muzic Remote Code Execution Vulnerability

ZDI: CVE-2024-49063 - Microsoft/Muzic Remote Code Execution Vulnerability. This bug is interesting for what it affects as much as what it could allow. If you aren’t familiar with it (I wasn’t), “Muzic is a research project on AI music that empowers music understanding and generation with deep learning and artificial intelligence.” It’s also pronounced [ˈmjuːzeik] for some reason. We’ve been wondering what bugs in AI would look like, and so far, they look like deserialization vulnerabilities. That’s what we have here. An attacker could gain code execution by crafting a payload that executes upon deserialization. Neat.

58. Elevation of Privilege - Azure Stack HCI (CVE-2024-49060) - Medium [354]

Description: Azure Stack HCI Elevation of Privilege Vulnerability

MS PT Extended: CVE-2024-49060 was published before December 2024 Patch Tuesday from 2024-11-13 to 2024-12-09

59. Elevation of Privilege - Microsoft Copilot Studio (CVE-2024-49038) - Medium [354]

Description: Microsoft Copilot Studio Elevation Of Privilege Vulnerability. Improper neutralization of input during web page generation ('Cross-site Scripting') in Copilot Studio by an unauthorized attacker leads to elevation of privilege over a network.

MS PT Extended: CVE-2024-49038 was published before December 2024 Patch Tuesday from 2024-11-13 to 2024-12-09

60. Denial of Service - Windows Lightweight Directory Access Protocol (LDAP) (CVE-2024-49113) - Medium [353]

Description: Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability

61. Denial of Service - Windows Lightweight Directory Access Protocol (LDAP) (CVE-2024-49121) - Medium [353]

Description: Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability

62. Denial of Service - Windows Remote Desktop Gateway (RD Gateway) (CVE-2024-49129) - Medium [353]

Description: Windows Remote Desktop Gateway (RD Gateway) Denial of Service Vulnerability

63. Denial of Service - Windows Remote Desktop Services Denial of Service Vulnerability (CVE-2024-49075) - Medium [353]

Description: Windows Remote Desktop Services Denial of Service Vulnerability

Tenable: In addition to these nine RCE’s, Microsoft addressed CVE-2024-49075, a DoS vulnerability affecting Remote Desktop Services.

64. Security Feature Bypass - Chromium (CVE-2024-11117) - Medium [353]

Description: Inappropriate implementation in FileSystem in Google Chrome prior to 131.0.6778.69 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page. (Chromium security severity: Low)

MS PT Extended: CVE-2024-11117 was published before December 2024 Patch Tuesday from 2024-11-13 to 2024-12-09

65. Elevation of Privilege - System Center Operations Manager (CVE-2024-43594) - Medium [351]

Description: System Center Operations Manager Elevation of Privilege Vulnerability

66. Authentication Bypass - Azure (CVE-2024-49052) - Medium [348]

Description: Missing authentication for critical function in Microsoft Azure PolicyWatch allows an unauthorized attacker to elevate privileges over a network.

MS PT Extended: CVE-2024-49052 was published before December 2024 Patch Tuesday from 2024-11-13 to 2024-12-09

67. Information Disclosure - Microsoft SharePoint (CVE-2024-49062) - Medium [348]

Description: Microsoft SharePoint Information Disclosure Vulnerability

Tenable: In addition to CVE-2024-49070, Microsoft patched two information disclosure vulnerabilities (CVE-2024-49062, CVE-2024-49064) and an EoP vulnerability (CVE-2024-49068) in Microsoft SharePoint.

68. Information Disclosure - Microsoft SharePoint (CVE-2024-49064) - Medium [348]

Description: Microsoft SharePoint Information Disclosure Vulnerability

Tenable: In addition to CVE-2024-49070, Microsoft patched two information disclosure vulnerabilities (CVE-2024-49062, CVE-2024-49064) and an EoP vulnerability (CVE-2024-49068) in Microsoft SharePoint.

69. Information Disclosure - Windows Mobile Broadband Driver (CVE-2024-49087) - Medium [341]

Description: Windows Mobile Broadband Driver Information Disclosure Vulnerability

70. Memory Corruption - Chromium (CVE-2024-11113) - Medium [341]

Description: Chromium: CVE-2024-11113 Use after free in Accessibility. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2024-11113 was published before December 2024 Patch Tuesday from 2024-11-13 to 2024-12-09

71. Memory Corruption - Chromium (CVE-2024-11395) - Medium [341]

Description: Chromium: CVE-2024-11395 Type Confusion in V8. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2024-11395 was published before December 2024 Patch Tuesday from 2024-11-13 to 2024-12-09

72. Memory Corruption - Chromium (CVE-2024-12053) - Medium [341]

Description: Chromium: CVE-2024-12053 Type Confusion in V8. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2024-12053 was published before December 2024 Patch Tuesday from 2024-11-13 to 2024-12-09

73. Cross Site Scripting - Chromium (CVE-2024-11111) - Medium [335]

Description: Inappropriate implementation in Autofill in Google Chrome prior to 131.0.6778.69 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

MS PT Extended: CVE-2024-11111 was published before December 2024 Patch Tuesday from 2024-11-13 to 2024-12-09

74. Cross Site Scripting - Chromium (CVE-2024-11116) - Medium [335]

Description: Inappropriate implementation in Blink in Google Chrome prior to 131.0.6778.69 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)

MS PT Extended: CVE-2024-11116 was published before December 2024 Patch Tuesday from 2024-11-13 to 2024-12-09

75. Information Disclosure - Windows Wireless Wide Area Network Service (WwanSvc) (CVE-2024-49098) - Medium [329]

Description: Windows Wireless Wide Area Network Service (WwanSvc) Information Disclosure Vulnerability

76. Information Disclosure - Windows Wireless Wide Area Network Service (WwanSvc) (CVE-2024-49099) - Medium [329]

Description: Windows Wireless Wide Area Network Service (WwanSvc) Information Disclosure Vulnerability

77. Information Disclosure - Windows Wireless Wide Area Network Service (WwanSvc) (CVE-2024-49103) - Medium [329]

Description: Windows Wireless Wide Area Network Service (WwanSvc) Information Disclosure Vulnerability

78. Memory Corruption - Chromium (CVE-2024-11112) - Medium [329]

Description: Chromium: CVE-2024-11112 Use after free in Media. This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

MS PT Extended: CVE-2024-11112 was published before December 2024 Patch Tuesday from 2024-11-13 to 2024-12-09

79. Elevation of Privilege - Wireless Wide Area Network Service (WwanSvc) (CVE-2024-49081) - Medium [318]

Description: Wireless Wide Area Network Service (WwanSvc) Elevation of Privilege Vulnerability

80. Elevation of Privilege - Wireless Wide Area Network Service (WwanSvc) (CVE-2024-49094) - Medium [318]

Description: Wireless Wide Area Network Service (WwanSvc) Elevation of Privilege Vulnerability

81. Elevation of Privilege - Wireless Wide Area Network Service (WwanSvc) (CVE-2024-49101) - Medium [318]

Description: Wireless Wide Area Network Service (WwanSvc) Elevation of Privilege Vulnerability

82. Elevation of Privilege - Wireless Wide Area Network Service (WwanSvc) (CVE-2024-49109) - Medium [318]

Description: Wireless Wide Area Network Service (WwanSvc) Elevation of Privilege Vulnerability

83. Elevation of Privilege - Wireless Wide Area Network Service (WwanSvc) (CVE-2024-49111) - Medium [318]

Description: Wireless Wide Area Network Service (WwanSvc) Elevation of Privilege Vulnerability

84. Elevation of Privilege - WmsRepair Service (CVE-2024-49107) - Medium [318]

Description: WmsRepair Service Elevation of Privilege Vulnerability

85. Denial of Service - Microsoft Message Queuing (MSMQ) (CVE-2024-49096) - Medium [303]

Description: Microsoft Message Queuing (MSMQ) Denial of Service Vulnerability

86. Spoofing - Microsoft Edge (CVE-2024-49041) - Medium [264]

Description: Microsoft Edge (Chromium-based) Spoofing Vulnerability

MS PT Extended: CVE-2024-49041 was published before December 2024 Patch Tuesday from 2024-11-13 to 2024-12-09

87. Spoofing - Microsoft Edge (CVE-2024-49054) - Medium [264]

Description: Microsoft Edge (Chromium-based) Spoofing Vulnerability

MS PT Extended: CVE-2024-49054 was published before December 2024 Patch Tuesday from 2024-11-13 to 2024-12-09

88. Spoofing - Microsoft Dynamics 365 Sales (CVE-2024-49053) - Medium [261]

Description: Microsoft Dynamics 365 Sales Spoofing Vulnerability

MS PT Extended: CVE-2024-49053 was published before December 2024 Patch Tuesday from 2024-11-13 to 2024-12-09

89. Spoofing - Microsoft Defender for Endpoint on Android (CVE-2024-49057) - Medium [250]

Description: Microsoft Defender for Endpoint on Android Spoofing Vulnerability

Low (0)

Exploitation in the wild detected (2)

Elevation of Privilege (2)

• Windows Common Log File System Driver (CVE-2024-49138)

Qualys: CVE-2024-49138: Windows Common Log File System Driver Elevation of Privilege Vulnerability The Common Log File System (CLFS) is a general-purpose logging service used by software clients running in user or kernel mode. CLFS can be used for data management, database systems, messaging, Online Transactional Processing (OLTP) systems, and other kinds of transactional systems. Upon successful exploitation, an attacker could gain SYSTEM privileges. CISA added the CVE-2024-49138 to its Known Exploited Vulnerabilities Catalog and requested users to patch it before December 31, 2024.

Tenable: Microsoft’s December 2024 Patch Tuesday Addresses 70 CVEs (CVE-2024-49138)

Tenable: CVE-2024-49138 | Windows Common Log File System Driver Elevation of Privilege Vulnerability

Tenable: CVE-2024-49138 is an EoP vulnerability in the Windows Common Log File System (CLFS) Driver. It was assigned a CVSSv3 score of 7.8 and is rated as important. It was exploited in the wild as a zero-day, though no details about the in-the-wild exploitation were known at the time this blog post was published.

Tenable: In addition to CVE-2024-49138, Microsoft patched two other CLFS driver EoP vulnerabilities: CVE-2024-49090, CVE-2024-49088, both assigned a CVSSv3 score of 7.8, were rated as important and assessed as “Exploitation More Likely” according to Microsoft’s Exploitability Index.

Rapid7: This month’s zero-day vulnerability is CVE-2024-49138, an elevation of privilege vulnerability in the Windows Common Log File System (CLFS) driver, a general-purpose Windows logging service that can be used by software clients running in user-mode or kernel-mode. Exploitation leads to SYSTEM privileges, and if this all sounds familiar, it should.

Rapid7: There have been a series of zero-day elevation of privilege vulnerabilities in CLFS over the past few years. Past offenders are CVE-2022-24521, CVE-2023-23376, CVE-2022-37969, and CVE-2023-28252; today’s addition of CVE-2024-49138 is the first CLFS zero-day vulnerability which Microsoft has published in 2024. Although the advisory doesn’t provide much detail on the means of exploitation, the weakness is CWE-122: Heap-based Buffer Overflow, which most commonly leads to crashes/denial of service, but can also lead to code execution.

ZDI: CVE-2024-49138 - Windows Common Log File System Driver Elevation of Privilege Vulnerability. This bug is listed as publicly known and under active attack, but Microsoft provides no information regarding where it was disclosed or how widespread the attacks may be. Since it is a privilege escalation, it is likely being paired with a code execution bug to take over a system. These tactics are often seen in ransomware attacks and in targeted phishing campaigns.

• Microsoft Partner Network (CVE-2024-49035)

MS PT Extended: CVE-2024-49035 was published before December 2024 Patch Tuesday from 2024-11-13 to 2024-12-09

Public exploit exists, but exploitation in the wild is NOT detected (0)

Other Vulnerabilities (87)

Remote Code Execution (31)

• Windows Lightweight Directory Access Protocol (LDAP) (CVE-2024-49112, CVE-2024-49127)

Qualys: CVE-2024-49112: Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability An unauthenticated attacker may exploit the vulnerability by sending a specially crafted set of LDAP calls. Upon successful exploitation an attacker may execute arbitrary code within the context of the LDAP service.

Qualys: CVE-2024-49127: Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability An unauthenticated attacker may send a specially crafted request to a vulnerable server. Successful exploitation of the vulnerability may result in remote code execution in the context of the SYSTEM account.

Qualys: Mitigative controls for CVE-2024-49112 Microsoft suggests that ensuring domain controllers are not configured to access the internet or deny RPC inbound traffic from untrusted networks. Example commands that customers can run on domain controllers are: Block All Outbound: netsh advfirewall firewall add rule name="Block All Outbound" dir=out action=block Block RPC Inbound: netsh advfirewall firewall add rule name="Block RPC Inbound" dir=in action=block protocol=TCP localport=135

Qualys: CVE-2024-49112: Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability This vulnerability has a CVSS: 3.1 9.8 / 8.5 Policy Compliance Control IDs (CIDs): 1514 Status of the ‘Restrictions for Unauthenticated RPC clients’ setting 8446 Status of RPC Endpoint Mapper Service 1513 Status of the ‘RPC Endpoint Mapper Client Authentication’ setting 8236 Configure ‘Network Security:Restrict NTLM: Incoming NTLM traffic’ 8158 Status of the ‘Windows Firewall: Outbound connections (Domain)’ setting 8159 Status of the ‘Windows Firewall: Outbound connections (Private)’ setting 8164 Status of the ‘Windows Firewall: Outbound connections (Public)’ setting The following QQL will return a posture assessment for the CIDs for this Patch Tuesday: control.id: [1514,8446,1513,8236,8158,8159,8164] The next Patch Tuesday falls on January 14, and we will be back with details and patch analysis. Until next Patch Tuesday, stay safe and secure. Be sure to subscribe to ‘This Month in Vulnerabilities and Patch’s webinar.’

Rapid7: A trio of Windows LDAP critical RCE vulnerabilities receive patches this month, including CVE-2024-49112, which has a CVSSv3 base score of 9.8, which is the highest of any of the vulnerabilities which Microsoft has published today. Exploitation is via a specially crafted set of LDAP calls, and leads to code execution within the context of the LDAP service; although the advisory doesn’t specify, the LDAP service runs in a SYSTEM context. Microsoft advises defenders who still permit domain controllers to receive inbound RPC calls from untrusted networks or to access the internet to stop doing that.

ZDI: CVE-2024-49112 - Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability. This is the highest severity bug in this month’s release with a CVSS score of 9.8. It allows remote, unauthenticated attackers to exploit affected Domain Controllers by sending a specially crafted set of LDAP calls. Code execution occurs at the level of the LDAP service, which is elevated, but not SYSTEM. Microsoft provides some… interesting mitigation advice. They recommend disconnecting Domain Controllers from the internet. While that would stop this attack, I’m not sure how practical that would be for most enterprises. I recommend testing and deploying the patch quickly.

• Windows IP Routing Management Snapin (CVE-2024-49080)
• Windows Routing and Remote Access Service (RRAS) (CVE-2024-49085, CVE-2024-49086, CVE-2024-49089, CVE-2024-49102, CVE-2024-49104, CVE-2024-49125)
• Windows Local Security Authority Subsystem Service (LSASS) (CVE-2024-49126)

Qualys: CVE-2024-49126: Windows Local Security Authority Subsystem Service (LSASS) Remote Code Execution Vulnerability Local Security Authority Subsystem Service (LSASS) is a process in Microsoft Windows operating systems responsible for enforcing the security policy on the system. It verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens. An unauthenticated attacker must win a race condition to exploit the vulnerability. Successful exploitation of the vulnerability may result in remote code execution in the context of the server’s account through a network call.

Rapid7: Another potential cause for concern this month: CVE-2024-49126 is a critical RCE in the Local Security Authority Subsystem Service (LSASS). Exploitation could potentially be carried out remotely, and the attacker needs no privileges, nor does the user need to perform any action; the only silver lining is that an attacker must win a race condition. Although the advisory says that code execution would be in the context of the server’s account, it might be safest to assume that code execution would be in a SYSTEM context.

• Windows Remote Desktop Client (CVE-2024-49105)
• Windows Remote Desktop Services (CVE-2024-49106, CVE-2024-49108, CVE-2024-49115, CVE-2024-49116, CVE-2024-49119, CVE-2024-49120, CVE-2024-49123, CVE-2024-49128, CVE-2024-49132)

Qualys: CVE-2024-49106, CVE-2024-49108, CVE-2024-49115, CVE-2024-49116, CVE-2024-49119, CVE-2024-49120, CVE-2024-49123, CVE-2024-49128, & CVE-2024-49132: Windows Remote Desktop Services Remote Code Execution Vulnerability Windows Remote Desktop Services (RDS) licensing, also known as Remote Desktop Protocol (RDP) licensing, is a Windows component allowing users to control a remote computer over a network connection. RDS licensing is important when setting up RDS environments, and the Remote Desktop License Server is a critical element of this process. An attacker may exploit the vulnerability by connecting to a system with the Remote Desktop Gateway role. An attacker could trigger the race condition to create a use-after-free scenario and perform remote code execution.

Tenable: CVE-2024-49106, CVE-2024-49108, CVE-2024-49115, CVE-2024-49116, CVE-2024-49119, CVE-2024-49120, CVE-2024-49123, CVE-2024-49128 and CVE-2024-49132 | Windows Remote Desktop Services Remote Code Execution Vulnerability

Tenable: CVE-2024-49106, CVE-2024-49108, CVE-2024-49115, CVE-2024-49116, CVE-2024-49119, CVE-2024-49120, CVE-2024-49123, CVE-2024-49128 and CVE-2024-49132 are RCE vulnerabilities affecting Windows Remote Desktop Services. All nine of these vulnerabilities were rated as critical and received CVSSv3 scores of 8.1. Successful exploitation is complex and requires an attacker to trigger a race condition in order to “create a use-after-free scenario” which could lead to arbitrary code execution. With a high complexity for exploitation, Microsoft assessed these vulnerabilities as “Exploitation Less Likely.”

Rapid7: All eight critical RCE vulnerabilities in Remote Desktop Services published today (e.g. CVE-2024-49106) share a number of similarities: they have identical CVSS vectors, exploitation requires that an attacker win a race condition, and the same research group is credited in each case.

• Windows Domain Name Service (CVE-2024-49091)
• Windows Hyper-V (CVE-2024-49117)

Qualys: CVE-2024-49117: Windows Hyper-V Remote Code Execution Vulnerability Windows Hyper-V is a Microsoft virtualization technology that allows users to create and run Virtual Machines (VMs) on a physical host. An authenticated attacker on a guest VM must send specially crafted file operation requests to hardware resources on the VM to exploit the vulnerability. Upon successful exploitation, an attacker may execute a cross-VM attack, compromising multiple virtual machines and expanding the attack’s impact beyond the initially targeted VM.

Rapid7: CVE-2024-49117 describes a container escape for Hyper-V; exploitation requires that the attacker make specially crafted file operation requests on the virtual machine (VM) to hardware resources on the VM, which could result in remote code execution on the hypervisor. The FAQ on the advisory sets out that no special privileges are required in the context of the VM, so any level of access is enough to break free from the VM. We also learn that the container escape could be lateral, where an attacker moves from one VM to another, rather than to the hypervisor.

ZDI: CVE-2024-49117 - Windows Hyper-V Remote Code Execution Vulnerability. This Critical-rated bug allows someone on a guest VM to execute code on the underlying host OS. They could also perform a cross-VM attack. The good news here is that the attacker does need to be authenticated. The bad news is that the attacker only requires basic authentication – nothing elevated. If you are running Hyper-V or have hosts on a Hyper-V server, you’ll definitely want to get this patched quickly.

• Microsoft Office (CVE-2024-49065)
• Microsoft SharePoint (CVE-2024-49070)

Qualys: Other Microsoft Vulnerability Highlights CVE-2024-49070 is a remote code execution vulnerability in Microsoft SharePoint. Successful exploitation of the vulnerability may lead to remote code execution. CVE-2024-49093 is an elevation of privilege vulnerability in Windows Resilient File System (ReFS). Upon successful exploitation, an attacker may gain SYSTEM privileges. CVE-2024-49114 is an elevation of privilege vulnerability in Windows Cloud Files Mini Filter Driver. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-49088 and CVE-2024-49090 are elevation of privilege vulnerabilities in the Windows Cloud Files Mini Filter Driver. Upon successful exploitation, an attacker may gain SYSTEM privileges.

Tenable: CVE-2024-49070 | Microsoft SharePoint Remote Code Execution Vulnerability

Tenable: CVE-2024-49070 is a RCE vulnerability in Microsoft SharePoint. It was assigned a CVSSv3 score of 7.4 and is rated as important. Microsoft’s advisory notes that complexity is high and successful exploitation requires the attacker to first prepare the target in order to improve reliability of an exploit. While no details have been provided, Microsoft assessed this vulnerability as “Exploitation More Likely.”

Tenable: In addition to CVE-2024-49070, Microsoft patched two information disclosure vulnerabilities (CVE-2024-49062, CVE-2024-49064) and an EoP vulnerability (CVE-2024-49068) in Microsoft SharePoint.

• Microsoft Access (CVE-2024-49142)
• Microsoft Excel (CVE-2024-49069)
• Input Method Editor (IME) (CVE-2024-49079)
• Lightweight Directory Access Protocol (LDAP) Client (CVE-2024-49124)

Qualys: CVE-2024-49124: Lightweight Directory Access Protocol (LDAP) Client Remote Code Execution Vulnerability The Lightweight Directory Access Protocol (LDAP) operates a layer above the TCP/IP stack. The directory service protocol helps connect, browse, and edit online directories. The LDAP directory service is based on a client-server model that enables access to an existing directory. LDAP stores data in the directory and authenticates users to access the directory. An unauthenticated attacker must win a race condition and send a specially crafted request to a vulnerable server to exploit the vulnerability. Successful exploitation of the vulnerability may allow an attacker to execute code in the context of the SYSTEM account.

• Microsoft Message Queuing (MSMQ) (CVE-2024-49118, CVE-2024-49122)

Qualys: CVE-2024-49122 & CVE-2024-49118: Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability Message Queuing (MSMQ) is a protocol developed by Microsoft to ensure reliable communication between Windows computers across different networks, even when a host is temporarily not connected (by maintaining a message queue of undelivered messages). To exploit this vulnerability, an attacker must send a malicious MSMQ packet to an MSMQ server. On successful exploitation, an attacker may perform remote code execution on the server side.

Tenable: CVE-2024-49118, CVE-2024-49122 | Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability

Tenable: CVE-2024-49118 and CVE-2024-49122 are RCE vulnerabilities in Microsoft Message Queuing (MSMQ). Both were assigned a CVSSv3 score of 8.1 and are rated as critical. According to both of the Microsoft advisories, successful exploitation requires an attacker winning a race condition. Despite this requirement, Microsoft assessed CVE-2024-49122 as “Exploitation More Likely” while CVE-2024-49118 was assessed as “Exploitation Less Likely” as the winning the race condition must occur “during the execution of a specific operation that recurs in a low frequency on the target system.”

Tenable: CVE-2024-49118 and CVE-2024-49122 brings the total to six RCE’s affecting MSMQ that were patched in 2024. One was addressed in the June Patch Tuesday (CVE-2024-30080) release, two addressed in the April Patch Tuesday (CVE-2024-26232, CVE-2024-26208) release and one in February's Patch Tuesday (CVE-2024-21363) release.

• Microsoft/Muzic (CVE-2024-49063)

ZDI: CVE-2024-49063 - Microsoft/Muzic Remote Code Execution Vulnerability. This bug is interesting for what it affects as much as what it could allow. If you aren’t familiar with it (I wasn’t), “Muzic is a research project on AI music that empowers music understanding and generation with deep learning and artificial intelligence.” It’s also pronounced [ˈmjuːzeik] for some reason. We’ve been wondering what bugs in AI would look like, and so far, they look like deserialization vulnerabilities. That’s what we have here. An attacker could gain code execution by crafting a payload that executes upon deserialization. Neat.

Security Feature Bypass (4)

• Chromium (CVE-2024-11110, CVE-2024-11114, CVE-2024-11115, CVE-2024-11117)

MS PT Extended: CVE-2024-11117 was published before December 2024 Patch Tuesday from 2024-11-13 to 2024-12-09

MS PT Extended: CVE-2024-11114 was published before December 2024 Patch Tuesday from 2024-11-13 to 2024-12-09

MS PT Extended: CVE-2024-11110 was published before December 2024 Patch Tuesday from 2024-11-13 to 2024-12-09

MS PT Extended: CVE-2024-11115 was published before December 2024 Patch Tuesday from 2024-11-13 to 2024-12-09

Elevation of Privilege (28)

• Windows Resilient File System (ReFS) (CVE-2024-49093)

Qualys: Other Microsoft Vulnerability Highlights CVE-2024-49070 is a remote code execution vulnerability in Microsoft SharePoint. Successful exploitation of the vulnerability may lead to remote code execution. CVE-2024-49093 is an elevation of privilege vulnerability in Windows Resilient File System (ReFS). Upon successful exploitation, an attacker may gain SYSTEM privileges. CVE-2024-49114 is an elevation of privilege vulnerability in Windows Cloud Files Mini Filter Driver. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-49088 and CVE-2024-49090 are elevation of privilege vulnerabilities in the Windows Cloud Files Mini Filter Driver. Upon successful exploitation, an attacker may gain SYSTEM privileges.

• Windows Kernel (CVE-2024-49084)
• Microsoft Office (CVE-2024-43600, CVE-2024-49059)
• Windows Cloud Files Mini Filter Driver (CVE-2024-49114)

Qualys: Other Microsoft Vulnerability Highlights CVE-2024-49070 is a remote code execution vulnerability in Microsoft SharePoint. Successful exploitation of the vulnerability may lead to remote code execution. CVE-2024-49093 is an elevation of privilege vulnerability in Windows Resilient File System (ReFS). Upon successful exploitation, an attacker may gain SYSTEM privileges. CVE-2024-49114 is an elevation of privilege vulnerability in Windows Cloud Files Mini Filter Driver. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-49088 and CVE-2024-49090 are elevation of privilege vulnerabilities in the Windows Cloud Files Mini Filter Driver. Upon successful exploitation, an attacker may gain SYSTEM privileges.

• Windows Common Log File System Driver (CVE-2024-49088, CVE-2024-49090)

Qualys: Other Microsoft Vulnerability Highlights CVE-2024-49070 is a remote code execution vulnerability in Microsoft SharePoint. Successful exploitation of the vulnerability may lead to remote code execution. CVE-2024-49093 is an elevation of privilege vulnerability in Windows Resilient File System (ReFS). Upon successful exploitation, an attacker may gain SYSTEM privileges. CVE-2024-49114 is an elevation of privilege vulnerability in Windows Cloud Files Mini Filter Driver. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2024-49088 and CVE-2024-49090 are elevation of privilege vulnerabilities in the Windows Cloud Files Mini Filter Driver. Upon successful exploitation, an attacker may gain SYSTEM privileges.

Tenable: In addition to CVE-2024-49138, Microsoft patched two other CLFS driver EoP vulnerabilities: CVE-2024-49090, CVE-2024-49088, both assigned a CVSSv3 score of 7.8, were rated as important and assessed as “Exploitation More Likely” according to Microsoft’s Exploitability Index.

• Windows Kernel-Mode Driver (CVE-2024-49074)
• Windows Task Scheduler (CVE-2024-49072)
• Windows Virtualization-Based Security (VBS) Enclave (CVE-2024-49076)
• Windows Mobile Broadband Driver (CVE-2024-49073, CVE-2024-49077, CVE-2024-49078, CVE-2024-49083, CVE-2024-49092, CVE-2024-49110)
• Windows PrintWorkflowUserSvc (CVE-2024-49095, CVE-2024-49097)
• Microsoft SharePoint (CVE-2024-49068)

Tenable: In addition to CVE-2024-49070, Microsoft patched two information disclosure vulnerabilities (CVE-2024-49062, CVE-2024-49064) and an EoP vulnerability (CVE-2024-49068) in Microsoft SharePoint.

• Azure Stack HCI (CVE-2024-49060)

MS PT Extended: CVE-2024-49060 was published before December 2024 Patch Tuesday from 2024-11-13 to 2024-12-09

• Microsoft Copilot Studio (CVE-2024-49038)

MS PT Extended: CVE-2024-49038 was published before December 2024 Patch Tuesday from 2024-11-13 to 2024-12-09

• System Center Operations Manager (CVE-2024-43594)
• Wireless Wide Area Network Service (WwanSvc) (CVE-2024-49081, CVE-2024-49094, CVE-2024-49101, CVE-2024-49109, CVE-2024-49111)
• WmsRepair Service (CVE-2024-49107)

Information Disclosure (8)

• Microsoft Edge (CVE-2024-49025)

MS PT Extended: CVE-2024-49025 was published before December 2024 Patch Tuesday from 2024-11-13 to 2024-12-09

• Windows File Explorer (CVE-2024-49082)
• Microsoft SharePoint (CVE-2024-49062, CVE-2024-49064)

Tenable: In addition to CVE-2024-49070, Microsoft patched two information disclosure vulnerabilities (CVE-2024-49062, CVE-2024-49064) and an EoP vulnerability (CVE-2024-49068) in Microsoft SharePoint.

• Windows Mobile Broadband Driver (CVE-2024-49087)
• Windows Wireless Wide Area Network Service (WwanSvc) (CVE-2024-49098, CVE-2024-49099, CVE-2024-49103)

Denial of Service (5)

• Windows Lightweight Directory Access Protocol (LDAP) (CVE-2024-49113, CVE-2024-49121)
• Windows Remote Desktop Gateway (RD Gateway) (CVE-2024-49129)
• Windows Remote Desktop Services Denial of Service Vulnerability (CVE-2024-49075)

Tenable: In addition to these nine RCE’s, Microsoft addressed CVE-2024-49075, a DoS vulnerability affecting Remote Desktop Services.

• Microsoft Message Queuing (MSMQ) (CVE-2024-49096)

Authentication Bypass (1)

• Azure (CVE-2024-49052)

MS PT Extended: CVE-2024-49052 was published before December 2024 Patch Tuesday from 2024-11-13 to 2024-12-09

Memory Corruption (4)

• Chromium (CVE-2024-11112, CVE-2024-11113, CVE-2024-11395, CVE-2024-12053)

MS PT Extended: CVE-2024-12053 was published before December 2024 Patch Tuesday from 2024-11-13 to 2024-12-09

MS PT Extended: CVE-2024-11395 was published before December 2024 Patch Tuesday from 2024-11-13 to 2024-12-09

MS PT Extended: CVE-2024-11113 was published before December 2024 Patch Tuesday from 2024-11-13 to 2024-12-09

MS PT Extended: CVE-2024-11112 was published before December 2024 Patch Tuesday from 2024-11-13 to 2024-12-09

Cross Site Scripting (2)

• Chromium (CVE-2024-11111, CVE-2024-11116)

MS PT Extended: CVE-2024-11116 was published before December 2024 Patch Tuesday from 2024-11-13 to 2024-12-09

MS PT Extended: CVE-2024-11111 was published before December 2024 Patch Tuesday from 2024-11-13 to 2024-12-09

Spoofing (4)

• Microsoft Edge (CVE-2024-49041, CVE-2024-49054)

MS PT Extended: CVE-2024-49041 was published before December 2024 Patch Tuesday from 2024-11-13 to 2024-12-09

MS PT Extended: CVE-2024-49054 was published before December 2024 Patch Tuesday from 2024-11-13 to 2024-12-09

• Microsoft Dynamics 365 Sales (CVE-2024-49053)

MS PT Extended: CVE-2024-49053 was published before December 2024 Patch Tuesday from 2024-11-13 to 2024-12-09

• Microsoft Defender for Endpoint on Android (CVE-2024-49057)