The Patch Tuesday for December of 2024 includes 72 vulnerabilities, including four that Microsoft marked as “critical.” The remaining vulnerabilities listed are classified as “important.” 

Microsoft assessed that exploitation of the four “critical” vulnerabilities is “less likely.” 

CVE-2024-49112 is the most serious of this bunch, with a CVSS severity score of 9.8 out of 10. An attacker could exploit this vulnerability in Windows Lightweight Directory Access Protocol (LDAP) calls to execute arbitrary code within the context of the LDAP service. Additionally, CVE-2024-49124 and CVE-2024-49127 permit an unauthenticated attacker to send a specially crafted request to a vulnerable LDAP server, potentially executing the attacker's code if they succeed in a "race condition." Although the above vulnerabilities are marked as "critical" and with high CVSS, Microsoft has determined that exploitation is "less likely." 

CVE-2024-49126 - Windows Local Security Authority Subsystem Service (LSASS) remote code execution vulnerability. An attacker with no privileges could target the server accounts and execute malicious code on the server's account through a network call. Despite being considered “critical”, the successful exploitation of this vulnerability requires an attacker to win a “race condition” which complexity is high, Microsoft has determined that exploitation is "less likely." 

CVE-2024-49105 is a "critical" remote code execution vulnerability in a remote desktop client. Microsoft has assessed exploitation of this vulnerability as "less likely". An authenticated attacker could exploit by triggering remote code execution on the server via a remote desktop connection using Microsoft Management Console (MMC). It has not been detected in the wild. 

CVE-2024-49117 is a remote code execution vulnerability in Windows Hyper-V. Although marked as "critical," Microsoft has determined that exploitation is "less likely." The exploit needs an authenticated attacker and locally on a guest VM to send specially crafted file operation requests on the VM to hardware resources on the VM and trigger remote code execution on the host server. Microsoft has not detected active exploitation of this vulnerability in the wild. 

CVE-2024-49106, CVE-2024-49108, CVE-2024-49115, CVE-2024-49119 and CVE-2024-49120, CVE-2024-49123, CVE-2024-49132, CVE-2024-49116, CVE-2024-49128 are remote code execution vulnerabilities in Windows Remote Desktop Gateway (RD Gateway) Service. An attacker could exploit this by connecting to a system with the Remote Desktop Gateway role, triggering the “race condition” to create a “use-after-free” scenario, and then leveraging the execute arbitrary code. Although marked as "critical," Microsoft has determined that exploitations are "less likely" and the attack complexity considered “high.” Microsoft has not detected active exploitation of these vulnerabilities in the wild. 

CVE-2024-49122 and CVE-2024-49118 are remote code execution vulnerabilities in Microsoft Message Queuing (MSMQ) which is a queue manager in Microsoft Windows system. An attacker would need to send a specially crafted malicious MSMQ packet to a MSMQ server and win the “race condition” that is able to exploit on the server side which also means the attack complexity is “high”. While considered “critical” those were determined that exploitation is “less likely” and not been detected in the wild. 

CVE-2024-49138 is an elevation of privilege vulnerability in Windows Common Log File System Driver, and while it only has a 7.8 out of 10 CVSS score, it has been actively exploited in the wild. 

Cisco Talos would also like to highlight several vulnerabilities that are only rated as “important,” but Microsoft lists as “more likely” to be exploited:  

  • CVE-2024-49070 - Microsoft SharePoint Remote Code Execution Vulnerability 
  • CVE-2024-49093 - Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability 
  • CVE-2024-49088 and CVE-2024-49090 - Windows Common Log File System Driver Elevation of Privilege Vulnerability 
  • CVE-2024-49114 - Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability 

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page. In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 64308, 64309, 64310, 64311, 64313, 64314, 63874, 63875, 64312, 64306, 64307. There are also these Snort 3 rules 301085, 301086, 301087, 300987, 64312, 301084