Zero-Day Vulnerability (CVE-2024-49138) Exploit Observed in the Wild 

CVE-2024-49138 is a privilege escalation vulnerability within the Microsoft Windows Common Log File System (CLFS) driver, categorized as Important in severity. CrowdStrike Counter Adversary Operations discovered and privately reported this vulnerability to Microsoft, which subsequently acknowledged, patched and confirmed its active exploitation in the wild.

Table 1. Zero-day in Microsoft Windows
Severity CVSS Score CVE Description
Important 7.8 CVE-2024-49138 Windows Common Log File System Elevation of Privilege Vulnerability

Three Critical Vulnerabilities in Lightweight Directory Access Protocol (LDAP) Client

The CrowdStrike Falcon platform regularly collects and analyzes trillions of endpoint events every day from millions of sensors deployed across 176 countries. Watch this demo to see the Falcon platform in action.
CVE-2024-49118 and CVE-2024-49122 are Critical RCE vulnerabilities affecting Microsoft Message Queuing (MSMQ) and both have a CVSS score of 8.1. Successful exploitation of these vulnerabilities requires an attacker to win a race condition. An attacker would need to send a specially crafted malicious MSMQ packet to a MSMQ server. This could result in RCE on the server side.
CVE-2024-49124 is a Critical RCE vulnerability affecting the Windows LDAP Client with a CVSS score of 8.1. Successful exploitation of this vulnerability would allow an unauthenticated remote attacker to use a specially crafted packet to leverage a cryptographic protocol within Windows Kerberos to carry out RCE. 

Table 2. Critical vulnerabilities in Windows Lightweight Directory Access Protocol (LDAP)
Severity CVSS Score CVE Description
Critical 9.8 CVE-2024-49112 Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability
Critical 8.1 CVE-2024-49124 Windows Lightweight Directory Access Protocol (LDAP) Client Remote Code Execution Vulnerability
Critical 8.1 CVE-2024-49127 Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability

A Critical Vulnerability in Windows Hyper-V

Regular review of your patching strategy should still be a part of your program, but you should also look more holistically at your organization’s methods for cybersecurity and improve your overall security posture. 

Table 3. Critical vulnerability in Windows Hyper-V
Severity CVSS Score CVE Description
Critical 8.8 CVE-2024-49117 Windows Hyper-V

Two Critical Vulnerabilities in Microsoft Message Queueing 

MSMQ has been highlighted in past CrowdStrike Patch Tuesday blogs and continues to see vulnerabilities disclosed. MSMQ represents an attractive target for attackers due to its prevalent use of high-availability services such as Active Directory. The Windows message queuing service needs to be enabled, and network traffic allowed on TCP port 1801, for an attacker to successfully exploit this vulnerability on a target system. In addition to patching, Microsoft recommends checking if the “Message Queuing” service is running and TCP port 1801 is listening on the machine; if the service is running and not being utilized, consider disabling.
CVE-2024-49117 is a Critical RCE vulnerability affecting Windows Hyper-V with a CVSS score of 8.8. This vulnerability would require an authenticated attacker on a guest virtual machine (VM) to send specially crafted file operation requests on the VM to hardware resources on the VM, which could result in RCE on the host server. This vulnerability, while described as “remote,” actually requires local access to exploit. It allows arbitrary code execution, but the vulnerable endpoint is only accessible through the local VM interface, meaning an attacker must already have access to the local machine to carry out the attack.

Table 4. Critical vulnerabilities in Microsoft Message Queueing (MSMQ)
Severity CVSS Score CVE Description
Critical 8.1 CVE-2024-49118 Microsoft Message Queuing Remote Code Execution Vulnerability
Critical 8.1 CVE-2024-49122 Microsoft Message Queuing Remote Code Execution Vulnerability

A Critical Vulnerability in Windows Local Security Authority Subsystem Service (LSASS)

CVE-2024-49112 is a Critical RCE vulnerability affecting the Windows LDAP Client with a CVSS score of 9.8. This vulnerability could allow an unprivileged attacker to run arbitrary code on an Active Directory Server by sending a specialized set of LDAP calls to the server. Microsoft recommends that all Active Directory servers be configured to not accept Remote Procedure Calls (RPCs) from untrusted networks in addition to patching this vulnerability. Due to the ease of exploitation and the significant risk this vulnerability poses to the Active Directory environment, it should be mitigated and patched quickly. 

Table 5. Critical vulnerability in Windows Local Security Authority Subsystem Service (LSASS)
Severity CVSS Score CVE Description
Critical 8.1 CVE-2024-49126 Windows Local Security Authority Subsystem Service (LSASS)

Nine Critical Vulnerabilities in Windows Remote Desktop Services

CVE-2024-49126 is a Critical RCE vulnerability affecting Windows Local Security Authority Subsystem Service (LSASS) with a CVSS score of 8.1. Successful exploitation of this vulnerability requires an attacker to win a race condition. This vulnerability allows an attacker to remotely execute arbitrary code on a server without requiring special privileges or user interaction. The attacker can exploit this weakness through a network call, potentially gaining control over the server by running malicious code in the context of the server’s account.

Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strategies

CVE-2024-49127 is a Critical RCE vulnerability in the Windows LDAP Client with a CVSS score of 8.1. An unauthenticated attacker could send a specially crafted request to a vulnerable server. Successful exploitation of this vulnerability requires an attacker to win a race condition, which could then allow the attacker to execute code in the SYSTEM account.
Learn more about how CrowdStrike Falcon® Exposure Management can help you quickly and easily discover and prioritize vulnerabilities and other types of exposures here.
The following nine vulnerabilities are Critical RCE vulnerabilities affecting Windows Remote Desktop Services, and all have a CVSS score of 8.1. An attacker could successfully exploit these vulnerabilities by connecting to a system with the Remote Desktop Gateway role, triggering a race condition to create a use-after-free scenario, and then leveraging this to execute arbitrary code.

Learn More

As we have learned with other notable vulnerabilities, such as Log4j, not every highly exploitable vulnerability can be easily patched. As is the case for the ProxyNotShell vulnerabilities, it’s critically important to develop a response plan for how to defend your environments when no patching protocol exists. 

About CVSS Scores

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article. 

Additional Resources

Similar Posts