Zero-Day vulnerability (CVE-2024-49138) has been spotted in the field
CVE-2024-49138 is a privilege escalation vulnerability in the Microsoft Windows Common Log File System (CLFS) driver and is rated as Critical. CrowdStrike Counter Adversary Operations discovered this vulnerability and reported it to Microsoft, which subsequently acknowledged it, patched it, and confirmed that it is being actively exploited.

Table 1. Microsoft Windows Zero Day

| Severity  | CVSS Score | CVE            | Description                                                         |
|-----------|------------|----------------|---------------------------------------------------------------------|
| Important | 7.8        | CVE-2024-49138 | Windows Common Log File System Elevation of Privilege Vulnerability |

Three critical vulnerabilities in the Lightweight Directory Access Protocol (LDAP) client
CVE-2024-49112 is a critical RCE vulnerability affecting the Windows LDAP client with a CVSS score of 9.8. It could allow an unprivileged attacker to run arbitrary code on an Active Directory server by sending a specially crafted set of LDAP calls to the server. In addition to patching, Microsoft recommends that all Active Directory servers be configured not to accept remote procedure calls (RPCs) from untrusted networks. Because of the ease of exploitation and the high risk this vulnerability poses to an Active Directory environment, it must be mitigated and patched quickly.
CVE-2024-49124 is a critical RCE vulnerability affecting the Windows LDAP client with a CVSS score of 8.1. Successful exploitation of this vulnerability would allow an unauthenticated, remote attacker to use a specially crafted packet that leverages the cryptographic protocol within Windows Kerberos to perform RCE.
CVE-2024-49127 is a critical RCE vulnerability in the Windows LDAP client with a CVSS score of 8.1. An unauthenticated attacker can send a specially crafted request to a vulnerable server. Successful exploitation requires the attacker to win a race condition, which could allow the attacker to execute code in the context of the SYSTEM account.

Table 2. Windows Lightweight Directory Access Protocol (LDAP) Critical Vulnerabilities

| Severity | CVSS Score | CVE            | Description                                                                             |
|----------|------------|----------------|-----------------------------------------------------------------------------------------|
| Critical | 9.8        | CVE-2024-49112 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability        |
| Critical | 8.1        | CVE-2024-49124 | Windows Lightweight Directory Access Protocol (LDAP) Client Remote Code Execution Vulnerability |
| Critical | 8.1        | CVE-2024-49127 | Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability        |

Critical vulnerability in Windows Hyper-V

CVE-2024-49117 is a critical RCE vulnerability affecting Windows Hyper-V with a CVSS score of 8.8. It could allow an authenticated attacker on a guest virtual machine (VM) to send specially crafted file operation requests from the VM to hardware resources on the VM, which could lead to RCE on the host server. Although described as "remote", this vulnerability actually requires local access to exploit: it allows arbitrary code execution, but the vulnerable endpoint can only be reached through the local VM interface, so the attacker must already have access to the local machine to carry out the attack.

Table 3. Critical Vulnerability in Windows Hyper-V

| Severity | CVSS Score | CVE            | Description                                      |
|----------|------------|----------------|--------------------------------------------------|
| Critical | 8.8        | CVE-2024-49117 | Windows Hyper-V Remote Code Execution Vulnerability |
Two critical vulnerabilities in Microsoft Message Queuing
CVE-2024-49118 and CVE-2024-49122 are critical RCE vulnerabilities affecting Microsoft Message Queuing (MSMQ), both with a CVSS score of 8.1. Successful exploitation requires the attacker to win a race condition. The attacker would need to send a specially crafted malicious MSMQ packet to the MSMQ server, which may lead to RCE on the server side.

MSMQ has been highlighted in previous CrowdStrike Patch Tuesday blogs, and vulnerabilities in it continue to be disclosed. MSMQ is an attractive target for attackers because it is widely used by highly available services such as Active Directory. For an attacker to successfully exploit this vulnerability on a targeted system, the Windows Message Queuing service must be enabled and network traffic must be allowed on TCP port 1801. In addition to patching, Microsoft recommends checking whether Message Queuing is running and whether TCP port 1801 is listening on the device; if the service is running and not being used, consider disabling it.

Table 4. Critical Vulnerabilities in Microsoft Message Queuing (MSMQ)

| Severity | CVSS Score | CVE            | Description                                                      |
|----------|------------|----------------|------------------------------------------------------------------|
| Critical | 8.1        | CVE-2024-49118 | Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability |
| Critical | 8.1        | CVE-2024-49122 | Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability |
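The check Microsoft recommends above (is the Message Queuing service running, is TCP 1801 listening, is the queue actually in use) can be scripted for fleet-wide triage. This is an added example, not code from the CrowdStrike post; it assumes the Windows service name `MSMQ` and the `Get-MsmqQueue` cmdlet from the MSMQ PowerShell module, and it only disables the service when `-Remediate` is passed.

```powershell
# Added example: MSMQ exposure check for the CVE-2024-49118 / CVE-2024-49122 guidance.
# Run in an elevated Windows PowerShell session. Assumptions: service name 'MSMQ',
# port 1801 (from the post), Get-MsmqQueue available when the MSMQ feature is installed.
param([switch]$Remediate)

$Port = 1801
$report = [ordered]@{ Host = $env:COMPUTERNAME; Service = 'not installed'
                      Listening = $false; Owner = $null; Queues = 0; Action = 'none' }

# 1. Is the Message Queuing service present, and what state is it in?
$svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
if ($svc) {
    $report.Service = "$($svc.Status) (StartType $($svc.StartType))"

    # 2. Is TCP 1801 actually listening, and which process owns the socket?
    $conn = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
            Select-Object -First 1
    if ($conn) {
        $report.Listening = $true
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        $report.Owner = "PID $($conn.OwningProcess) ($($proc.ProcessName))"
    }

    # 3. Evidence of real use: count private queues on this host (0 suggests unused).
    if (Get-Command Get-MsmqQueue -ErrorAction SilentlyContinue) {
        $report.Queues = @(Get-MsmqQueue -ErrorAction SilentlyContinue).Count
    }

    # 4. Running, reachable and unused is the case the post says to consider disabling.
    if ($svc.Status -eq 'Running' -and $report.Queues -eq 0) {
        if ($Remediate) {
            Stop-Service -Name 'MSMQ' -Force
            Set-Service -Name 'MSMQ' -StartupType Disabled
            $report.Action = 'stopped and disabled'
        } else {
            $report.Action = 'candidate for disabling (re-run with -Remediate)'
        }
    }
}

# One JSON line per host so results can be collected centrally.
[pscustomobject]$report | ConvertTo-Json -Compress
```

Hosts that must keep MSMQ still need the patch; the script only removes the listening service where nothing uses it.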
Critical vulnerability in the Windows Local Security Authority Subsystem Service (LSASS)

CVE-2024-49126 is a critical RCE vulnerability affecting the Windows Local Security Authority Subsystem Service (LSASS) with a CVSS score of 8.1. Successful exploitation requires the attacker to win a race condition. The vulnerability allows an attacker to execute arbitrary code on the server remotely without special privileges or user interaction. An attacker could exploit it over a network connection, potentially taking control of the server by running malicious code in the context of the server account.

Table 5. Critical Vulnerability in the Windows Local Security Authority Subsystem Service (LSASS)

| Severity | CVSS Score | CVE            | Description                                                                   |
|----------|------------|----------------|-------------------------------------------------------------------------------|
| Critical | 8.1        | CVE-2024-49126 | Windows Local Security Authority Subsystem Service (LSASS) Remote Code Execution Vulnerability |
Nine critical vulnerabilities in Windows Remote Desktop Services
The following nine vulnerabilities are critical RCE vulnerabilities affecting Windows Remote Desktop Services, all with a CVSS score of 8.1. An attacker could exploit them by connecting to a system with the Remote Desktop Gateway role, triggering a race condition to create a use-after-free condition, and then leveraging that to execute arbitrary code.
Not all relevant vulnerabilities have patches: consider mitigation strategies
As we have learned from other high-profile vulnerabilities, such as Log4j, not all exploitable vulnerabilities can be easily patched. As with the ProxyNotShell vulnerabilities, it is extremely important to develop a response plan for defending your environments in the absence of a patch.

Regularly reviewing your patching strategy should remain part of your program, but you should also look more holistically at your organization's approach to cybersecurity and improve your overall security posture.
The CrowdStrike Falcon platform regularly collects and analyzes trillions of endpoint events daily from millions of sensors deployed in 176 countries. Watch this demo to see the Falcon platform in action.
Learn more
Learn more about how CrowdStrike Falcon® Exposure Management can help you quickly and easily discover and prioritize vulnerabilities and other types of exposure here.
About CVSS scores

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard used by CrowdStrike and many other cybersecurity organizations to assess and communicate the severity and characteristics of software vulnerabilities. The CVSS base score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating to CVSS scores. Learn more about vulnerability scoring in this article.
Additional resources