Microsoft

Security Advisory

Zero-Day Vulnerability in Windows Exposes NTLM Credentials

Summary

OEM

Microsoft

Severity

Critical

Date of Announcement

2024-12-12

CVE

Not yet assigned

Exploited in Wild

No

Patch/Remediation Available

Yes (No official patch)

Advisory Version

1.0

Vulnerability Name

NTLM Zero-Day

Overview

A recently discovered zero-day vulnerability in Windows, enables attackers to steal user credentials through a malicious file viewed in File Explorer. This “clickless” exploit bypasses the need for user interaction, creating significant security risks. While Microsoft investigates, 0patch has released an unofficial micropatch to mitigate the threat. Users are advised to apply the patch or implement mitigations to reduce exposure.

Vulnerability Name

CVE ID

Product Affected

Severity

NTLM zero-day

Not Yet Assigned

Microsoft Windows

Critical

Technical Summary

CVE ID

System Affected

Vulnerability Details

Impact

Not Yet Assigned

Windows 7 to 11 (24H2), Server 2008 R2 to 2022

A zero-day vulnerability that allows NTLM credential theft by viewing a malicious file in File Explorer. The flaw forces an outbound NTLM connection, leaking NTLM hashes. Exploitation requires no user interaction beyond viewing a malicious file, which can be delivered through shared folders, USB drives, or malicious downloads in the browser's default folder.

Enables attackers to steal NTLM credentials and  gain unauthorized access of the affected systems.

Remediations

  • Apply the 0patch Micropatch:
    • Register for a free account at 0patch Central.
    • Install the 0patch agent to automatically receive the micropatch.
  • Disable NTLM Authentication:
    • Navigate to Security Settings > Local Policies > Security Options in Group Policy.
    • Configure “Network security: Restrict NTLM” policies to limit NTLM usage. 

General Recommendations

  • Only enable patches or configurations after testing them on non-critical devices to ensure minimal impact.
  • Stay updated on Microsoft’s response and the availability of an official patch through trusted news sources or Microsoft’s advisories.
  • Inform users about the risks of handling unfamiliar files and downloading content from untrusted sources.
  • Monitor systems for suspicious NTLM-related activity.

References

Security Advisory

Microsoft December 2024 Patch Tuesday: Critical Fixes for Zero-Day and Remote Code Execution

Summary

OEM

Microsoft

Severity

High

Date of Announcement

2024-12-12

NO. of Vulnerabilities Patched

71

Actively Exploited

01

Exploited in Wild

Yes

Advisory Version

1.0

Overview

Microsoft released updates addressing 71 vulnerabilities across its product suite, including 1 actively exploited zero-day vulnerability. Critical patches include fixes for remote code execution (RCE) flaws in Windows TCP/IP and Windows Common Log File System (CLFS). Immediate attention is required for systems running Windows Server, Microsoft Exchange, and other affected components. The patch targets a range of critical issues across Microsoft products, categorized as follows:

  • 30 Remote Code Execution (RCE) Vulnerabilities
  • 27 Elevation of Privilege (EoP) Vulnerabilities
  • 7 Information Disclosure Vulnerabilities
  • 4 Denial of Service (DoS) Vulnerabilities
  • 1Defense-in-depth improvement
  • 1 Spoofing Vulnerabilities

The highlighted vulnerabilities include one zero-day flaw and critical RCE vulnerabilities, one of which is currently being actively exploited.

Vulnerability Name

CVE ID

Product Affected

Impact

CVSS Score

Unauthenticated Remote Code Execution in Windows LDAP

CVE-2024-49112 

Windows

Critical

9.8

Remote Code Execution in Windows Hyper-V

CVE-2024-49117

Windows

High

8.8

Remote Code Execution via Use-After-Free in Remote Desktop Services

CVE-2024-49132

Windows

High

8.1

Windows Common Log File System Driver Elevation of Privilege Vulnerability

CVE-2024-49138

Windows

High

7.8

Technical Summary

CVE ID

System Affected

Vulnerability Details

Impact

CVE-2024-49112 

Microsoft Windows Lightweight Directory Access Protocol (LDAP)

This vulnerability allows attackers to execute arbitrary code at the LDAP service level by sending specially crafted LDAP calls to a Windows Domain Controller. While Microsoft recommends disconnecting Domain Controllers from the Internet as a mitigation, applying the patch is the best course of action.

Remote Code Execution

CVE-2024-49117

Microsoft Windows Hyper-V

This vulnerability can be exploited by an authenticated attacker to execute code on the host operating system from a guest virtual machine. Cross-VM attacks are also possible. Although the attacker must have basic authentication, the vulnerability poses significant risks to virtualized environments.

Remote Code Execution

CVE-2024-49132

Microsoft Windows Remote Desktop Services

An attacker can exploit a use-after-free memory condition in Remote Desktop Gateway, allowing RCE. Exploitation requires precise timing, which makes this an advanced attack. Successful exploitation grants attackers control over the affected system.

Allows an attacker to execute remote code on systems using Remote Desktop Gateway

CVE-2024-49138

Windows Common Log File System Driver

This critical security flaw affects the Windows Common Log File System Driver and is classified as an Elevation of Privilege vulnerability.

It allows attackers to gain SYSTEM privileges on Windows devices, potentially giving them full control over the affected system.

Additional Critical Patches Address High-Severity Vulnerabilities

  • These are the eight other critical vulnerabilities that are rated 8.1 on the CVSS scale in Remote Desktop Services (CVE-2024-49116, CVE-2024-49108, CVE-2024-49106, CVE-2024-49115, CVE-2024-49128, CVE-2024-49123, CVE-2024-49120, CVE-2024-49119).
  • Windows Mobile Broadband Driver Elevation of Privilege Vulnerability (CVE-2024-49077).
  • Windows Mobile Broadband Driver Elevation of Privilege Vulnerability (CVE-2024-49132).

Remediation

  • Ensure all December 2024 Patch Tuesday updates are applied promptly.
  • Implement a routine patch management process to regularly check for and apply the latest Microsoft security updates and patches for all affected products.
  • Create and test an incident response plan with defined communication channels and responsibilities to ensure readiness for any security breaches.

References

https://msrc.microsoft.com/update-guide/releaseNote/2024-Dec

News Security Advisory

Re-release of November 2024 Exchange Server Security Updates

Microsoft users had a tough time to send or load attachments to emails when using Outlook, were unable to connect to the server, and in some cases could not log into their accounts.

Microsoft Exchange Online is a platform for business communication that has a mail server and cloud apps for email, contacts, and calendars.

Microsoft mitigated the issue after identification were able to determine the cause of the outages and is rolling out a fix for the issue. That rollout is gradual, however, as outage reports continue to come in at DownDetector.

Impact

The outage left many users unable to communicate with colleagues, particularly as it coincided with the start of the workday in Europe. Frustration quickly spread across social media, with users reporting issues accessing emails and participating in Teams calls

Re-release of November 2024 Exchange Server Security Updates 

Summary 

OEM  Microsoft 
Severity  High 
Date of Announcement  27/11/2024 
Product  Microsoft Exchange Server 
CVE ID  CVE-2024-49040 
CVSS Score  7.5 
Exploited in Wild  No 
Patch/Remediation Available  Yes 
Advisory Version  1.0 

Overview 

On November 27, 2024, Microsoft re-released the November 2024 Security Updates (SUs) for Exchange Server to resolve an issue introduced in the initial release on November 12, 2024. The original update (SUv1) caused Exchange Server transport rules to intermittently stop functioning, particularly in environments using transport or Data Loss Protection (DLP) rules. The updated version (SUv2) addresses this issue. 

Table of Actions for Admins: 

Scenario  Action Required 
SUv1 installed manually, and transport/DLP rules are not used  Install SUv2 to regain control over the X-MS-Exchange-P2FromRegexMatch header. 
SUv1 installed via Windows/Microsoft Update, no transport/DLP rules used  No immediate action needed; SUv2 will be installed automatically in December 2024. 
SUv1 installed and then uninstalled due to transport rule issues  Install SUv2 immediately. 
SUv1 never installed  Install SUv2 immediately. 

Remediation Steps 

1. Immediate Actions 

  • Use the Health Checker script to inventory your Exchange Servers and assess update needs. 
  • Install the latest Cumulative Update (CU) followed by the November 2024 SUv2. 

2. Monitor System Performance 

  • After enabling AMSI integration for message bodies, monitor for any performance issues such as delays in mail flow or server responsiveness. 

3. Run SetupAssist Script for Issues 

  • Use the SetupAssist script to troubleshoot issues with failed installations or update issues, and check logs for specific error details. 

References

Scroll to top