Exposures, Exposed! Weekly Round-up December 9 – December 15

Welcome to the early holiday season edition of Exposures Exposed! As we dive into the festive spirit, it’s time to stay vigilant against cyber threats that could steal more than your holiday cheer. This week, our experts have uncovered critical vulnerabilities and exposures that could put a damper on your season of joy. So, grab a cup of cocoa, cozy up by the fire, and unwrap the latest insights to keep your defenses merry and bright!

CISA Adds Microsoft CLFS Flaw to Exploited Catalog  

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-49138, a Microsoft Windows Common Log File System (CLFS) vulnerability, to its Known Exploited Vulnerabilities catalog. This flaw, with a CVSS score of 7.8, was addressed in Microsoft’s December 2024 Patch Tuesday updates.  

The vulnerability, a heap-based buffer overflow, allows attackers to escalate privileges to SYSTEM level. While Microsoft has not provided details on attacks exploiting this flaw, it has been classified as a zero-day vulnerability.  

Federal agencies are required to address this issue by December 31, 2024, as mandated by Binding Operational Directive 22-01. CISA urges private organizations to review the catalog and fix vulnerabilities to protect their networks.  

The Takeaway: Address CVE-2024-49138 in all affected systems immediately. Learn more here.  

Microsoft Patches 70 Vulnerabilities in December Update  

Microsoft issued fixes for 70 vulnerabilities across Windows, Office, and Edge in its final Patch Tuesday update of 2024. The update addressed 16 critical flaws and 54 important issues, bringing the total number of CVEs patched by Microsoft this year to 1,020, the second-highest since 2020.  

One actively exploited vulnerability, CVE-2024-49138, was highlighted. This elevation of privilege flaw in the Windows Common Log File System could enable attackers to achieve root access when combined with other flaws. Researchers warn this tactic is common in ransomware and phishing campaigns.  

Another concern is CVE-2024-49112, a bug in Windows LDAP that allows remote code execution and could compromise domain controllers. Other critical flaws include remote code execution bugs in Hyper-V and Remote Desktop Services.  

The Takeaway: Install all December security updates promptly to mitigate risks. Learn more here.  

Ivanti Releases Updates to Fix Critical Security Flaws  

Ivanti has issued security updates to address multiple critical vulnerabilities in its Cloud Services Application (CSA), Connect Secure, and Policy Secure products. These flaws include authentication bypass, command injection, SQL injection, and insecure permissions, with CVSS scores ranging from 8.8 to 10.0.  

Among the most severe is CVE-2024-11639, an authentication bypass vulnerability in Ivanti CSA that allows unauthenticated attackers to gain administrative access. Other flaws, such as CVE-2024-11772 and CVE-2024-11633, enable remote code execution when exploited by attackers with admin privileges.  

Ivanti has released updates to mitigate these risks, including CSA version 5.0.3, Connect Secure version 22.7R2.4, and Policy Secure version 22.7R1.2. Although there is no evidence of active exploitation, Ivanti urges users to update immediately due to past incidents of attackers targeting its software.  

The Takeaway: Apply Ivanti's latest security updates to prevent exploitation. Learn more here.  

Adobe Fixes Over 160 Vulnerabilities Across Multiple Products  

Adobe has released updates to address over 160 vulnerabilities in 16 of its products as part of its December 2024 Patch Tuesday. The affected software includes Experience Manager, Connect, Animate, InDesign, Acrobat, Reader, and several others.  

Approximately 90 flaws were patched in Adobe Experience Manager, most of which were medium-severity issues allowing arbitrary code execution and security bypass. CVE-2024-43711 is the only critical vulnerability in this product.  

Adobe Animate had more than a dozen critical vulnerabilities that could enable arbitrary code execution. Nine flaws were addressed in both InDesign and Substance 3D Modeler, while smaller numbers were fixed in Substance 3D Sampler and Painter.  

Other patched software includes Acrobat, Reader, Media Encoder, Illustrator, and individual issues in Photoshop, FrameMaker, and Premiere Pro.  

Adobe stated it has not observed active exploitation of these vulnerabilities but recommends users apply updates promptly.  

The Takeaway: Install Adobe’s latest updates to secure affected products. Learn more here.  

Google Releases Update to Fix Three Chrome Flaws  

Google has issued a critical security update for its Chrome browser, addressing three high-severity vulnerabilities. The update, version 131.0.6778.139/.140 for Windows and Mac and 131.0.6778.139 for Linux, is rolling out gradually.  

The first flaw, CVE-2024-12381, is a type confusion issue in Chrome’s V8 JavaScript engine. Discovered by researcher Seunghyun Lee, it could allow attackers to execute arbitrary code or crash systems. The second, CVE-2024-12382, is a use-after-free vulnerability in Chrome’s Translate feature, reported by a researcher from the TIANGONG Team. The third flaw has not been disclosed to prevent potential exploitation.  

Google recommends users update Chrome immediately. Updates occur automatically, but users can check manually by navigating to settings and selecting “About Chrome.”  

The Takeaway: Ensure Chrome is updated to the latest version immediately. Learn more here.  

SAP Addresses Critical Vulnerabilities in December Patch Update  

SAP has released nine new and four updated security notes as part of its December 2024 Security Patch Day. The updates include fixes for three vulnerabilities in NetWeaver AS for JAVA (Adobe Document Services), one of which, CVE-2024-47578, is marked as critical with a CVSS score of 9.1.  

The critical flaw allows attackers with administrative privileges to send crafted requests from vulnerable web applications, resulting in a server-side request forgery that can compromise the entire system. Two additional vulnerabilities, CVE-2024-47579 and CVE-2024-47580, could enable file access on the server but require administrative access.  

Other updates address an authenticated information disclosure bug (CVE-2024-54198) and a high-severity server-side request forgery vulnerability in NetWeaver, among others. SAP advises users to apply these security notes promptly, even though no evidence suggests active exploitation.  

The Takeaway: Apply SAP’s December 2024 security updates immediately to address critical risks. Learn more here.  

OpenWrt Fixes Critical Vulnerability in Sysupgrade Server  

OpenWrt has released a fix for a critical vulnerability, CVE-2024-54143, affecting its sysupgrade server. The flaw, which requires no authentication, arises from a command injection issue in Imagebuilder and truncated SHA-256 hash collisions. These vulnerabilities allow attackers to compromise build artifacts and inject malicious firmware images during the attended firmware upgrade process.  

According to OpenWrt, attackers could exploit these issues to compromise firmware delivered via the sysupgrade.openwrt.org service, potentially affecting the integrity of user devices. OpenWrt has urged users to apply the released patches immediately to prevent malicious firmware installations and ensure the integrity of system updates.  

The Takeaway: Apply OpenWrt's latest security patches immediately to safeguard against firmware compromises. Learn more here.  

That’s all for this week – have any exposures to add to our list? Let us know!

Read our latest blog "Extend Exposure Management to Protect Legacy and OT Systems":