Trending vulnerability digest December 2024

In December, we classified four vulnerabilities as trending. These represent the most dangerous security flaws, either currently being widely exploited by cybercriminals or likely to be exploited in the near future.
Two vulnerabilities (CVE-2024-38144 and  CVE-2024-49138) that, if exploited, allow attackers to obtain SYSTEM-level privileges—the highest level of privileges in Windows—were discovered in Microsoft products. By exploiting these vulnerabilities, an attacker can gain full control over compromised devices, steal confidential data, or inject malicious software.
A third vulnerability (CVE-2024-11972) was found in the Hunk Companion plugin designed to enhance and extend the functionality of ThemeHunk themes for the WordPress content management system. This vulnerability is critically dangerous. By exploiting this vulnerability, the attackers can install other outdated plugins containing vulnerabilities on a WordPress site. This way, they can take control of the web server hosting the site.
The fourth vulnerability (CVE-2024-53677) was found in the Apache Struts web application framework. By exploiting this vulnerability, attackers can perform a directory traversal attack¹, upload arbitrary files to the server, and execute them, allowing them to run malicious code within the system and ultimately gain control over the web server.
Read more about these vulnerabilities, cases of their exploitation, and remediation methods in the digest.

According to The Verge, the following vulnerabilities can affect approximately one billion devices. Any users with outdated versions of Windows are potentially at risk.

The ksthunk.sys driver vulnerability related to privilege escalation via buffer overflow in Windows

CVE-2024-38144 (CVSS score: 8.8; high severity)

A vulnerability in the CKSAutomationThunk::ThunkEnableEventIrp function of the ksthunk.sys driver, which is used to ensure compatibility of 32-bit programs that are running on 64-bit systems. The vulnerability arises due to the lack of overflow checking when aligning buffer size during the processing of input and output data. This vulnerability allows for privilege escalation through heap overflow, which occurs after manipulating the buffer size and subsequent copying. A local attacker who runs a specially crafted application on the target system can gain SYSTEM-level privileges. This gives the attackers complete control over the system, enabling them to perform any operations, including installing malicious software, stealing data, and altering system settings.
Signs of exploitation: Microsoft does not confirm any successful exploitations of the vulnerability.
Potential number of victims: all Windows users who haven't downloaded the latest security updates.
Publicly available exploits: the exploit was published with open access.
 

Vulnerability in the CLFS.sys driver related to privilege escalation through buffer overflow in Windows

CVE-2024-49138 (CVSS score: 7.8; high severity)

The vulnerability in the CLFS.sys driver, which is used for the Common Log File System (CLFS) log file subsystem in Windows, is related to a buffer overflow in dynamic memory. Exploiting this vulnerability is possible if an attacker runs a specially crafted application that creates malicious CLFS log files on a vulnerable system. Such an attack can allow a local attacker to escalate their privileges to SYSTEM level and gain full control over the operating system.
Signs of exploitation: Microsoft notes cases of the vulnerability's exploitation. CrowdStrike reports that this vulnerability is being actively exploited by malicious actors.
Potential number of victims: all Windows users who haven't downloaded the latest security updates.
Publicly available exploits: the PoC was published with open access.

Mitigation: install the security updates available on the Microsoft website (CVE-2024-38144, CVE-2024-49138).
 

Vulnerability related to installing vulnerable plugins via the Hunk Companion WordPress plugin

CVE-2024-11972 (CVSS score: 9.8; critical severity)

The vulnerability found in this plugin is cased by improper privilege handling in the API call for adding a theme at /wp-json/hc/v1/themehunk-import. As a result, a malicious actor can remotely execute unauthenticated requests, which can be used for unauthorized installation of outdated plugins containing known vulnerabilities. By exploiting these security flaws in the plugins, the attacker can bypass security parameters, alter database entries, execute malicious code, or gain unauthorized administrative access to the site. In documented successful exploitation cases, attackers installed the WP Query Console plugin, which has a critically dangerous RCE vulnerability² that allows attackers to execute arbitrary malicious PHP code.
Signs of exploitation: WPScan reports instances of vulnerability exploitation.
Number of potential victims: according to WordPress, over 6,800 users currently have the vulnerable version installed.
Publicly available exploits: the exploit was published with open access.
Mitigation: all users are advised to update the Hunk Companion plugin to version 1.9 or later.
 

Directory traversal vulnerability in Apache Struts

CVE-2024-53677 (CVSS score: 9.0; critical severity)

The Apache Struts framework is used for creating Java web applications. To successfully exploit the vulnerability, an attacker needs to send a specially crafted HTTP request³ to the web application running on Apache Struts. This request leverages a directory traversal vulnerability in the file upload mechanism, allowing the attacker to upload arbitrary files to the server, which could lead to the execution of malicious code on the server side. As a result, all applications using the vulnerable version of the framework are at risk of mass attacks, with potential consequences ranging from data loss to the complete shutdown of all services.
Signs of exploitation: GreyNoise observed several malicious hosts attempting to exploit the vulnerability; however, no data on successful attacks has been reported.
Number of potential victims: according to Maven Central, the vulnerable version of the framework has been installed about 40,000 times.
Publicly available exploits: the exploit was published with open access.
Mitigation: all users are advised to upgrade Apache Struts to version 6.4.0 (or later) and adopt the new file upload mechanism, which is not backward compatible with the old one.

Using solutions containing trending vulnerabilities can jeopardize any company. These security flaws are the most dangerous and require immediate remediation. In the MaxPatrol VM vulnerability management system, information about trending vulnerabilities is received within 12 hours of their detection to help eliminate threats quickly and protect company infrastructure. Additionally, we recommend using web application firewalls, such as PT Application Firewall, which help secure public resources.
This digest provides examples of vulnerabilities that attackers have been exploiting recently. Information about these vulnerabilities and publicly available exploits is accurate as of December 31, 2024.