Alert essentials:
Limited detail is available, but patches were released and should be deployed to systems immediately.
Detailed threat description:
A heap-based overflow vulnerability in the Microsoft Windows Common Log File System (CLFS) driver is being actively exploited.
This vulnerability has been found in every Windows Operating System since the release of Server 2008 and can provide hackers with full access.
Details are scarce to allow users time to apply patches, but we know the attack is low-complexity and does not require authentication. CVE-2024-49138 manipulates the CLFS’s memory management to enable a privilege elevation increase to the system level, providing complete control over the target network.
While the exact method of exploitation has not been revealed, this weakness has been weaponized and should be patched. Some reports state a public proof-of-concept is available, but that has not been confirmed as of this writing.
The risk has a cvss score of 7.8 and has been added to CISAs Known Exploitable Vulnerabilities. Organizations are strongly advised to prioritize this update to mitigate potential risks as attackers continue targeting unpatched systems.
Impacts on healthcare organizations:
A whole network compromise will have severe and long-lasting consequences for any organization. In healthcare, it will result in delays in surgeries and procedures, inaccessible health records, and the inability to provide patient care adequately.
Patients may lose confidence in the organization’s ability to protect their sensitive health information, leading to a decline in patient loyalty and a tarnished reputation for the provider.
Healthcare organizations should incorporate robust cybersecurity measures and proactive reputation management strategies.
Affected Products / Versions:
The vulnerability affects all Windows OS editions released since 2008.
CVEs
CVE-2024-49138
KBs
5048652, 5048653, 5048654, 5048661, 5048667, 5048671, 5048676, 5048685, 5048695, 5048699, 5048703, 5048710, 5048735, 5048744, 5048794, 5048800
Recommendations
Engineering recommendations:
- Apply the official patch from Microsoft as soon as possible
- Implement the principle of least privilege to minimize the potential impact of successful exploits
- Monitor system logs for suspicious activities related to the Common Log File System Driver
- Restrict local access to systems where possible, as the vulnerability requires local access to exploit
- Keep all Windows systems and software up to date with the latest security updates
- Use endpoint detection and response (EDR) tools to detect and prevent potential exploitation attempts
Leadership/ Program recommendations:
- Ensure adherence to CISA’s directive for Federal agencies to patch by December 31, 2024
Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
References:
- AlienVault: https://otx.alienvault.com/indicator/cve/CVE-2014-2120
- CVE MITRE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2120Cisco
- Cisco Security Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-CVE-2014-2120
- NIST: https://nvd.nist.gov/vuln/detail/CVE-2014-2120