CLFS Bug Crashes Even Updated Windows 10, 11 Systems


A simple bug in the Common Log File System (CLFS) driver can instantly trigger the infamous blue screen of death on all recent versions of Windows.

CLFS is a user- and kernel-mode logging service that helps applications record and manage logs. It’s also a popular target for hacking.

While experimenting with its driver last year, a Fortra researcher discovered an improper validation of specified quantities in input data which allowed him to trigger system crashes at will. His proof of concept (PoC) exploit worked across all versions of Windows tested — including 10, 11, and Windows Server 2022 — even in the most up-to-date systems.

“It’s very simple to run: run a binary, call a function, and that function causes the system to crash,” explains Tyler Reguly, associate director of security R&D at Fortra. To demonstrate just how simple it is, he adds that “I probably shouldn’t admit to this, but in dragging and dropping it from system to system today, I accidentally double clicked it, and I crashed my server.”

BSoD From CLFS

The underlying issue — labeled CVE-2024-6768 — concerns base log files (BLFs), a type of CLFS file that contains metadata used for managing logs.

The CLFS.sys driver, it seems, does not adequately validate the size of data within a particular field — “IsnOwnerPage” — in the BLF. Any attacker with access to a Windows system can craft a file with incorrect size information to, in effect, confuse the driver. Unable to resolve the inconsistency, the driver then calls KeBugCheckEx, the kernel function that halts the system with a blue screen crash.

CVE-2024-6768 has earned a “medium” 6.8 out of 10 score on the CVSS scale. It doesn’t affect the integrity or confidentiality of data, nor cause any kind of unauthorized system control. It does, however, allow for wanton crashes that can disrupt business operations or potentially cause data loss.

Or, as Reguly explains, it can be paired with other exploits to greater effect. “It’s a good way for an attacker to maybe cover their tracks, or take down a service where they otherwise shouldn’t be able to, and I think that’s where the real risk comes in,” he says. “These systems reboot unexpectedly, [you] ignore the crash because it came back up and it’s fine now, but that might have been somebody hiding their activity — hiding the fact that they wanted it to reboot so that a new setting would take effect.”

No Fix in Sight

Fortra first reported its findings last Dec. 20. After months of back and forth, Reguly says, Microsoft closed their investigation without acknowledging it as a vulnerability or applying a fix. Thus, as of this writing, it persists in Windows systems no matter how updated they are.

In recent weeks, Windows Defender has been identifying Fortra’s PoC as malware. But besides running Windows Defender and trying to avoid running any binary that exploits it, there’s nothing organizations can do to deal with CVE-2024-6768 until Microsoft releases a patch.

Dark Reading has reached out to Microsoft for its input on CVE-2024-6768.
