CLFS Bug Crashes Even Updated Windows 10, 11 Systems

Published: 23/11/2024 | Category: security




A quick and easy exploit for crashing Windows computers has no fix yet nor really any way to mitigate its effects.



UPDATE
A simple bug in the Common Log File System (CLFS) driver can instantly trigger the infamous blue screen of death across any recent versions of Windows.
CLFS is a user- and kernel-mode logging service that helps applications record and manage logs. It's also a popular target for hacking.
While experimenting with its driver last year, a Fortra researcher discovered an improper validation of specified quantities in input data which allowed him to trigger system crashes at will. His proof of concept (PoC) exploit worked across all versions of Windows tested — including 10, 11, and Windows Server 2022 — even in the most up-to-date systems.
"It's very simple to run: run a binary, call a function, and that function causes the system to crash," explains Tyler Reguly, associate director of security R&D at Fortra. To demonstrate just how simple it is, he adds that "I probably shouldn't admit to this, but in dragging and dropping it from system to system today, I accidentally double-clicked it, and I crashed my server."
The underlying issue — labeled CVE-2024-6768 — concerns base log files (BLFs), a type of CLFS file that contains metadata used for managing logs.
The CLFS.sys driver, it seems, does not adequately validate the size of data within a particular field — IsnOwnerPage — in the BLF. Any attacker with access to a Windows system can craft a file with incorrect size information to, in effect, confuse the driver. Then, unable to resolve the inconsistency, it triggers KeBugCheckEx, the function that triggers a blue screen crash.
CVE-2024-6768 has earned a medium 6.8 out of 10 score on the CVSS scale. It doesn't affect the integrity or confidentiality of data, nor cause any kind of unauthorized system control. It does, however, allow for wanton crashes that can disrupt business operations or potentially cause data loss.
Or, as Reguly explains, it can be paired with other exploits to greater effect. "It's a good way for an attacker to maybe cover their tracks, or take down a service where they otherwise shouldn't be able to, and I think that's where the real risk comes in," he says. "These systems reboot unexpectedly, [you] ignore the crash because it came back up and it's fine now, but that might have been somebody hiding their activity — hiding the fact that they wanted it to reboot so that a new setting would take effect."
Fortra first reported its findings last Dec. 20. After months of back and forth, Reguly says, Microsoft closed their investigation without acknowledging it as a vulnerability or applying a fix. Thus, as of this writing, it persists in Windows systems no matter how updated they are.
In recent weeks, Windows Defender has been identifying Fortra's PoC as malware. But besides running Windows Defender and trying to avoid running any binary that exploits it, there's nothing organizations can do to deal with CVE-2024-6768 until Microsoft releases a patch.
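Since the practical defence the article describes is noticing a crash rather than shrugging it off, the following PowerShell script is an added example (not code from the article, Fortra or Microsoft) that lists bugcheck reboots from the System event log, counts dirty shutdowns that produced no dump record, and shows any Windows Defender detections logged close to each crash. It assumes Windows 10/11 or Windows Server with PowerShell 5.1 or later, the built-in Defender module, and an elevated prompt; the look-back window and correlation interval are assumed defaults you can override.

```powershell
# Added example: surface unexpected bugchecks and nearby Defender detections so a
# crash such as the CLFS one is investigated, not ignored. Assumes Windows 10/11 or
# Server with PowerShell 5.1+, the Defender module, and an elevated session.
param(
    [int]$Days = 7,                 # look-back window (assumed default)
    [int]$CorrelationMinutes = 30   # how close a Defender hit must be to a crash (assumed default)
)

$since = (Get-Date).AddDays(-$Days)

# System log Event ID 1001 ("The computer has rebooted from a bugcheck. The bugcheck
# was: 0x... ") carries the stop code, its parameters and the dump file path.
$bugchecks = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1001; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'bugcheck' }

# Kernel-Power Event ID 41 marks every dirty shutdown, including crashes where no
# dump (and therefore no 1001 event) was written.
$dirty = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Kernel-Power'; Id = 41; StartTime = $since } -ErrorAction SilentlyContinue

# Defender detection history for the same window; the article notes Defender now
# flags the PoC binary, so a hit shortly before a crash is worth a second look.
$detections = @()
if (Get-Command Get-MpThreatDetection -ErrorAction SilentlyContinue) {
    $detections = Get-MpThreatDetection | Where-Object { $_.InitialDetectionTime -ge $since }
}

$report = foreach ($bc in $bugchecks) {
    # Extract the stop code from the message text, e.g. "The bugcheck was: 0x0000007e (...)".
    $code = if ($bc.Message -match 'bugcheck was:\s*(0x[0-9a-fA-F]+)') { $Matches[1] } else { 'unknown' }

    # Defender detections within the correlation interval of this crash.
    $near = $detections | Where-Object {
        [math]::Abs(($_.InitialDetectionTime - $bc.TimeCreated).TotalMinutes) -le $CorrelationMinutes
    }

    [pscustomobject]@{
        CrashTime          = $bc.TimeCreated
        StopCode           = $code
        DefenderHitsNearby = ($near | ForEach-Object { "$($_.ProcessName): $($_.Resources -join ',')" }) -join '; '
    }
}

"{0} bugcheck event(s) and {1} dirty shutdown(s) since {2}" -f @($bugchecks).Count, @($dirty).Count, $since
$report | Sort-Object CrashTime -Descending | Format-Table -AutoSize
```

Run it as `.\Find-Bugchecks.ps1 -Days 14` (file name assumed) on each host after an unexplained reboot; a row whose crash is preceded within minutes by a Defender detection on a user-run binary is the pattern Reguly describes, and the stop code and dump path in the 1001 event give the starting point for triage with WinDbg.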
A Microsoft spokesperson clarified the company's position on the issue. "We have reviewed this report and have found that it does not meet the bar for immediate servicing under our severity classification guidelines and we will consider it for a future product update," the spokesperson said in a statement. "The technique described requires an attacker to have already gained code execution capabilities on the target machine and it does not grant elevated permissions. We encourage customers to practice good computing habits online, including exercising caution when running programs that are not recognized by the user."
This story was updated at 4:21pm ET on Aug. 13 to include Microsoft's comments.
