A recent discovery has unveiled a vulnerability within the Common Log File System (CLFS) driver that could lead to the notorious blue screen of death on various Windows operating systems. This logging service, which operates in both user and kernel modes, plays a crucial role in helping applications manage and record logs. However, it has also become an attractive target for cybercriminals.
During an exploration of the CLFS driver last year, a researcher from Fortra stumbled upon a flaw related to the improper validation of input data quantities. This oversight enabled the researcher to induce system crashes at will, demonstrating that the proof of concept (PoC) exploit was effective across all tested Windows versions, including Windows 10, 11, and Windows Server 2022, even on the latest updates.
Tyler Reguly, associate director of security R&D at Fortra, succinctly describes the exploit’s simplicity: “It’s very simple to run: run a binary, call a function, and that function causes the system to crash.” He humorously recounted an incident where he inadvertently crashed his server while transferring the exploit between systems, highlighting the ease with which this vulnerability can be exploited.
BSoD From CLFS
The vulnerability, designated as CVE-2024-6768, pertains to base log files (BLFs) within the CLFS framework, which contain essential metadata for log management. The issue arises from the CLFS.sys driver’s failure to properly validate the size of data in the “IsnOwnerPage” field of the BLF. This flaw allows an attacker with access to a Windows system to create a file with misleading size information, leading to confusion within the driver. Consequently, this inconsistency triggers the KeBugCheckEx function, resulting in a blue screen crash.
CVE-2024-6768 has been assigned a “medium” severity score of 6.8 on the CVSS scale. While it does not compromise data integrity or confidentiality, nor does it grant unauthorized control over systems, it poses a risk of disruptive crashes that could hinder business operations or lead to potential data loss. Reguly further notes that this vulnerability could be exploited in conjunction with other attacks, allowing malicious actors to obscure their activities or disrupt services in ways that would otherwise be impossible. “These systems reboot unexpectedly, and you might overlook the crash because it comes back up fine, but that could be someone hiding their activity,” he warns.
No Fix in Sight
Fortra initially reported this vulnerability on December 20 of last year. After several months of discussions, Microsoft concluded its investigation without recognizing the issue as a vulnerability or implementing a fix. As a result, the flaw remains present in Windows systems, regardless of updates.
In recent weeks, Windows Defender has begun flagging Fortra’s PoC as malware. However, aside from utilizing Windows Defender and refraining from executing any binaries that could exploit this vulnerability, organizations currently have no recourse until Microsoft issues a patch. Dark Reading has reached out to Microsoft for further insights regarding CVE-2024-6768.
