Vulnerability in Windows Driver Leads to System Crashes

A newly identified vulnerability, designated as CVE-2024-6768, has emerged within the Common Log File System (CLFS.sys) driver integral to Windows operating systems. This discovery, made by Fortra cybersecurity researcher Ricardo Narvaja, reveals a significant flaw that could enable an unprivileged user to induce a system crash, resulting in the dreaded Blue Screen of Death (BSOD).

The root of this vulnerability lies in improper input data validation, which can lead the system into an unrecoverable state. The CLFS.sys driver is essential for both Windows 10 and Windows 11, making all versions of these operating systems vulnerable, irrespective of any updates that may have been applied.

Overview of CVE-2024-6768 Vulnerability in Windows CLFS.sys Driver

The flaw allows a crafted value in a file of a specific log file format, such as a .BLF file, to trigger a crash. Notably, the exploit can be executed with minimal privileges and requires no user interaction, which increases its potential threat.

Narvaja has emphasized the considerable risk posed by this vulnerability, as it can lead to system instability and denial of service (DoS) attacks. An attacker could leverage this flaw to repeatedly crash affected systems, potentially resulting in data loss and operational disruptions.

The researcher has meticulously reported the vulnerability and outlined the steps required to reproduce the crash, including the creation of a Proof of Concept (PoC) vector.

CVE-2024-6768 has been assigned a CVSS base score of 6.8, indicating medium severity. It is classified under the Common Weakness Enumeration (CWE) as ‘Improper Validation of Specified Quantity in Input’ (CWE-1284).

The attack vector is classified as local, meaning it must be executed directly on the system, and the complexity of the attack is low, making it accessible even to less experienced attackers.

The exploit targets a specific offset within the CLFS client context structure. Upon execution, the PoC manipulates the system into an unrecoverable state, triggering the KeBugCheckEx function call—a fundamental Windows mechanism designed to manage critical errors.

This function call results in the BSOD, compelling the system to restart. The simplicity of the exploit, coupled with the potential for repeated attacks, underscores the urgency for organizations that depend on Windows systems to address this vulnerability promptly.

Narvaja has urged researchers and IT professionals to maintain updated systems and monitor for any unusual activity to mitigate the risk of exploitation.