{"id":4817,"date":"2024-08-12T13:00:00","date_gmt":"2024-08-12T18:00:00","guid":{"rendered":"https:\/\/www.darkreading.com\/vulnerabilities-threats\/clfs-bug-crashes-even-updated-windows-10-11-systems"},"modified":"2024-08-12T13:00:00","modified_gmt":"2024-08-12T18:00:00","slug":"clfs-bug-crashes-even-updated-windows-10-11-systems","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/08\/12\/clfs-bug-crashes-even-updated-windows-10-11-systems\/","title":{"rendered":"CLFS Bug Crashes Even Updated Windows 10, 11 Systems"},"content":{"rendered":"
<\/a><\/div>\n
<\/div>\n

A simple bug in the Common Log File System (CLFS) driver can instantly trigger the infamous blue screen of death across any recent versions of Windows.<\/span><\/p>\n

CLFS is a user- and kernel-mode logging service that helps applications record and manage logs. It’s also a popular <\/span>target for hacking<\/a><\/span>.<\/span><\/p>\n

While experimenting with its driver last year, a Fortra researcher discovered an improper validation of specified quantities in input data which allowed him to trigger system crashes at will. His proof of concept (PoC) exploit worked across all versions of Windows tested \u2014 including 10, 11, and Windows Server 2022 \u2014 even in the most up-to-date systems.<\/span><\/p>\n

“It’s very simple to run: run a binary, call a function, and that function causes the system to crash,” explains Tyler Reguly, associate director of security R&D at Fortra. To demonstrate just how simple it is, he adds that “I probably shouldn’t admit to this, but in dragging and dropping it from system to system today, I accidentally double clicked it, and I crashed my server.”<\/span><\/p>\n

BSoD From CLFS<\/h2>\n

The underlying issue \u2014 labeled CVE-2024-6768 \u2014 concerns base log files (BLFs), a type of CLFS file that contains metadata used for managing logs.<\/span><\/p>\n

The CLFS.sys driver, it seems, does not adequately validate the size of data within a particular field \u2014 “IsnOwnerPage” \u2014 in the BLF. Any attacker with access to a Windows system can craft a file with incorrect size information to, in effect, confuse the driver. Then, unable to resolve the inconsistency, it triggers KeBugCheckEx, the function that triggers a <\/span>blue screen crash<\/a><\/span>.<\/span><\/p>\n

CVE-2024-6768 has earned a “medium” 6.8 out of 10 score on the CVSS scale. It doesn’t affect the integrity or confidentiality of data, nor cause any kind of unauthorized system control. It does, however, allow for wanton crashes that can disrupt business operations or potentially cause data loss.<\/span><\/p>\n

Or, as Reguly explains, it can be paired with other exploits to greater effect. “It’s a good way for an attacker to maybe cover their tracks, or take down a service where they otherwise shouldn’t be able to, and I think that’s where the real risk comes in,” he says. “These systems reboot unexpectedly, [you] ignore the crash because it came back up and it’s fine now, but that might have been somebody hiding their activity \u2014 hiding the fact that they wanted it to reboot so that a new setting would take effect.”<\/span><\/p>\n

No Fix in Sight<\/h2>\n

Fortra first reported its findings last Dec. 20. After months of back and forth, Reguly says, Microsoft closed their investigation without acknowledging it as a vulnerability or applying a fix. Thus, as of this writing, it persists in Windows systems no matter how updated they are.<\/span><\/p>\n

In recent weeks, Windows Defender has been identifying Fortra’s PoC as malware. But besides running Windows Defender and trying to avoid running any binary that exploits it, there’s nothing organizations can do to deal with CVE-2024-6768 until Microsoft releases a patch.<\/span><\/p>\n

Dark Reading has reached out to Microsoft for its input on CVE-2024-6768.<\/span><\/p>\n

Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

A simple bug in the Common Log File System (CLFS)<\/p>\n","protected":false},"author":12,"featured_media":4818,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[809],"class_list":["post-4817","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-dark-reading"],"featured_image_urls":{"full":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/clfs-bug-crashes-even-updated-windows-10-11-systems-scaled.jpg?fit=2560%2C1441&ssl=1",2560,1441,false],"thumbnail":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/clfs-bug-crashes-even-updated-windows-10-11-systems-scaled.jpg?resize=150%2C150&ssl=1",150,150,true],"medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/clfs-bug-crashes-even-updated-windows-10-11-systems-scaled.jpg?fit=300%2C169&ssl=1",300,169,true],"medium_large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/clfs-bug-crashes-even-updated-windows-10-11-systems-scaled.jpg?fit=640%2C360&ssl=1",640,360,true],"large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/clfs-bug-crashes-even-updated-windows-10-11-systems-scaled.jpg?fit=640%2C360&ssl=1",640,360,true],"1536x1536":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/clfs-bug-crashes-even-updated-windows-10-11-systems-scaled.jpg?fit=1536%2C865&ssl=1",1536,865,true],"2048x2048":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/clfs-bug-crashes-even-updated-windows-10-11-systems-scaled.jpg?fit=2048%2C1153&ssl=1",2048,1153,true],"chromenews-featured":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/clfs-bug-crashes-even-updated-windows-10-11-systems-scaled.jpg?fit=1024%2C576&ssl=1",1024,576,true],"chromenews-large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/clfs-bug-crashes-even-updated-windows-10-11-systems-scaled.jpg?resize=825%2C575&ssl=1",825,575,true],"chromenews-medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/clfs-bug-crashes-even-updated-windows-10-11-systems-scaled.jpg?resize=590%2C410&ssl=1",590,410,true]},"author_info":{"display_name":"Dark Reading","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/darkreading\/"},"category_info":"Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/clfs-bug-crashes-even-updated-windows-10-11-systems-scaled.jpg?fit=2560%2C1441&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/4817","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=4817"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/4817\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media\/4818"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=4817"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=4817"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=4817"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}