Multiple Zero-Day Vulnerabilities Exploited in Windows CLFS Driver

December 22, 2023

The Windows Common Log File System (CLFS), a general-purpose, high-performance logging subsystem available to both user-mode and kernel-mode clients, has become a recurring target in recent years. Its driver runs in the kernel, so a flaw in how it parses a log file translates directly into a privilege-escalation primitive, and its performance-oriented on-disk design has produced a series of such flaws that ransomware actors in particular have found attractive. Boris Larin, a principal security researcher at Kaspersky's Global Research and Analysis Team, explains that "Kernel drivers should be very careful when handling files, because if a vulnerability is discovered, attackers can exploit it and gain system privileges". He goes on to criticize the design decisions in CLFS, stating that they have made it nearly impossible to parse these files securely, which is why similar vulnerabilities keep appearing.

Kernel zero-days in components such as Win32k are common, but the surge of CLFS driver exploits used in active attacks is unprecedented. The root cause identified is a design that prioritizes performance over security: Larin describes the file format as more akin to a "dump of kernel structures written to a file". The driver consumes offsets and sizes stored in that file largely as-is, so if an offset becomes corrupted, whether by accident or by an attacker who controls the file, the driver can read from or write to kernel memory outside the intended structure, with catastrophic consequences.
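To make the failure mode concrete, the following added example (not code from the article, from Kaspersky, or from the CLFS driver) contrasts a parser that trusts file-supplied offsets and lengths with one that validates them. The on-disk layout, the magic value, the record structure and the sample bytes are all constructed for illustration and are not the real CLFS format; the point is the pattern of reading kernel-style structures straight from a file.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/*
 * Constructed toy log format (an assumption for illustration only; this is
 * NOT the CLFS on-disk layout):
 *
 *   header : u32 magic, u32 nrecs, u32 offsets[nrecs]
 *   record : u32 len, u8 data[len]        (at each offset, measured from byte 0)
 *
 * Integers are little-endian and are read/written via memcpy so the code is
 * alignment- and strict-aliasing-safe regardless of how the buffer was made.
 */
#define TOY_MAGIC 0x4C594F54u
#define HDR_FIXED 8u                     /* magic + nrecs */

enum { TOY_OK = 0, TOY_BAD_MAGIC, TOY_TRUNCATED, TOY_BAD_OFFSET,
       TOY_BAD_LEN, TOY_OVERLAP };

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void     wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

/* UNSAFE: the "dump of structures" pattern. Every offset and length is used
 * exactly as found in the file. A corrupted or crafted offset turns the loop
 * into an out-of-bounds read (and, in a writer, an out-of-bounds write) at an
 * attacker-chosen location. Only ever call this on the well-formed sample. */
static uint64_t parse_unsafe(const uint8_t *buf) {
    uint64_t sum = 0;
    uint32_t nrecs = rd32(buf + 4);
    for (uint32_t i = 0; i < nrecs; i++) {
        uint32_t off = rd32(buf + HDR_FIXED + 4u * i);   /* unchecked */
        uint32_t len = rd32(buf + off);                  /* unchecked */
        for (uint32_t j = 0; j < len; j++) sum += buf[off + 4 + j];
    }
    return sum;
}

/* HARDENED: every file-supplied value is checked against the mapped size
 * before use, arithmetic is done in 64 bits so it cannot wrap, and records
 * must lie after the offset table, in order, without overlapping. */
static int parse_checked(const uint8_t *buf, size_t size, uint64_t *sum_out) {
    if (size < HDR_FIXED) return TOY_TRUNCATED;
    if (rd32(buf) != TOY_MAGIC) return TOY_BAD_MAGIC;
    uint32_t nrecs = rd32(buf + 4);
    uint64_t table_end = HDR_FIXED + 4ull * nrecs;       /* no 32-bit wrap */
    if (table_end > size) return TOY_TRUNCATED;

    uint64_t sum = 0, prev_end = table_end;
    for (uint32_t i = 0; i < nrecs; i++) {
        uint32_t off = rd32(buf + HDR_FIXED + 4u * i);
        if (off < prev_end) return TOY_OVERLAP;            /* into header/table/earlier record */
        if ((uint64_t)off + 4 > size) return TOY_BAD_OFFSET; /* len field itself out of bounds */
        uint32_t len = rd32(buf + off);
        if (len > size - off - 4) return TOY_BAD_LEN;      /* payload out of bounds */
        for (uint32_t j = 0; j < len; j++) sum += buf[off + 4 + j];
        prev_end = (uint64_t)off + 4 + len;
    }
    *sum_out = sum;
    return TOY_OK;
}

/* Build a constructed two-record sample file; returns its size (31 bytes).
 * A nonzero corrupt_off replaces the second record's offset, simulating
 * on-disk corruption or deliberate tampering. */
static size_t build_sample(uint8_t *buf, uint32_t corrupt_off) {
    static const uint8_t r0[] = {1, 2, 3};
    static const uint8_t r1[] = {10, 20, 30, 40};
    size_t off0 = HDR_FIXED + 8, off1 = off0 + 4 + sizeof r0;
    wr32(buf, TOY_MAGIC);
    wr32(buf + 4, 2);
    wr32(buf + HDR_FIXED, (uint32_t)off0);
    wr32(buf + HDR_FIXED + 4, corrupt_off ? corrupt_off : (uint32_t)off1);
    wr32(buf + off0, (uint32_t)sizeof r0); memcpy(buf + off0 + 4, r0, sizeof r0);
    wr32(buf + off1, (uint32_t)sizeof r1); memcpy(buf + off1 + 4, r1, sizeof r1);
    return off1 + 4 + sizeof r1;
}

/* Small wrappers returning checkable values. */
static uint64_t sum_unsafe_good(void) { uint8_t b[64]; build_sample(b, 0); return parse_unsafe(b); }
static uint64_t checked_sum_good(void) { uint8_t b[64]; size_t n = build_sample(b, 0); uint64_t s = 0; parse_checked(b, n, &s); return s; }
static int check_rc(uint32_t corrupt_off) { uint8_t b[64]; size_t n = build_sample(b, corrupt_off); uint64_t s; return parse_checked(b, n, &s); }

int main(void) {
    printf("unsafe parser, well-formed file: sum=%llu\n", (unsigned long long)sum_unsafe_good());
    printf("checked parser, well-formed file: sum=%llu\n", (unsigned long long)checked_sum_good());
    printf("offset that wraps 32-bit arithmetic: rc=%d (expect %d)\n", check_rc(0xFFFFFFFEu), TOY_BAD_OFFSET);
    printf("offset pointing into the header:    rc=%d (expect %d)\n", check_rc(4), TOY_OVERLAP);
    printf("offset whose len runs past EOF:     rc=%d (expect %d)\n", check_rc(27), TOY_BAD_LEN);
    return 0;
}
```

The three rejected cases are exactly the ones an unchecked parser gets wrong: a near-maximal offset that wraps if `off + 4` is computed in 32 bits, an offset that aliases the header so the "length" field is really some other metadata, and an offset whose length field reaches past the end of the mapping. In a kernel driver each of these becomes a read or write relative to an attacker-controlled pointer.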

The driver's design has resulted in a number of easily exploitable bugs. Since 2022, Kaspersky has documented five CLFS exploits. Four of the underlying vulnerabilities - CVE-2022-24521, CVE-2022-37969, CVE-2023-23376 and CVE-2023-28252 - were used as zero-days, exploited in the wild before a patch was available; the fifth was patched before any associated malicious activity was observed. All four zero-days were used by attackers, including the Nokoyawa ransomware group's use of CVE-2023-28252.

Without a redesign of CLFS, the driver is likely to keep handing attackers opportunities to escalate privileges. Larin advises organizations to follow established security practices: install security updates promptly, deploy security products on all endpoints, restrict access to servers, and train employees to recognize spear-phishing.
