December 22, 2023 at 03:14PM
Attackers have exploited five vulnerabilities, including four zero-days, in a sensitive Windows kernel-level driver, exposing a systemic issue in the Windows Common Log File System (CLFS). The high-performance logging subsystem, a frequent target for attackers seeking low-level system privileges, suffers from design flaws that have led to a series of easily exploited bugs. Without a redesign, it poses an ongoing security risk.
The meeting notes highlight the concerns raised by Kaspersky’s Securelist regarding the vulnerabilities in the Windows Common Log File System (CLFS) and the associated kernel-level Windows driver. The vulnerabilities, including zero-days, have led to a systemic issue in the current implementation of CLFS, making it a target for attackers seeking low-level system privileges.
Boris Larin, principal security researcher at Kaspersky, emphasized the dangers posed by the design decisions in Windows CLFS, which have led to numerous exploitable vulnerabilities. The performance-oriented design of CLFS has resulted in a multitude of security holes, with ransomware actors taking advantage of these weaknesses.
The report identified several high-severity vulnerabilities, including CVE-2022-24521, CVE-2022-37969, CVE-2023-23376, and CVE-2023-28252, which were all exploited as zero-days. Additionally, the Nokoyawa ransomware group leveraged CVE-2023-28252.
The root cause of the vulnerabilities is attributed to CLFS being over-optimized for performance at the expense of security. Because CLFS parses its files using relative offsets, corruption of those offsets can have catastrophic consequences; the design choices have produced an effective logging system but also numerous exploitable bugs.
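To make the relative-offset point concrete, here is an added illustration (not code from Kaspersky's report or from Windows) of the check a parser should apply before following such an offset. The block layout, the magic value and the function names are constructed for the example and are not the real CLFS on-disk format.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>
#include <limits.h>

/* Constructed toy layout, NOT the real CLFS on-disk format: a block starts
 * with a header whose fields are offsets relative to the block start. */
typedef struct {
    uint32_t magic;      /* constructed marker value */
    uint32_t entry_off;  /* offset of the entry, relative to the block start */
    uint32_t entry_len;  /* length of the entry in bytes */
} block_hdr_t;

#define TOY_MAGIC 0x53464C43u  /* constructed: "CLFS" as little-endian bytes */

/* True only if [off, off+len) lies entirely inside a block of block_len
 * bytes. The subtraction order avoids the off+len wraparound that a naive
 * "off + len <= block_len" test would miss. */
static bool range_in_block(size_t block_len, size_t off, size_t len) {
    if (off > block_len) return false;
    return len <= block_len - off;
}

/* Hardened parse: every relative offset is validated before it is used.
 * Returns the entry length on success, -1 if the block is malformed.
 * An unchecked parser would compute block + hdr.entry_off directly, so a
 * corrupted offset would become an out-of-bounds read inside the kernel. */
int parse_block(const uint8_t *block, size_t block_len, const uint8_t **entry) {
    block_hdr_t hdr;
    if (block == NULL || block_len < sizeof hdr) return -1;
    memcpy(&hdr, block, sizeof hdr);           /* copy; never alias raw bytes */
    if (hdr.magic != TOY_MAGIC) return -1;
    if (hdr.entry_off < sizeof hdr) return -1; /* entry must not overlap header */
    if (!range_in_block(block_len, hdr.entry_off, hdr.entry_len)) return -1;
    if (hdr.entry_len > INT_MAX) return -1;
    if (entry) *entry = block + hdr.entry_off;
    return (int)hdr.entry_len;
}

/* Builds a constructed block (well-formed or corrupted, depending on the
 * offset/length given) for demonstration; returns the bytes written. */
size_t build_block(uint8_t *buf, size_t cap, uint32_t off, uint32_t len) {
    block_hdr_t hdr = { TOY_MAGIC, off, len };
    if (cap < sizeof hdr) return 0;
    memset(buf, 0, cap);
    memcpy(buf, &hdr, sizeof hdr);
    return cap;
}
```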
To address the ongoing risks, Larin recommended that organizations prioritize security best practices: timely installation of security updates, deployment of security products on all endpoints, access restrictions on servers, and employee training to avoid falling victim to spear-phishing attacks. Without a redesign of CLFS, the potential for attackers to find further privilege-escalation opportunities remains a significant concern.