February 1, 2024 at 10:42AM
Free unofficial patches are available for the Windows zero-day flaw EventLogCrasher, which affects all versions from Windows 7 to Windows 11 and the corresponding server editions. The vulnerability lets an attacker remotely crash the Event Log service, which blinds Security Information and Event Management (SIEM) systems that depend on its events. 0patch has released micropatches for affected systems to cover the gap until an official fix is available.
Key takeaways from the report:
1. A new Windows zero-day flaw named EventLogCrasher has been discovered, enabling attackers to remotely crash the Event Log service on devices within the same Windows domain.
2. All versions of Windows, from Windows 7 to Windows 11, and from Server 2008 R2 to Server 2022, are affected by this vulnerability.
3. The vulnerability was reported to the Microsoft Security Response Center team by a security researcher known as Florian. Microsoft has categorized it as not meeting servicing requirements and as a duplicate of a 2022 bug. Varonis has also disclosed a similar flaw named LogCrusher.
4. Exploitation requires only network connectivity to the target device and valid credentials; the default Windows Firewall configuration does not block the RPC traffic involved.
5. The EventLogCrasher crash occurs in wevtsvc!VerifyUnicodeString when a malformed UNICODE_STRING object is passed to the ElfrRegisterEventSourceW method exposed by the RPC-based EventLog Remoting Protocol (MS-EVEN).
6. A crash of the Event Log service directly impacts SIEM and Intrusion Detection Systems (IDS): they receive no new events from the host and therefore cannot raise alerts on anything that happens there. Events raised while the service is down are not recorded, so the outage also leaves a gap in the host's own audit trail.
7. The 0patch micropatching service has released unofficial patches for most affected Windows versions as a temporary measure until Microsoft releases official security updates.
8. The micropatches are free: create a 0patch account and install the 0patch agent on the affected Windows device. The micropatch is applied automatically, without a system restart, unless a custom patching policy is in place that blocks it.
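The service crash described in points 5 and 6 leaves traces on the host even though the host stops reporting to the SIEM. The script below is an added example, not code from the article or from 0patch, of the host-side checks a responder would run: current service state, the Service Control Manager (SCM) recovery policy that decides how long the host stays dark, SCM records of unexpected terminations, and service starts that were not part of a boot. It assumes the Windows Event Log service name "EventLog", SCM event IDs 7031/7034 for unexpected service termination, EventLog provider event 6005 for service start, Kernel-General event 12 for OS start, and the English display name "Windows Event Log" in the SCM message text; the five-minute boot window is illustrative.

```powershell
# Added example (not from the article or 0patch): host-side checks for an
# Event Log service outage of the kind EventLogCrasher causes. Assumptions,
# all labelled in the lead-in: service name "EventLog", SCM events 7031/7034,
# EventLog provider event 6005, Kernel-General event 12, English message text.
# Run in an elevated PowerShell session.

param([int]$LookbackHours = 24)

$since = (Get-Date).AddHours(-$LookbackHours)

# 1. Current state. A stopped service drops every new event; nothing is queued.
#    Note that Get-WinEvent itself needs the service, so the queries below
#    return nothing while it is down; that is why -ErrorAction is set.
$svc = Get-Service -Name EventLog
"EventLog service: $($svc.Status)"

# 2. Recovery policy. This decides whether one malformed RPC request costs a
#    minute of telemetry or leaves the host unmonitored until someone notices.
"Recovery actions (sc.exe qfailure):"
sc.exe qfailure EventLog

# 3. Unexpected terminations recorded by the SCM. The message filter assumes
#    the English display name "Windows Event Log".
$crashes = @(Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7031, 7034
        StartTime    = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*Windows Event Log*' })
"Unexpected EventLog terminations in the last $LookbackHours h: $($crashes.Count)"
$crashes | Select-Object TimeCreated, Id | Format-Table -AutoSize

# 4. Service starts (6005) not attributable to a boot (Kernel-General 12 within
#    five minutes). Each such start is a restart after a stop or a crash.
$starts = @(Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'EventLog'; Id = 6005; StartTime = $since
    } -ErrorAction SilentlyContinue)
$boots = @(Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-Kernel-General'; Id = 12; StartTime = $since
    } -ErrorAction SilentlyContinue)
$unexpected = @($starts | Where-Object {
    $t = $_.TimeCreated
    -not ($boots | Where-Object { [math]::Abs(($_.TimeCreated - $t).TotalMinutes) -lt 5 })
})
"EventLog service starts not attributable to a boot: $($unexpected.Count)"
$unexpected | Select-Object TimeCreated | Format-Table -AutoSize

# 5. Verdict. A host in this state sent no alert of its own, so the finding has
#    to be raised here and matched against the ingestion gap seen on the SIEM.
if ($svc.Status -ne 'Running' -or $crashes.Count -gt 0 -or $unexpected.Count -gt 0) {
    Write-Warning "Event Log service on $env:COMPUTERNAME shows signs of an outage; check the SIEM for an ingestion gap from this host."
}
```

The SIEM-side counterpart is the mirror image: a host whose event stream goes silent while it is still reachable is itself the alert, since the crash guarantees that the host will not report the attacker's subsequent activity.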