In the final 12 months and a half, attackers have exploited a minimum of 5 vulnerabilities — together with 4 zero-days — in a delicate, kernel-level Windows driver.
A collection of reviews printed by Kaspersky’s Securelist this week lays out not only a handful of bugs, however a bigger, extra systemic challenge within the present implementation of the Windows Common Log File System (CLFS).
CLFS is a high-performance, general-purpose logging system out there for user- or kernel-mode software program purchasers. Its kernel entry makes it eminently helpful for hackers searching for low-level system privileges, and its performance-oriented design has left a collection of safety holes in its wake lately, which ransomware actors particularly have pounced on.
“Kernel drivers needs to be very cautious when dealing with information, as a result of if a vulnerability is found, attackers can exploit it and achieve system privileges,” Boris Larin, principal safety researcher at Kaspersky’s Global Research and Analysis Team, tells Dark Reading. Unfortunately, “design selections in Windows CLFS have made it almost unimaginable to securely parse these CLFS information, which led to the emergence of an enormous variety of related vulnerabilities.”
The Problem With Windows CLFS
Win32k-level zero-days aren’t solely unusual, Larin conceded in his analysis. However, he wrote, “we had by no means seen so many CLFS driver exploits being utilized in lively assaults earlier than, after which all of a sudden there are such a lot of of them captured in only one 12 months. Is there one thing significantly mistaken with the CLFS driver?”
Nothing particularly modified concerning the CLFS driver this 12 months. Rather, attackers appear to have simply now recognized what was mistaken with it this entire time: It leans too far left in that inescapable, everlasting steadiness between efficiency and safety.
“CLFS is maybe means too ‘optimized for efficiency,'” Larin wrote, detailing all the varied methods the driving force prioritizes it over safety. “It can be higher to have an inexpensive file format as a substitute of a dump of kernel constructions written to a file. All the work with these kernel constructions (with pointers) occurs proper there within the blocks learn from disk. Because adjustments are made to the blocks and kernel constructions saved there, and people adjustments should be flushed to disk, the code parses the blocks over and over each time it must entry one thing.”
He added, “All this parsing is finished utilizing relative offsets, which may level to any location inside a block. If one in all these offsets turns into corrupted in reminiscence throughout execution, the results will be catastrophic. But maybe worst of all, offsets within the BLF file on disk will be manipulated in such a means that completely different constructions overlap, resulting in unexpected penalties.”
The sum of all of those design decisions is efficient knowledge and occasion logging, but additionally loads of simply exploitable bugs. In 2023 alone there have been CVE-2022-24521, CVE-2022-37969, CVE-2023-23376, CVE-2023-28252 — all high-severity, 7.8-rated on the CVSS scale — used as zero-days, in addition to a fifth vulnerability that was patched earlier than any related malicious exercise was noticed within the wild. All of those had been leveraged by attackers, Kaspersky discovered — together with, for instance, the Nokoyawa ransomware group’s exploitation of CVE-2023-28252.
Without some kind of redesign, CLFS might nicely proceed to supply escalation alternatives for hackers. To put together for that, Larin suggests, “organizations ought to concentrate on implementing the most effective safety practices: all the time set up safety updates on time, set up safety merchandise on all endpoints, prohibit entry to their servers and pay large consideration to anti-virus detections coming from the servers, prepare staff in order that they don’t change into victims of spear-phishing.”