Within the final yr and a half, attackers have exploited at the very least 5 vulnerabilities — together with 4 zero-days — in a delicate, kernel-level Home windows driver.
A collection of reviews revealed by Kaspersky’s Securelist this week lays out not only a handful of bugs, however a bigger, extra systemic situation within the present implementation of the Home windows Frequent Log File System (CLFS).
CLFS is a high-performance, general-purpose logging system out there for user- or kernel-mode software program purchasers. Its kernel entry makes it eminently helpful for hackers looking for low-level system privileges, and its performance-oriented design has left a collection of safety holes in its wake lately, which ransomware actors specifically have pounced on.
“Kernel drivers ought to be very cautious when dealing with information, as a result of if a vulnerability is found, attackers can exploit it and achieve system privileges,” Boris Larin, principal safety researcher at Kaspersky’s International Analysis and Evaluation Workforce, tells Darkish Studying. Sadly, “design selections in Home windows CLFS have made it almost not possible to securely parse these CLFS information, which led to the emergence of an enormous variety of comparable vulnerabilities.”
The Downside With Home windows CLFS
Win32k-level zero-days aren’t totally unusual, Larin conceded in his analysis. Nevertheless, he wrote, “we had by no means seen so many CLFS driver exploits being utilized in lively assaults earlier than, after which out of the blue there are such a lot of of them captured in only one yr. Is there one thing significantly improper with the CLFS driver?”
Nothing specifically modified concerning the CLFS driver this yr. Reasonably, attackers appear to have simply now recognized what was improper with it this complete time: It leans too far left in that inescapable, everlasting steadiness between efficiency and safety.
“CLFS is probably manner too ‘optimized for efficiency,'” Larin wrote, detailing the entire numerous methods the driving force prioritizes it over safety. “It might be higher to have an affordable file format as a substitute of a dump of kernel constructions written to a file. All of the work with these kernel constructions (with pointers) occurs proper there within the blocks learn from disk. As a result of modifications are made to the blocks and kernel constructions saved there, and people modifications must be flushed to disk, the code parses the blocks time and again each time it must entry one thing.”
He added, “All this parsing is completed utilizing relative offsets, which may level to any location inside a block. If one in every of these offsets turns into corrupted in reminiscence throughout execution, the results could be catastrophic. However maybe worst of all, offsets within the BLF file on disk could be manipulated in such a manner that completely different constructions overlap, resulting in unexpected penalties.”
The sum of all of those design decisions is efficient information and occasion logging, but additionally loads of simply exploitable bugs. In 2023 alone there have been CVE-2022-24521, CVE-2022-37969, CVE-2023-23376, CVE-2023-28252 — all high-severity, 7.8-rated on the CVSS scale — used as zero-days, in addition to a fifth vulnerability that was patched earlier than any related malicious exercise was noticed within the wild. All of those have been leveraged by attackers, Kaspersky discovered — together with, for instance, the Nokoyawa ransomware group’s exploitation of CVE-2023-28252.
With out some kind of redesign, CLFS might properly proceed to supply escalation alternatives for hackers. To arrange for that, Larin suggests, “organizations ought to give attention to implementing the perfect safety practices: at all times set up safety updates on time, set up safety merchandise on all endpoints, prohibit entry to their servers and pay large consideration to anti-virus detections coming from the servers, prepare workers in order that they don’t grow to be victims of spear-phishing.”
