CLFS Bug Crashes Even Updated Windows 10, 11 Systems

UPDATE

A simple bug in the Common Log File System (CLFS) driver can instantly trigger the infamous blue screen of death across any recent versions of Windows.

CLFS is a user- and kernel-mode logging service that helps applications record and manage logs. It's also a popular target for hacking.

While experimenting with its driver last year, a Fortra researcher discovered an improper validation of specified quantities in input data which allowed him to trigger system crashes at will. His proof of concept (PoC) exploit worked across all versions of Windows tested — including 10, 11, and Windows Server 2022 — even in the most up-to-date systems.

"It's very simple to run: run a binary, call a function, and that function causes the system to crash," explains Tyler Reguly, associate director of security R&D at Fortra. To demonstrate just how simple it is, he adds that "I probably shouldn't admit to this, but in dragging and dropping it from system to system today, I accidentally double clicked it, and I crashed my server."

BSoD From CLFS

The underlying issue — labeled CVE-2024-6768 — concerns base log files (BLFs), a type of CLFS file that contains metadata used for managing logs.

The CLFS.sys driver, it seems, does not adequately validate the size of data within a particular field — "IsnOwnerPage" — in the BLF. Any attacker with access to a Windows system can craft a file with incorrect size information to, in effect, confuse the driver. Then, unable to resolve the inconsistency, it triggers KeBugCheckEx, the function that triggers a blue screen crash.

CVE-2024-6768 has earned a "medium" 6.8 out of 10 score on the CVSS scale. It doesn't affect the integrity or confidentiality of data, nor cause any kind of unauthorized system control. It does, however, allow for wanton crashes that can disrupt business operations or potentially cause data loss.

Or, as Reguly explains, it can be paired with other exploits to greater effect. "It's a good way for an attacker to maybe cover their tracks, or take down a service where they otherwise shouldn't be able to, and I think that's where the real risk comes in," he says. "These systems reboot unexpectedly, [you] ignore the crash because it came back up and it's fine now, but that might have been somebody hiding their activity — hiding the fact that they wanted it to reboot so that a new setting would take effect."

No Fix in Sight

Fortra first reported its findings last Dec. 20. After months of back and forth, Reguly says, Microsoft closed their investigation without acknowledging it as a vulnerability or applying a fix. Thus, as of this writing, it persists in Windows systems no matter how updated they are.

In recent weeks, Windows Defender has been identifying Fortra's PoC as malware. But besides running Windows Defender and trying to avoid running any binary that exploits it, there's nothing organizations can do to deal with CVE-2024-6768 until Microsoft releases a patch.

A Microsoft spokesperson clarified the company's position on the issue. "We have reviewed this report and have found that it does not meet the bar for immediate servicing under our severity classification guidelines and we will consider it for a future product update," the spokesperson said in a statement. "The technique described requires an attacker to have already gained code execution capabilities on the target machine and it does not grant elevated permissions. We encourage customers to practice good computing habits online, including exercising caution when running programs that are not recognized by the user."

This story was updated at 4:21pm ET on Aug. 13 to include Microsoft's comments.