Over the past 18 months, threat actors have exploited a series of vulnerabilities, including four zero-days, in a critical Windows kernel-mode driver. Reports from Kaspersky's Securelist this week not only document the individual flaws but point to a broader, systemic problem in the design of the Windows Common Log File System (CLFS).
CLFS is a high-performance logging system available to both user-mode and kernel-mode clients. Because the driver itself runs in the kernel, a bug in it is an attractive route for attackers seeking local privilege escalation to SYSTEM. Its performance-first design, however, has produced a string of security vulnerabilities in recent years, several of which ransomware operators have exploited.
Boris Larin, principal security researcher at Kaspersky's Global Research and Analysis Team, emphasizes the need for caution in handling files within kernel drivers. He explains that the design choices in Windows CLFS have made it nearly impossible to securely parse CLFS files, leading to a surge in similar vulnerabilities.
Larin points out a noteworthy observation: while zero-days at the Win32k level are not uncommon, the prevalence of CLFS driver exploits in active attacks within a single year raises concerns. He questions whether there is an inherent flaw in the CLFS driver, suggesting that it might be excessively optimized for performance at the expense of security.
The crux of the issue, Larin notes, is that the CLFS driver's heavy emphasis on performance has produced a file format that favours speed over a secure structure. The driver constantly parses kernel structures using relative offsets, which becomes dangerous whenever those offsets can be altered in memory during execution. The same offsets are stored in the on-disk BLF file, so an attacker who edits them there can make structures overlap, with unforeseen consequences when the driver later reads and writes through them.
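To make that failure mode concrete, the following is an added example in C, not code from the page, from Kaspersky, or from Microsoft. It uses a toy container format invented for this illustration (it is not the real BLF layout): a header holds offsets, relative to the start of the buffer, that locate variable-sized records. The first parser trusts the offsets as a performance-first design might; the second rejects offsets that fall outside the buffer, sizes that do not fit, and records that overlap the header or each other. All names here (`SAMPLE_MAGIC`, `parse_untrusted`, `parse_checked`, `build_sample`) are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical, simplified offset-based container (NOT the real CLFS/BLF
 * layout): a fixed header carries a table of offsets, each relative to the
 * start of the buffer, that locate variable-sized records. */
#define SAMPLE_MAGIC 0x4C424600u
#define MAX_RECORDS  8

struct hdr {
    uint32_t magic;
    uint32_t count;                 /* number of valid entries in rec_off */
    uint32_t rec_off[MAX_RECORDS];  /* relative offsets of the records */
};

struct rec {
    uint32_t size;    /* total record size in bytes, this header included */
    uint32_t type;
    uint8_t  data[];  /* size - sizeof(struct rec) payload bytes */
};

/* Vulnerable pattern: every offset in the file is trusted as-is. Tampered
 * offsets can make two records alias the same bytes, or point outside the
 * buffer, so a later write through one record silently corrupts another. */
int parse_untrusted(uint8_t *buf, size_t len, struct rec **out)
{
    struct hdr *h = (struct hdr *)buf;
    if (len < sizeof *h || h->magic != SAMPLE_MAGIC || h->count > MAX_RECORDS)
        return -1;
    for (uint32_t i = 0; i < h->count; i++)
        out[i] = (struct rec *)(buf + h->rec_off[i]);   /* no range or overlap check */
    return (int)h->count;
}

/* Hardened pattern: each offset is range-checked with overflow-safe
 * arithmetic, each record's declared size must fit inside the buffer, and
 * no record may overlap the header or any record accepted before it.
 * Returns the record count, or a negative code naming the failed check. */
int parse_checked(uint8_t *buf, size_t len, struct rec **out)
{
    struct hdr *h = (struct hdr *)buf;
    if (len < sizeof *h || h->magic != SAMPLE_MAGIC || h->count > MAX_RECORDS)
        return -1;
    for (uint32_t i = 0; i < h->count; i++) {
        size_t off = h->rec_off[i];
        /* start after the header, stay 4-byte aligned, leave room for the
         * record header; comparing against len - sizeof(struct rec) rather
         * than computing off + sizeof(struct rec) cannot overflow */
        if (off < sizeof *h || off % 4 != 0 || off > len - sizeof(struct rec))
            return -2;
        struct rec *r = (struct rec *)(buf + off);
        size_t size = r->size;
        if (size < sizeof *r || size > len - off)   /* declared size must fit */
            return -3;
        for (uint32_t j = 0; j < i; j++) {          /* reject overlapping records */
            size_t o2 = (size_t)((uint8_t *)out[j] - buf), s2 = out[j]->size;
            if (off < o2 + s2 && o2 < off + size)
                return -4;
        }
        out[i] = r;
    }
    return (int)h->count;
}

/* Constructed sample file: header plus two 16-byte records at offsets 40 and
 * 56. rec1_off is the second record's table entry, so a caller can simulate
 * an on-disk edit that redirects it (onto record 0, or past the end). */
size_t build_sample(uint8_t *buf, size_t cap, uint32_t rec1_off)
{
    struct hdr h = { SAMPLE_MAGIC, 2, { (uint32_t)sizeof(struct hdr), rec1_off } };
    struct rec r = { 16, 1 };
    size_t total = sizeof h + 32;
    if (cap < total)
        return 0;
    memset(buf, 0, cap);
    memcpy(buf, &h, sizeof h);
    memcpy(buf + sizeof h, &r, sizeof r);          /* record 0 at offset 40 */
    r.type = 2;
    memcpy(buf + sizeof h + 16, &r, sizeof r);     /* record 1 at offset 56 */
    return total;
}

int main(void)
{
    uint8_t buf[128];
    struct rec *out[MAX_RECORDS];
    size_t n = build_sample(buf, sizeof buf, 56);          /* well-formed file */
    printf("checked, valid:        %d\n", parse_checked(buf, n, out));
    n = build_sample(buf, sizeof buf, 40);                 /* record 1 aliases record 0 */
    printf("untrusted, aliased:    %d (same record twice: %d)\n",
           parse_untrusted(buf, n, out), out[0] == out[1]);
    printf("checked, aliased:      %d\n", parse_checked(buf, n, out));
    n = build_sample(buf, sizeof buf, 100);                /* offset past the end */
    printf("checked, out of range: %d\n", parse_checked(buf, n, out));
    return 0;
}
```

The overlap test is the one a performance-tuned parser is most likely to skip, because it costs a pass over the records already accepted rather than a single comparison. With the aliased sample, `parse_untrusted` happily hands back the same record twice, which is exactly the situation in which a legitimate update to one structure becomes a write into another.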
Between April 2022 and April 2023, four high-severity CLFS vulnerabilities, CVE-2022-24521, CVE-2022-37969, CVE-2023-23376 and CVE-2023-28252, each rated 7.8 on the CVSS scale, were exploited as zero-days before patches were available. Kaspersky identified malicious activity tied to these flaws, including the Nokoyawa ransomware group's exploitation of CVE-2023-28252.
Unless the driver is redesigned, CLFS will remain an attractive target for attackers looking for privilege-escalation opportunities. Larin recommends that organizations follow established security practices: install security updates promptly, deploy security products on every endpoint, restrict access to servers, watch antivirus detections closely, and train employees so they do not fall victim to the spear-phishing that typically delivers the initial foothold.