Researchers Reveal Detail for Windows Zero-Day Vulnerability Patched Last Month

Details have emerged about a now-patched security flaw in
Windows Common Log File System (CLFS) that could be exploited by an
attacker to gain elevated permissions on compromised machines.

Tracked as CVE-2022-37969[1]
(CVSS score: 7.8), the issue was addressed by Microsoft as part of
its Patch Tuesday updates for September 2022, while also noting
that it was being actively exploited in the wild.

“An attacker must already have access and the ability to run
code on the target system,” the company noted[2]
in its advisory. “This technique does not allow for remote code
execution in cases where the attacker does not already have that
ability on the target system.”

It also credited researchers from CrowdStrike, DBAPPSecurity,
Mandiant, and Zscaler for reporting the vulnerability without
delving into additional specifics surrounding the nature of the
attacks.

CyberSecurity

Now, the Zscaler ThreatLabz researcher team has disclosed[3]
that it captured an in-the-wild exploit for the then zero-day on
September 2, 2022.

“The cause of the vulnerability is due to the lack of a strict
bounds check on the field cbSymbolZone in the Base Record Header
for the base log file (BLF) in CLFS.sys,” the cybersecurity firm
said in a root cause analysis shared with The Hacker News.

“If the field cbSymbolZone is set to an invalid offset, an
out-of-bounds write[4]
will occur at the invalid offset.”

Windows Zero-Day Vulnerability

CLFS is a general-purpose logging service[5] that can be used by
software applications running in both user-mode or kernel-mode to
record data as well as events and optimize log access.

Some of the use cases associated with CLFS include online
transaction processing (OLTP), network events logging, compliance
audits, and threat analysis.

According to Zscaler, the vulnerability is rooted in a metadata
block called base record that’s present in a base log file[6], which is generated when
a log file is created using the CreateLogFile() function.

CyberSecurity

“[Base record] contains the symbol tables[7]
that store information on the various client, container and
security contexts associated with the Base Log File, as well as
accounting information on these,” according to Alex
Ionescu
[8], chief architect at
Crowdstrike.

As a result, a successful exploitation of CVE-2022-37969 via a
specially crafted base log file could lead to memory corruption,
and by extension, induce a system crash (aka blue screen of death
or BSoD[9]) in a reliable
manner.

That said, a system crash is just one of the outcomes that
arises out of leveraging the vulnerability, for it could also be
weaponized to achieve privilege escalation.

Zscaler has further made available proof-of-concept (PoC)
instructions to trigger the security hole, making it essential that
users of Windows upgrade to the latest version to mitigate
potential threats.

References

  1. ^
    CVE-2022-37969
    (thehackernews.com)
  2. ^
    noted
    (msrc.microsoft.com)
  3. ^
    disclosed
    (www.zscaler.com)
  4. ^
    out-of-bounds write
    (cwe.mitre.org)
  5. ^
    general-purpose logging service
    (learn.microsoft.com)
  6. ^
    base log
    file
    (learn.microsoft.com)
  7. ^
    symbol
    tables
    (en.wikipedia.org)
  8. ^
    Alex
    Ionescu
    (github.com)
  9. ^
    BSoD
    (en.wikipedia.org)

Read more

Leave a Reply