Brother
Professional
A long-standing weak spot in the Windows kernel's logging driver puts user data at risk.
A recent Kaspersky Lab study showed that since June 2022, attackers have been actively exploiting a series of vulnerabilities in the Windows CLFS driver as part of sophisticated, targeted attacks. In total, five different exploits were identified, all aimed at the same kernel driver (clfs.sys), covering among others CVE-2022-24521, CVE-2022-37969, CVE-2023-23376 and CVE-2023-28252.
CLFS (Common Log File System), shipped since Windows Server 2003 R2 and Windows Vista, is a general-purpose logging subsystem that runs at kernel level. A key element of it is the base log file (BLF), which holds the log's metadata.
During the study, Kaspersky Lab specialists found that the BLF file format itself is the weak point: the on-disk format stores kernel memory structures, including raw memory pointers, so a crafted file can feed attacker-controlled values straight into kernel data structures. Since 2018, more than 30 CLFS-related vulnerabilities have been fixed, which confirms that the threat is real.
A detailed look at the BLF format showed that such files consist of records stored in blocks. The blocks have a complex structure with headers and arrays of offsets that point to the records within the block.
Although CLFS was designed for performance, its complexity and aging code base make it fertile ground for bugs. An offset inside a block that is not validated against the block's boundaries lets a crafted file make the driver read or write outside the intended structure, and in the attacks described this is what gave attackers local privilege escalation.
The study highlights the importance of careful development and maintenance of security-critical components, especially in core parts of the operating system. The questions raised about the security of CLFS require further attention and possibly a thorough revision of how such data is protected.
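To make the offset problem concrete, here is an added example in C written for this post; it is not code from Kaspersky Lab and not Microsoft's CLFS driver. It uses a deliberately simplified, hypothetical block layout rather than the real BLF structures: a small header with a record count and an array of record offsets, followed by length-prefixed records somewhere in the same fixed-size block. The unchecked parser trusts every offset it finds in the file, which is the pattern that turns a malformed file into a kernel memory corruption; the hardened parser rejects an offset that leaves the block, one that lands back inside the header (overlapping the offset table), and a record length that runs past the end. All sample blocks are constructed inline.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical, simplified log-block layout used only for this example.
 * It is NOT the real CLFS BLF layout: a header holds a record count and a
 * table of byte offsets (relative to the block start) at which variable-
 * length records live inside the same fixed-size block. */
#define BLOCK_SIZE  512u
#define MAX_RECORDS 4u

struct block_header {
    uint16_t record_count;            /* valid entries in record_off[]      */
    uint16_t record_off[MAX_RECORDS]; /* offsets of records within the block */
};                                    /* 10 bytes in total                   */

/* Each record: 16-bit payload length followed by the payload bytes. */

enum parse_status { PARSE_OK = 0, PARSE_BAD_COUNT, PARSE_BAD_OFFSET, PARSE_BAD_LENGTH };

/* Vulnerable pattern: every offset read from the file is trusted, so a
 * crafted offset makes block + off point anywhere around the buffer.
 * Only ever call this on input that is already known to be well formed. */
size_t parse_block_unchecked(const uint8_t *block)
{
    struct block_header hdr;
    memcpy(&hdr, block, sizeof hdr);
    size_t total = 0;
    for (unsigned i = 0; i < hdr.record_count; i++) {
        uint16_t len;
        memcpy(&len, block + hdr.record_off[i], sizeof len); /* no bounds check */
        total += len;
    }
    return total;
}

/* True when [off, off + need) lies inside the block and after the header.
 * Written as need <= block_size - off to avoid integer overflow in off + need. */
static int range_ok(size_t off, size_t need, size_t block_size)
{
    return off >= sizeof(struct block_header) &&
           off <= block_size &&
           need <= block_size - off;
}

/* Hardened parser: validates every offset and length before dereferencing. */
enum parse_status parse_block_checked(const uint8_t *block, size_t block_size, size_t *total_out)
{
    struct block_header hdr;
    if (block_size < sizeof hdr) return PARSE_BAD_OFFSET;
    memcpy(&hdr, block, sizeof hdr);
    if (hdr.record_count > MAX_RECORDS) return PARSE_BAD_COUNT;

    size_t total = 0;
    for (unsigned i = 0; i < hdr.record_count; i++) {
        size_t off = hdr.record_off[i];
        if (!range_ok(off, sizeof(uint16_t), block_size)) return PARSE_BAD_OFFSET;
        uint16_t len;
        memcpy(&len, block + off, sizeof len);
        if (!range_ok(off + sizeof(uint16_t), len, block_size)) return PARSE_BAD_LENGTH;
        total += len;
    }
    *total_out = total;
    return PARSE_OK;
}

static void put16(uint8_t *p, uint16_t v) { memcpy(p, &v, sizeof v); }

/* Constructed sample input: two well-formed records, "hello" and "abc". */
void build_sample_block(uint8_t *buf)
{
    memset(buf, 0, BLOCK_SIZE);
    put16(buf + 0, 2);                          /* record_count  */
    put16(buf + 2, 16);                         /* record_off[0] */
    put16(buf + 4, 32);                         /* record_off[1] */
    put16(buf + 16, 5); memcpy(buf + 18, "hello", 5);
    put16(buf + 32, 3); memcpy(buf + 34, "abc", 3);
}

/* Tampered variants, each mirroring one way a file offset can go wrong. */
void build_offset_past_end(uint8_t *buf)    { build_sample_block(buf); put16(buf + 2, 600); }    /* record beyond block */
void build_offset_into_header(uint8_t *buf) { build_sample_block(buf); put16(buf + 2, 4); }      /* record overlaps offset table */
void build_length_past_end(uint8_t *buf)    { build_sample_block(buf); put16(buf + 32, 0xFFFF); } /* 65535-byte payload claimed */

int main(void)
{
    uint8_t blk[BLOCK_SIZE];
    size_t total = 0;
    build_sample_block(blk);
    printf("unchecked, benign input only: %zu payload bytes\n", parse_block_unchecked(blk));
    printf("checked, benign: status %d, %zu bytes\n", parse_block_checked(blk, BLOCK_SIZE, &total), total);
    build_offset_past_end(blk);
    printf("checked, offset past end: status %d\n", parse_block_checked(blk, BLOCK_SIZE, &total));
    build_offset_into_header(blk);
    printf("checked, offset into header: status %d\n", parse_block_checked(blk, BLOCK_SIZE, &total));
    build_length_past_end(blk);
    printf("checked, length past end: status %d\n", parse_block_checked(blk, BLOCK_SIZE, &total));
    return 0;
}
```

The three rejected cases are the ones that matter in practice: an offset past the end of the block is a plain out-of-bounds access, an offset pointing back into the header lets a record overlap the very table that describes it, and an oversized length turns a later copy into a kernel heap overrun. The benign block is the only input the unchecked parser is ever run on here, because on the tampered ones its behaviour is undefined.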