EventLogCrasher: a 0day that blinds an entire Windows network

The new vulnerability leaves log-based security monitoring blind.

A new Windows vulnerability, dubbed EventLogCrasher, lets an attacker remotely crash the Windows Event Log service on any device in the same Windows domain. All the attacker needs is network access to the target and any valid domain credentials, even those of a low-privileged account.

The vulnerability affects every version of Windows from Windows 7 through the latest Windows 11, and from Windows Server 2008 R2 through Server 2022. It was found by a security researcher known as Florian, who reported it to the Microsoft Security Response Center (MSRC) and also published a proof-of-concept (PoC). According to Florian, Microsoft replied that the issue does not meet its bar for servicing and is a duplicate of a bug reported in 2022, without giving further details.

A similar vulnerability, LogCrusher, disclosed by Varonis in 2022, is also still unfixed; it lets any domain user remotely crash the Event Log application on any Windows computer in the domain.

As Florian explains, the crash occurs in wevtsvc!VerifyUnicodeString when an attacker passes a malformed UNICODE_STRING to the ElfrRegisterEventSourceW method of the RPC-based EventLog Remoting Protocol (MS-EVEN), which is reachable over the network by any authenticated user.

The consequences of losing the Event Log service are serious: Security Information and Event Management (SIEM) and Intrusion Detection System (IDS) tooling that consumes Windows event logs stops receiving new events, so nothing that happens during the outage can trigger an alert.

Fortunately, security and system events generated while the service is down are queued in memory and are written to the event logs once the service is running again. Queued events can still be lost, however, if the queue fills up or the attacked system is rebooted or shut down before the service comes back.

The 0patch micropatching service notes that a low-privileged attacker can crash the Event Log service both on the local machine and on any other Windows computer on the network to which they can authenticate. In a Windows domain that means every computer in the domain, domain controllers included. While the service is down, any detection mechanism that relies on Windows event logs is blind, giving the attacker cover for follow-on activity such as password guessing and exploitation of remote services.
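The practical question for a defender is how to notice that a host has been blinded, and how to make sure the service comes back on its own. The following PowerShell script is an added example written for this page; it is not code from the article, from Florian's PoC, or from 0patch. It assumes it is run elevated on the host being checked (Windows PowerShell 5.1 or PowerShell 7), that the Service Control Manager's standard 7031/7034 "terminated unexpectedly" events are available, and that the gap threshold in $MaxGapMinutes is a site-specific heuristic rather than a documented value:

```powershell
# Added example, not from the article, the PoC author or 0patch.
# Looks for the "blind window" an Event Log service crash leaves behind and
# prints the recovery settings that decide whether SCM restarts the service.
# Assumptions: run elevated on the host being checked; 7031 = SCM will take a
# recovery action, 7034 = SCM will not; $MaxGapMinutes is an arbitrary heuristic.

param(
    [int]$HoursBack     = 24,
    [int]$MaxGapMinutes = 60
)

$since = (Get-Date).AddHours(-$HoursBack)

# 1. Is the service up right now?
$svc = Get-Service -Name EventLog
Write-Output ("Windows Event Log service status: {0}" -f $svc.Status)

# 2. SCM records 7031/7034 in the System log when a service dies unexpectedly.
#    Properties[0] carries the service display name, here 'Windows Event Log'.
#    The record itself can only be written after the service is back, so an
#    ongoing crash loop shows up late or, if queued events are lost, not at all.
$crashes = @(Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7031, 7034
        StartTime    = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[0].Value -eq 'Windows Event Log' })

if ($crashes.Count -gt 0) {
    Write-Warning ("Event Log service terminated unexpectedly {0} time(s) since {1}" -f $crashes.Count, $since)
    $crashes |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } |
        Format-Table -AutoSize
} else {
    Write-Output "No unexpected Event Log service terminations recorded since $since."
}

# 3. Gap heuristic: on a domain member the System log rarely goes quiet for long.
#    A silent stretch is worth correlating with 4624/4625 logons once the
#    Security log has caught up, since the attacker had to authenticate to crash it.
$sys = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; StartTime = $since } -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated)
for ($i = 1; $i -lt $sys.Count; $i++) {
    $gap = $sys[$i].TimeCreated - $sys[$i - 1].TimeCreated
    if ($gap.TotalMinutes -gt $MaxGapMinutes) {
        Write-Warning ("System log silent for {0:N0} min between {1} and {2}" -f `
            $gap.TotalMinutes, $sys[$i - 1].TimeCreated, $sys[$i].TimeCreated)
    }
}

# 4. Recovery settings: SCM should keep restarting the service instead of giving
#    up after a couple of failures. 'sc' alone is a PowerShell alias for
#    Set-Content, so call sc.exe explicitly.
sc.exe qfailure EventLog
# If the third action is 'none', tighten it so the service always comes back:
#   sc.exe failure EventLog reset= 86400 actions= restart/5000/restart/5000/restart/5000
```

Restarting the service automatically only shortens the blind window; an attacker holding valid credentials can simply send the malformed request again, which is why the script treats the recovery settings as a mitigation and the crash events and log gaps as the things to alert on.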

0patch has released unofficial micropatches for most affected Windows versions, free of charge until Microsoft ships an official security update for the vulnerability:
  • Windows 11 v22H2, v23H2 (fully updated);
  • Windows 11 v21H2 (fully updated);
  • Windows 10 v22H2 (fully updated);
  • Windows 10 v21H2 (fully updated);
  • Windows 10 v21H1 (fully updated);
  • Windows 10 v20H2 (fully updated);
  • Windows 10 v2004 (fully updated);
  • Windows 10 v1909 (fully updated);
  • Windows 10 v1809 (fully updated);
  • Windows 10 v1803 (fully updated);
  • Windows 7 (without ESU, and with ESU1, ESU2, ESU3);
  • Windows Server 2022 (fully updated);
  • Windows Server 2019 (fully updated);
  • Windows Server 2016 (fully updated);
  • Windows Server 2012 (without ESU, and with ESU1);
  • Windows Server 2012 R2 (without ESU, and with ESU1);
  • Windows Server 2008 R2 (without ESU, and with ESU1, ESU2, ESU3, ESU4).

To apply the micropatch, create a 0patch account and install the 0patch agent on the system; once the agent is running, the micropatch is applied automatically, with no reboot required.
 