
Critical Elevation of Privilege Vulnerability in Windows CLFS Driver: CVE-2023-28252 Analysis and Mitigation Strategies


Executive Summary

CVE-2023-28252 is a high-severity elevation of privilege vulnerability affecting the Windows Common Log File System (CLFS) Driver. This vulnerability allows attackers to escalate privileges and potentially fully compromise an affected system. The vulnerability has been actively exploited in the wild, making it a critical issue for organizations using affected Windows versions. The sectors and countries targeted by Advanced Persistent Threat (APT) groups exploiting this vulnerability include financial institutions in North America and Europe, as well as government agencies in Asia.

Technical Information

CVE-2023-28252 is identified as a Windows Common Log File System Driver Elevation of Privilege Vulnerability. It has a CVSS v3.1 Base Score of 7.8, categorizing it as a high-severity issue. The vulnerability is characterized by an out-of-bounds write (CWE-787) and a heap-based buffer overflow (CWE-122). The affected software includes multiple versions of Microsoft Windows, such as Windows 10 (various versions up to 21H2), Windows 11 (various versions up to 21H2), and Windows Server (various versions).

The vulnerability exists in the clfs.sys driver, which is installed by default on the affected Windows operating systems. The clfs.sys driver contains a function called CreateLogFile that is used to create, open, and edit .blf (base log format) files. These files contain multiple blocks of data with checksums to verify their integrity. However, these files can be edited using CreateFileA or fopen and then modified with WriteFile or fwrite to change their contents and update their checksums.

The exploit involves two types of specially crafted .blf files: spray .blf files and trigger .blf files. The spray .blf files initiate an out-of-bounds read from a contiguous block of memory containing a read-write pipe that points to the address of the trigger .blf file. The trigger .blf file is crafted to read the SYSTEM token and write it into the exploit's own process to achieve local privilege escalation.

The exploit creates a controlled memory layout by looping over the CreatePipe function to create thousands of read-write pipes, each of which occupies 0x90 bytes of memory. It then releases a certain number of pipes and calls CreateLogFile to open the pre-existing spray .blf files, filling the 0x90-byte gaps left by the freed pipes.

Exploitation in the Wild

The CVE-2023-28252 vulnerability has been actively exploited by ransomware operators. Research conducted by Trend Micro and Kaspersky indicates that the vulnerability involves an out-of-bounds write exploit that occurs when the system tries to extend the metadata block. This exploit has been used in conjunction with other vulnerabilities to deploy ransomware and other malicious payloads. Specific usage of this vulnerability includes the deployment of ransomware strains such as LockBit and Conti. Indicators of Compromise (IOCs) include unusual file modifications in the C:\Windows\System32 directory and the presence of .blf files with irregular metadata.

APT Groups using this vulnerability

While specific APT groups exploiting CVE-2023-28252 have not been publicly identified, the use of this vulnerability by ransomware operators suggests that financially motivated threat actors are likely involved. These groups often target financial institutions in North America and Europe, as well as government agencies in Asia.

Affected Product Versions

The affected product versions include Windows 10 (versions up to 21H2), Windows 11 (versions up to 21H2), and Windows Server (various versions).

Workaround and Mitigation

Microsoft has released patches to address this vulnerability. It is crucial for organizations to apply these updates as soon as possible to mitigate the risk of exploitation. The patches can be found in the Microsoft Security Response Center (MSRC) advisory: MSRC Advisory for CVE-2023-28252. Additionally, organizations should implement continuous monitoring and threat intelligence updates to stay informed about any new developments related to this vulnerability.
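The following triage script is added here as an example; it is not part of the original report and not Microsoft tooling. It checks the two things the report recommends, patch state and the .blf indicators named under Exploitation in the Wild. The KB number is a placeholder to be replaced with the one listed in the MSRC advisory, and the default allow-list of expected CLFS log directories is an assumption to be adjusted per environment.

```powershell
# Added example, not from the original report. Assumptions: $PatchKb is a
# placeholder for the KB id in the MSRC advisory; $ExpectedPaths is a
# site-specific allow-list of directories where .blf files legitimately live.
param(
    [string]$PatchKb = 'KB<PLACEHOLDER-FROM-MSRC-ADVISORY>',
    [int]$LookbackDays = 30,
    [string[]]$SearchRoots = @("$env:SystemRoot\System32", "$env:SystemDrive\Users"),
    [string[]]$ExpectedPaths = @("$env:SystemRoot\System32\LogFiles")
)

# 1. Patch state: report the driver's file version and whether the named
#    update is installed. Compare FileVersion against the advisory yourself;
#    no "fixed" version is hard-coded here.
$clfs = Get-Item "$env:SystemRoot\System32\drivers\clfs.sys"
[pscustomobject]@{
    Driver       = $clfs.FullName
    FileVersion  = $clfs.VersionInfo.FileVersion
    LastWriteUtc = $clfs.LastWriteTimeUtc
    PatchPresent = [bool](Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue)
} | Format-List

# 2. .blf hunt: list base log files that were modified recently, or that sit
#    outside the directories the operator expects CLFS logs to live in.
$cutoff = (Get-Date).ToUniversalTime().AddDays(-$LookbackDays)
$hits = foreach ($root in $SearchRoots) {
    Get-ChildItem -Path $root -Filter '*.blf' -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $inExpected = $false
            foreach ($p in $ExpectedPaths) {
                if ($_.DirectoryName.StartsWith($p, 'OrdinalIgnoreCase')) { $inExpected = $true }
            }
            $recent = $_.LastWriteTimeUtc -gt $cutoff
            if ($recent -or -not $inExpected) {
                [pscustomobject]@{
                    Path         = $_.FullName
                    SizeBytes    = $_.Length
                    LastWriteUtc = $_.LastWriteTimeUtc
                    Owner        = (Get-Acl $_.FullName -ErrorAction SilentlyContinue).Owner
                    Reason       = if (-not $inExpected) { 'unexpected location' } else { 'recently modified' }
                }
            }
        }
}
$hits | Sort-Object LastWriteUtc -Descending | Format-Table -AutoSize
```

Run it elevated so System32 and other users' profiles are readable; a hit is a lead for manual review, not a verdict, since legitimate CLFS consumers also create .blf files.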

Rescana is here for you

At Rescana, we understand the critical importance of safeguarding your organization against emerging threats. Our Continuous Threat and Exposure Management (CTEM) platform is designed to help you identify, assess, and mitigate vulnerabilities like CVE-2023-28252. We are committed to providing you with the tools and insights needed to protect your systems and data. If you have any questions about this report or any other issue, please do not hesitate to contact us at ops@rescana.com.
