Less than a month has passed since an issue with a CrowdStrike update left millions of Windows machines struggling to break free from a blue screen of death loop, but now a new blue screen threat has been revealed. An August 12 report from cybersecurity software company Fortra has detailed how a newly uncovered Windows vulnerability can lead to yet another blue screen of death. What’s more, the researchers said, all versions of Windows 10 and Windows 11 are affected, even if all current security updates have been installed.
CVE-2024-6768 Explained
The security vulnerability, officially cataloged as CVE-2024-6768, concerns the Windows Common Log File System (CLFS) driver. When the driver fails to properly validate specified quantities within input data, CVE-2024-6768 triggers a function known as KeBugCheckEx and results in the dreaded blue screen of death, something Windows users are only too familiar with following the recent CrowdStrike issues, which produced the same blue screen end result. Although the ultimate payload of an exploit is serious and requires no user interaction, the vulnerability is graded as medium risk because the attack vector is local rather than remote.
Which Versions Of Windows Are Affected By CVE-2024-6768?
The CVE-2024-6768 blue screen of death can impact all versions of Windows 10 and Windows 11, as well as Windows Server 2022, regardless of whether they have been updated with all security patches to date. The researchers have shown that a user with no privileges can induce a system crash by using a specially crafted file.
“The potential problems include system instability and denial of service,” Ricardo Narvaja, principal exploit writer with security company Fortra and the author of the report, said. “Malicious users can exploit this vulnerability to repeatedly crash affected systems, disrupting operations and potentially causing data loss.”
The Windows Blue Screen Of Death CVE-2024-6768 Research Timeline
Tyler Reguly, Fortra’s associate director of security research and development, told me that Microsoft was first made aware of the issue in December 2023. However, the company “became unresponsive in February 2024,” Reguly said, adding that Microsoft stated it could not reproduce the vulnerability. That was despite Fortra researchers having reproduced the results in a proof of concept across “dozens of systems both virtual and physical,” Reguly said. Due to the nature of the vulnerability, the researchers could identify no workaround or mitigation, and Reguly said, “We do not expect to see a fix from them.” Indeed, it would seem that the reason for publishing the vulnerability report today, at least in part, is the hope that Microsoft will see how easily the vulnerability can be exploited and “explore a fix moving forward.”
I have reached out to Microsoft for a statement.
The Research Timeline In Full
- December 20, 2023 – Reported to Microsoft with a Proof-of-Concept exploit.
- January 8, 2024 – Microsoft responded that its engineers could not reproduce the vulnerability.
- January 12, 2024 – Fortra provided a screenshot showing a version of Windows running the January Patch Tuesday updates and a memory dump of the crash.
- February 21, 2024 – Microsoft replied that it still could not reproduce the issue and so was closing the case.
- February 28, 2024 – Fortra reproduced the issue again with the February Patch Tuesday updates installed and provided additional evidence, including a video of the crash condition.
- June 19, 2024 – Fortra followed up to say that it intended to pursue a CVE and publish the research.
- July 16, 2024 – Fortra shared that it had reserved CVE-2024-6768 and would be publishing soon.
- August 8, 2024 – PoC was reproduced on the latest updates (July Patch Tuesday) of Windows 11 and Server 2022 to produce screenshots to share with media.
- August 12, 2024 – Planned CVE publication date.
The Implications Of CVE-2024-6768 For Windows Users
Tyler Reguly told me that it is unlikely the vulnerability will be exploited in the wild, as both the use case and the impact are somewhat limited, not least because the blue screen of death is recoverable. However, it remains a fact that a low-privileged user, without permission to reboot the system, can now do precisely that without warning, even if multiple users are logged in at the time. “Where this will see the likelihood of use is in cases where a malicious insider wishes to take down a multi-user server simply to cause havoc,” Reguly said, “or an attacker who wants to reboot a system but doesn’t have a high privilege account or does not want a log of a user-initiated reboot.”
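The abuse pattern Reguly describes, an unprivileged user repeatedly crashing a multi-user server without leaving a user-initiated reboot record, has a defensive counterpart: a crash reboot appears in the Windows System log as Event ID 1001 (source "BugCheck", "The computer has rebooted from a bugcheck"), while an orderly restart appears as Event ID 1074 (source "User32"). The following is an added example, not code from Fortra or from the report, that clusters bugcheck reboots per host in a sliding time window so that a one-off crash is separated from a pattern worth investigating. The host names, timestamps, messages and the bugcheck code in the sample records are constructed placeholders, not values from the report.

```python
"""Flag hosts that are repeatedly rebooting from kernel bugchecks.

Input is a flat export of Windows System-log records (host, UTC time, event ID,
message) such as a log forwarder or Get-WinEvent might produce. Event ID 1001
is a reboot after a bugcheck; Event ID 1074 is a user- or process-initiated
restart and is deliberately ignored, since a planned patch reboot is not a crash.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BUGCHECK_EVENT_ID = 1001       # System log: "rebooted from a bugcheck"
USER_RESTART_EVENT_ID = 1074   # System log: user/process-initiated restart

# Constructed sample records; hosts, times and the bugcheck code are placeholders.
SAMPLE_EVENTS = [
    ("srv-rds-01", "2024-08-12T08:03:10", 1001,
     "The computer has rebooted from a bugcheck. The bugcheck was: 0x00000000 (placeholder)"),
    ("srv-rds-01", "2024-08-12T08:41:55", 1001,
     "The computer has rebooted from a bugcheck. The bugcheck was: 0x00000000 (placeholder)"),
    ("srv-rds-01", "2024-08-12T09:17:02", 1001,
     "The computer has rebooted from a bugcheck. The bugcheck was: 0x00000000 (placeholder)"),
    ("srv-file-02", "2024-08-12T02:00:00", 1074,
     "The process C:\\Windows\\system32\\shutdown.exe (SRV-FILE-02) has initiated the restart "
     "of computer SRV-FILE-02 on behalf of user CONTOSO\\patchadmin for the following reason: "
     "Operating System: Upgrade (Planned)"),
    ("srv-file-02", "2024-08-12T14:22:31", 1001,
     "The computer has rebooted from a bugcheck. The bugcheck was: 0x00000000 (placeholder)"),
    ("wks-0042", "2024-08-11T23:59:59", 1001,
     "The computer has rebooted from a bugcheck. The bugcheck was: 0x00000000 (placeholder)"),
    ("wks-0042", "2024-08-12T00:30:00", 1001,
     "The computer has rebooted from a bugcheck. The bugcheck was: 0x00000000 (placeholder)"),
]


def parse_events(records):
    """Turn flat tuples into dicts with datetime timestamps, sorted by host and time."""
    events = [
        {"host": host, "time": datetime.fromisoformat(ts), "event_id": event_id, "message": msg}
        for host, ts, event_id, msg in records
    ]
    return sorted(events, key=lambda e: (e["host"], e["time"]))


def find_repeated_bugchecks(events, window=timedelta(hours=2), threshold=3):
    """Return {host: (count, first_crash, last_crash)} for every host whose densest
    run of bugcheck reboots reaches `threshold` within any span of `window`.

    A sliding window over each host's sorted crash times keeps the scan linear;
    1074 restarts and every other event ID are skipped."""
    crashes = defaultdict(list)
    for event in events:
        if event["event_id"] == BUGCHECK_EVENT_ID:
            crashes[event["host"]].append(event["time"])

    alerts = {}
    for host, times in crashes.items():
        times.sort()
        best = None
        start = 0
        for end in range(len(times)):
            # Move the left edge forward until the span fits inside the window.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, times[start], times[end])
        if best is not None:
            alerts[host] = best
    return alerts


if __name__ == "__main__":
    for host, (count, first, last) in find_repeated_bugchecks(parse_events(SAMPLE_EVENTS)).items():
        print(f"{host}: {count} bugcheck reboots between {first.isoformat()} and {last.isoformat()}")
```

With the defaults (three crashes in two hours) only the constructed srv-rds-01 is flagged; the single crash on srv-file-02 and the pair on wks-0042 are not. Lowering `threshold` or widening `window` trades noise for sensitivity, and a flagged window is the natural starting point for correlating with interactive logon records on that host to identify which low-privileged sessions were present at each crash.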
The average Windows user need not lose too much sleep over this one. Organizations, on the other hand, should take note and may be concerned about the apparent lack of movement towards patching the vulnerability by Microsoft. “The best case scenario for this issue,” Reguly concluded, “is that Microsoft sees the release and decides to release an update to resolve the vulnerability.”
Microsoft hasn’t had a lot of luck when it comes to blue screen of death incidents lately. As well as the aforementioned CrowdStrike update, which impacted Microsoft users despite not being the Redmond giant’s fault, there was another blue screen issue caused by a July 2024 security update. This saw a warning issued that Windows devices “might boot into BitLocker recovery,” affecting users with encryption enabled.