A newly discovered vulnerability, identified as CVE-2024-6768, has surfaced in the Common Log File System (CLFS.sys) driver of Windows.
This issue, identified by Fortra cybersecurity researcher, Ricardo Narvaja, highlights a flaw that could allow an unprivileged user to cause a system crash, resulting in Blue Screen of Death (BSOD).
The vulnerability exists due to improper input data validation, leading to an unrecoverable system state.
The affected CLFS.sys driver is integral to Windows 10 and Windows 11 operating systems, meaning all versions of these operating systems are susceptible, regardless of updates.
Overview of CVE-2024-6768 Vulnerability in Windows CLFS.sys Driver
The flaw allows a crafted value in a specific log file format, such as a .BLF file, to exploit the system and force it into a crash. The exploit is easy to execute with low privileges and does not require user interaction.
Narvaja said the vulnerability poses a significant risk as it can lead to system instability and denial of service (DoS) attacks. An attacker could exploit this flaw to repeatedly crash affected systems, potentially causing data loss and disruption to operations.
The researcher reported the vulnerability and documented the process of reproducing the crash, including creating a Proof of Content (PoC) vector.
CVE-2024-6768 is classified with a CVSS base score of 6.8, indicating a medium severity level. The vulnerability is categorized under the Common Weakness Enumeration (CWE) as ‘Improper Validation of Specified Quantity in Input’ (CWE-1284).
The attack vector is local, meaning it must be executed on the system itself, and the attack complexity is low, making it accessible for less skilled attackers.
The exploit takes advantage of a specific offset within the CLFS client context structure. When executed, PoC exploits the vulnerability, manipulating the system into an unrecoverable state that triggers the KeBugCheckEx function call, a core Windows mechanism designed to handle critical errors.
This call results in the BSoD, which forces the system to restart. The vulnerability’s simplicity and the potential for repeated exploitation make it a crucial concern for organizations relying on Windows systems.
Read more on the BSoD: CrowdStrike Windows Outage: What We Can Learn
Narvaja encouraged researchers and professionals to keep systems updated and monitor for unusual activity to reduce the risk of exploitation.