Details have emerged about a now-patched security flaw in Windows Common Log File System (CLFS) that could be exploited by an attacker to gain elevated permissions on compromised machines.
Tracked as CVE-2022-37969 (CVSS score: 7.8), the issue was addressed by Microsoft as part of its Patch Tuesday updates for September 2022, while also noting that it was being actively exploited in the wild.
“An attacker must already have access and the ability to run code on the target system,” the company noted in its advisory. “This technique does not allow for remote code execution in cases where the attacker does not already have that ability on the target system.”
It also credited researchers from CrowdStrike, DBAPPSecurity, Mandiant, and Zscaler for reporting the vulnerability without delving into additional specifics surrounding the nature of the attacks.
Now, the Zscaler ThreatLabz researcher team has disclosed that it captured an in-the-wild exploit for the then zero-day on September 2, 2022.
“The cause of the vulnerability is due to the lack of a strict bounds check on the field cbSymbolZone in the Base Record Header for the base log file (BLF) in CLFS.sys,” the cybersecurity firm said in a root cause analysis shared with The Hacker News.
“If the field cbSymbolZone is set to an invalid offset, an out-of-bounds write will occur at the invalid offset.”
CLFS is a general-purpose logging service that can be used by software applications running in both user-mode or kernel-mode to record data as well as events and optimize log access.
Some of the use cases associated with CLFS include online transaction processing (OLTP), network events logging, compliance audits, and threat analysis.
According to Zscaler, the vulnerability is rooted in a metadata block called base record that’s present in a base log file, which is generated when a log file is created using the CreateLogFile() function.
“[Base record] contains the symbol tables that store information on the various client, container and security contexts associated with the Base Log File, as well as accounting information on these,” according to Alex Ionescu, chief architect at Crowdstrike.
As a result, a successful exploitation of CVE-2022-37969 via a specially crafted base log file could lead to memory corruption, and by extension, induce a system crash (aka blue screen of death or BSoD) in a reliable manner.
That said, a system crash is just one of the outcomes that arises out of leveraging the vulnerability, for it could also be weaponized to achieve privilege escalation.
Zscaler has further made available proof-of-concept (PoC) instructions to trigger the security hole, making it essential that users of Windows upgrade to the latest version to mitigate potential threats.