Windows CLFS Driver zero-days leveraged in ransomware attacks

Attacks leveraging five vulnerabilities impacting the Windows Common Log File System were noted by Kaspersky to have been occurring over the past 1.5 years, indicating significant issues in CLFS, reports Dark Reading. Windows CLFS's prioritization of performance has prevented secure parsing of CLFS files and resulted in the emergence of various security flaws, which include CVE-2022-24521, CVE-2022-37969, CVE-2023-23376, and CVE-2023-28252, said Kaspersky Global Research and Analysis Team Principal Security Researcher Boris Larin. "All this parsing is done using relative offsets, which can point to any location within a block. If one of these offsets becomes corrupted in memory during execution, the consequences can be catastrophic. But perhaps worst of all, offsets in the BLF file on disk can be manipulated in such a way that different structures overlap, leading to unforeseen consequences," said Larin, who recommended that organizations ensure up-to-date patches, limited server access, and appropriate employee security training to prevent cyber incidents that may stem from CLFS flaws.