In the last year and a half, attackers have exploited at least five vulnerabilities - including four zero-days - in a sensitive, kernel-level Windows driver.
A series of reports published by Kaspersky's Securelist this week lays out not just a handful of bugs, but a larger, more systemic issue in the current implementation of the Windows Common Log File System.
CLFS is a high-performance, general-purpose logging system available for user- or kernel-mode software clients.
Because the driver runs in the kernel, its bugs are eminently useful to attackers seeking low-level system privileges, and its performance-oriented design has left a series of security holes in its wake in recent years, which ransomware actors in particular have pounced on.
Win32k-level zero-days aren't entirely uncommon, Kaspersky researcher Larin conceded in his research.
Nothing in particular changed about the CLFS driver this year.
Rather, attackers seem to have only now identified what was wrong with it all along: in the inescapable, eternal trade-off between performance and security, it leans too far toward performance.
The sum of all of these design choices is effective data and event logging, but also plenty of easily exploitable bugs.
In 2023 alone there were CVE-2022-24521, CVE-2022-37969, CVE-2023-23376, CVE-2023-28252 - all high-severity, 7.8-rated on the CVSS scale - used as zero-days, as well as a fifth vulnerability that was patched before any associated malicious activity was observed in the wild.
All of these were leveraged by attackers, Kaspersky found - including, for example, the Nokoyawa ransomware group's exploitation of CVE-2023-28252.
Without some sort of redesign, CLFS may well continue to offer escalation opportunities for hackers.
This Cyber News was published on www.darkreading.com. Publication date: Fri, 22 Dec 2023 20:10:23 +0000