A new vulnerability in a Windows driver that could trigger a Blue Screen of Death (BSOD) on fully updated systems running both Windows 10 and Windows 11 has been identified by cybersecurity firm Fortra.
The issue stems from the CLFS.SYS driver, responsible for managing the Common Log File System (CLFS), a logging subsystem that can be used by applications running in both kernel mode and user modes.
According to Fortra, the flaw is caused by improper validation of input data, leading to an irrecoverable inconsistency that activates the KeBugCheckEx function.
Consequently, successful exploitation of CVE-2024-6768 allows an attacker to cause a Blue Screen of Death (BSOD) condition on the targeted system.
This causes the affected system to stop responding to legitimate user input and reboot.
If the attacker manages to gain initial access to the system and persist the execution of a malicious .blf file, then this has the potential to prohibit access to a targeted system in the long term.
โThe potential problems include system instability and denial of service, as malicious users can exploit this vulnerability to repeatedly crash affected systems, disrupting operations and potentially causing data loss,โ wrote Ricardo Narvaja, cybersecurity specialist developer at Fortra.
Mayuresh Dani, manager, security research at Qualys Threat Research Unit, explained since the exploitation of the vulnerability calls the KeBugCheckEx function – which turns off the system in a controlled manner – this vulnerability most likely cannot be leveraged to cause code execution.
โAt most, this could lead to information disclosure, if timed correctly, when the system is processing sensitive data,โ he said. โWith all driver-based vulnerabilities, it is best to upgrade to the latest version as soon as possible.โ
He added IT security teams should baseline and monitor their systems for the creation and processing of any .blf files and monitor emails and network traffic for such files making an entry in their networks and on their endpoints.
โSince this is a logging file, the baseline should also include applications normally creating and executing .blf files,โ he said.
Dani advised businesses to start maintaining backups of system critical endpoints – if they are not already doing so – to recover from a crash.
โSecondly, they should start prioritizing and implementing any updates that deal with the system drivers,โ he said.
Thirdly, when dealing with other software, they should first update a selected set of systems, observe them for any inconsistencies, before rolling it out to a wider set of systems.
Lionel Litty, chief security architect at Menlo Security, said the risk here will depend on the specifics of the organization threat model.
โFor many organizations, a local denial of service on Windows instances is not a significant concern,โ he explained. An attacker would first need to get local privilege execution on a multi-user system and at this point this vulnerability allows them to crash the system.
Alternatively, a malicious insider can use this to create some damage–in both cases, it is likely that the attacker has better avenues to wreak havoc.
โOrganizations with a threat model that involves running multi-user Windows systems where some of the users who are untrusted users should be more concerned,โ Litty said. โThis should be a relatively rare model.โ
He added the CrowdStrike incident has understandably created heightened concerns around system crashes, but this CVE on its own is unlikely to lead to significant disruptions in practice.
โHowever, there is always a risk that this can be used as a step in a larger attack chain and the recommendation is as always to patch your systems in a timely manner once a fix is made available by Microsoft,โ Litty said.