Details about a recently patched security flaw in the Windows Common Log File System (CLFS) have emerged. It could be exploited by an attacker to gain elevated permissions on a compromised machine.

The issue, tracked as CVE-2022-37969 (CVSS score: 7.8), was addressed by Microsoft as part of its Patch Tuesday update for September 2022, but was also noted as being actively exploited in the wild.

“An attacker must already have access to the target system and the ability to run code,” the advisory read. “This technique does not allow for remote code execution in cases where the attacker does not already have that ability on the targeted system.”

Microsoft also credited researchers from CrowdStrike, DBAPPSecurity, Mandiant, and Zscaler for reporting the vulnerability, without delving into additional details about the nature of the attacks.


Now, the Zscaler ThreatLabz research team has disclosed that it captured an in-the-wild exploit for what was then a zero-day on September 2, 2022.

“The vulnerability is due to a lack of strict bounds checking on the field cbSymbolZone in the base record header of the base log file (BLF) of CLFS.sys,” the cybersecurity firm told The Hacker News.

“If the field cbSymbolZone is set to an invalid offset, an out-of-bounds write occurs at that invalid offset.”
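As an added illustration (not code from Zscaler, Microsoft or the CLFS driver), the C snippet below models the class of bug just described: a hypothetical, simplified base record header whose cbSymbolZone offset is trusted as read from the file, beside the bounds-checked form that refuses any offset that does not fit in the block. The struct layout, block size and function names are assumptions, not the real CLFS_BASE_RECORD_HEADER.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical, simplified stand-in for the CLFS base record header.
 * The real CLFS_BASE_RECORD_HEADER has many more fields; only the field
 * named in the advisory is modelled here. */
typedef struct {
    uint32_t cbSymbolZone; /* symbol zone offset, read straight from the BLF file */
} base_record_header_t;

#define BLOCK_LEN 0x1000 /* constructed size of the base record block */

/* Vulnerable pattern: the offset parsed from the file is trusted, so a
 * crafted value places the write outside the block. Shown only to make
 * the missing check visible; the demo below never calls it. */
void write_symbol_zone_unchecked(uint8_t *block, const base_record_header_t *h,
                                 const uint8_t *data, size_t len)
{
    memcpy(block + h->cbSymbolZone, data, len);
}

/* Hardened pattern: reject any offset/length pair that does not fit in
 * the block. The check is a subtraction, not an addition, so a huge
 * offset cannot wrap and slip through. Returns true only if it wrote. */
bool write_symbol_zone_checked(uint8_t *block, size_t block_len,
                               const base_record_header_t *h,
                               const uint8_t *data, size_t len)
{
    size_t off = h->cbSymbolZone;
    if (off > block_len || len > block_len - off)
        return false;
    memcpy(block + off, data, len);
    return true;
}

/* Demo over a constructed block: a valid offset is written, a crafted
 * one (too large, or too close to the end for the payload) is refused. */
bool demo(uint32_t offset)
{
    uint8_t block[BLOCK_LEN] = {0};
    base_record_header_t h = { .cbSymbolZone = offset };
    const uint8_t payload[8] = "SYMBOLS";
    return write_symbol_zone_checked(block, sizeof block, &h, payload, sizeof payload);
}
```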


CLFS is a general-purpose logging service that can be used by software applications running in either user mode or kernel mode to record data and events and to optimize log access.

Use cases related to CLFS include online transaction processing (OLTP), network event logs, compliance audits, and threat analysis.

According to Zscaler, the vulnerability is rooted in a metadata block called the base record, which is present in the base log file generated when a log file is created using the CreateLogFile() function.


“[The base record] includes the symbol table that stores information about the various client, container and security contexts associated with the base log file, as well as accounting information about these,” said Alex Ionescu, Chief Architect of CrowdStrike.

As a result, successful exploitation of CVE-2022-37969 via a specially crafted base log file can lead to memory corruption and, in a reliable manner, to a system crash (Blue Screen of Death, or BSoD).

However, a system crash is only one consequence of exploiting the vulnerability; it can also be weaponized to achieve privilege escalation.

Zscaler has also made available a proof-of-concept (PoC) that triggers the security hole, making it imperative for Windows users to update to the latest version to mitigate potential threats.
