CVE-2023-36424: Windows Common Log File System (CLFS) Driver Elevation of Privilege
Vulnerability ID: CVE-2023-36424
CVSS Score: 7.8
Published: 2023-11-14
CVE-2023-36424 is an actively exploited Elevation of Privilege vulnerability in the Windows Common Log File System (CLFS) driver (clfs.sys). The flaw is an out-of-bounds read (CWE-125) triggered while the driver parses a malformed Base Log File (.blf). A local, low-privileged attacker who can write a crafted .blf file and get the driver to open it can read adjacent kernel memory, use the leaked pointers to defeat KASLR, and, combined with kernel heap grooming, elevate to SYSTEM. The flaw affects nearly all supported versions of Windows and Windows Server.
TL;DR
Local attacker exploits an out-of-bounds read in the Windows CLFS driver via crafted .blf files to bypass KASLR and gain SYSTEM privileges.
⚠️ Exploit Status: ACTIVE
Technical Details
- CWE ID: CWE-125
- Attack Vector: Local
- CVSS Base: 7.8
- EPSS Score: 0.10
- Impact: SYSTEM Elevation of Privilege
- Exploit Status: Active Exploitation
- CISA KEV: Listed
Affected Systems
- Windows 10: 1507, 1607, 1809, 21H2, 22H2
- Windows 11: 21H2, 22H2, 23H2
- Windows Server: 2008, 2008 R2, 2012, 2012 R2, 2016, 2019, 2022, 23H2
Exploit Details
- GitHub (Nassim Asrir / @p1k4l4): Proof of concept code demonstrating the OOB read and ALPC heap grooming techniques.
Mitigation Strategies
- Deploy Microsoft Security Updates released in November 2023
- Monitor for .blf files created under user-writable locations (user profiles, Temp); legitimate CLFS base logs are created by system services, for example under %SystemRoot%\System32\Config\TxR, not by user-launched binaries
- Implement EDR rules for bursts of ALPC port creation from a single process, the heap-grooming pattern used by the public PoC
- Monitor low- and medium-integrity processes that write .blf files and subsequently spawn SYSTEM-integrity child processes
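As an added example (not part of the original advisory or of the public PoC), the PowerShell below implements the .blf monitoring rule above on Sysmon FileCreate (Event ID 11) telemetry. The function names, the allow-list, and the path pattern are my assumptions; the records at the end are constructed so the filter can be exercised offline without Sysmon.

```powershell
# Added example, not from the advisory. Flags .blf files written to user-writable
# paths by anything other than an allow-listed system image.
function Find-SuspiciousBlf {
    param(
        # Objects carrying Sysmon FileCreate fields: UtcTime, Image, TargetFilename
        # (User is present only on newer Sysmon builds and is optional here).
        [Parameter(ValueFromPipeline = $true)] $Event,
        # Assumed allow-list of images that legitimately create CLFS base logs.
        [string[]]$AllowedImages = @(
            "$env:SystemRoot\System32\svchost.exe",
            "$env:SystemRoot\System32\services.exe"
        )
    )
    process {
        $path = $Event.TargetFilename
        if ($path -notmatch '\.blf$') { return }
        # Assumption: base logs under a user profile or Temp are not expected from
        # normal service activity; system ones live under %SystemRoot%\System32\Config.
        if ($path -notmatch '^[A-Za-z]:\\(Users|Temp)\\') { return }
        if ($AllowedImages -contains $Event.Image) { return }
        [pscustomobject]@{
            UtcTime = $Event.UtcTime
            User    = $Event.User
            Image   = $Event.Image
            File    = $path
        }
    }
}

# Pulls Sysmon Event ID 11 records from the last N hours and flattens EventData
# into one object per event so they can be piped into Find-SuspiciousBlf.
function Get-SysmonFileCreate {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 11
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction Stop | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]$d
    }
}

# Constructed sample records (not real telemetry) for an offline dry run.
$sample = @(
    [pscustomobject]@{ UtcTime = '2023-11-15 09:01:02.100'; Image = 'C:\Windows\System32\svchost.exe'
                       TargetFilename = 'C:\Windows\System32\Config\TxR\{00000000-0000-0000-0000-000000000000}.TM.blf' }
    [pscustomobject]@{ UtcTime = '2023-11-15 09:03:44.512'; Image = 'C:\Users\alice\Downloads\poc.exe'
                       TargetFilename = 'C:\Users\alice\AppData\Local\Temp\log.blf' }
    [pscustomobject]@{ UtcTime = '2023-11-15 09:03:45.001'; Image = 'C:\Users\alice\Downloads\poc.exe'
                       TargetFilename = 'C:\Users\alice\AppData\Local\Temp\notes.txt' }
)
$sample | Find-SuspiciousBlf   # only the poc.exe -> log.blf record is reported

# Live use on a host with Sysmon:
# Get-SysmonFileCreate -Hours 48 | Find-SuspiciousBlf | Format-Table -AutoSize
```

The allow-list is deliberately short; tune it from a baseline of which images write .blf files in your environment before alerting on it, and pair the hit with the Event ID 1 record for the writing process to see its integrity level and what it spawned next.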
Remediation Steps
- Identify vulnerable Windows endpoint and server installations
- Approve and stage the November 2023 cumulative security updates
- Deploy the updates via WSUS, SCCM, or automated patch management systems
- Reboot target systems to finalize kernel patch application
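The first remediation step, identifying hosts that still lack the fix, as an added PowerShell example that is not from the advisory or from Microsoft. The patched-build table is my assumption, filled from the November 2023 cumulative-update release notes, and must be checked against the MSRC advisory before use; branches not in the table fall back to the installed-hotfix date. The function name Test-ClfsPatched is mine.

```powershell
# Added example, not from the advisory. Reports whether this host carries the
# November 2023 cumulative update by comparing CurrentBuild.UBR with the first
# patched UBR for its branch.

# ASSUMPTION: first patched UBR per OS build from the November 2023 release notes.
# Verify against MSRC for CVE-2023-36424 before relying on these values.
$PatchedBuilds = @{
    '22631' = 2715   # Windows 11 23H2
    '22621' = 2715   # Windows 11 22H2
    '22000' = 2600   # Windows 11 21H2
    '20348' = 2113   # Windows Server 2022
    '19045' = 3693   # Windows 10 22H2
    '19044' = 3693   # Windows 10 21H2
    '17763' = 5122   # Windows 10 1809 / Windows Server 2019
}

function Test-ClfsPatched {
    [CmdletBinding()]
    param([hashtable]$Baseline = $PatchedBuilds)

    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [string]$cv.CurrentBuild
    $ubr   = [int]$cv.UBR          # 0 on branches that do not expose UBR
    $clfs  = Get-Item "$env:SystemRoot\System32\drivers\clfs.sys"

    $result = [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        OSBuild      = "$build.$ubr"
        ClfsVersion  = $clfs.VersionInfo.FileVersion
        ClfsModified = $clfs.LastWriteTimeUtc
        Status       = 'Unknown'
    }

    if (-not $Baseline.ContainsKey($build)) {
        # Branch not in the table (e.g. Server 2012 R2 under ESU): report the most
        # recent hotfix installed on or after the release date instead.
        $fix = Get-HotFix |
               Where-Object { $_.InstalledOn -and $_.InstalledOn -ge [datetime]'2023-11-14' } |
               Sort-Object InstalledOn -Descending | Select-Object -First 1
        $result.Status = if ($fix) {
            "Unknown branch; last update $($fix.HotFixID) on $($fix.InstalledOn.ToShortDateString())"
        } else {
            'Unknown branch; no update installed since 2023-11-14'
        }
    }
    elseif ($ubr -ge $Baseline[$build]) {
        $result.Status = 'Patched'
    }
    else {
        $result.Status = "VULNERABLE (needs UBR >= $($Baseline[$build]))"
    }
    $result
}

Test-ClfsPatched
```

For a fleet check, save the block as a script and run it remotely, for example `Invoke-Command -ComputerName (Get-Content .\hosts.txt) -FilePath .\Test-ClfsPatched.ps1 | Export-Csv clfs-status.csv`; hosts reporting VULNERABLE or an unknown branch with no recent update go to the staging and deployment steps above, and the reboot is what actually loads the new clfs.sys.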
References
- Microsoft MSRC Advisory - CVE-2023-36424
- NVD - CVE-2023-36424 Details
- CISA Known Exploited Vulnerabilities Catalog
- Researcher Nassim Asrir's GitHub (PoC)
- Qualys Patch Tuesday Review - Nov 2023