Planned Fix

CVE-2023-36424

Windows CLFS driver LPE

Summary

A flaw in the Windows Common Log File System (CLFS) kernel driver can be triggered by a local low-privilege attacker using crafted CLFS or related metadata. The driver mishandles the attacker-controlled input, leading to kernel memory corruption that can be leveraged to elevate privileges. Successful exploitation can give the attacker SYSTEM-level control of the affected Windows host.

Why Planned Fix?

4/6
Authentication required
Internal deployment
No user interaction needed
Exploitable in default configuration
Public PoC available
High impact vulnerability

Exploitation Details

Type: LPE (Local Privilege Escalation)
Is exploitable with default configuration? Yes
Is authentication needed? Yes
PoC / Exploit: Yes
Impact

Escalate a local low-privilege user to SYSTEM on the affected host.

Privilege Escalation
Exploitation Requirements
  • Authentication required
Exploitation Process

A local attacker first obtains a low-privilege account on a vulnerable Windows system. They then supply specially crafted CLFS-related data or a malicious reparse-point/log structure to the kernel driver so that the vulnerable parsing path is reached. The driver performs unsafe handling of the attacker-controlled content, corrupting kernel pool memory. The attacker then uses that corruption to manipulate privileged kernel state and launch code with SYSTEM privileges.

Detection Resources
Manual Detection: 0
Script Detection: 0
Scanner Detection: 1

Affected Software

Vendor: Microsoft
Product: Microsoft Windows
Affected Versions: Windows 10 1507 through 22H2; Windows 11 21H2 through 23H2; Windows Server 2008 SP2, 2008 R2 SP1, 2012, 2012 R2, 2016, 2019, 2022, and 2022 23H2
Description

Microsoft Windows is the desktop and server operating system used across enterprise endpoints and infrastructure. The vulnerable component is the Common Log File System (CLFS) kernel driver used for system logging and related file handling.

Deployment: Typically internal | Protocol: Local | Ports:
Affected Component: Common Log File System kernel driver (clfs.sys) code path that processes attacker-controlled log or reparse-point metadata.

Vendor Size: Big
Remediation
Workaround

Not available

Patch

Not available

Update
Install Microsoft’s November 14, 2023 security update or any later cumulative update for the affected Windows release. Fixed builds include Windows 10 1507/1607/1809/21H2/22H2, Windows 11 21H2/22H2/23H2, and Windows Server 2008 SP2 through Server 2022 23H2.


msrc.microsoft.com
Threat Intelligence
EPSS Score: 10.3%

Probability of exploitation in the next 30 days

EPSS Percentile: 93%

Worse than 93% of all CVEs

CISA KEV: Not Listed
Active Exploitation: No Evidence
Threat Actors

No known threat actors

Detection Rules

No detection rules available

NVD Data


Description Summary

Windows Common Log File System Driver Elevation of Privilege Vulnerability

CVSS Base Score

7.8
High

CVSS Vector (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High
CWE: CWE-125 Out-of-bounds Read
Version From:
Version Upto: 10.0.10240.20308, 10.0.10240.20308, 10.0.14393.6452, 10.0.14393.6452, 10.0.17763.5122, 10.0.17763.5122, 10.0.17763.5122, 10.0.19041.3693, 10.0.19045.3693, 10.0.22000.2600, 10.0.22621.2715, 10.0.22631.2715, 10.0.25398.531
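
Added example (not part of the original entry and not Microsoft tooling): a triage of an asset-inventory export against the "Version Upto" builds listed above, for confirming that the November 14, 2023 update has landed across a fleet. The CSV layout, hostnames and function names are assumptions, and each listed value is assumed to be the first fixed build for its branch; builds that do not appear in the list are reported as unknown for manual review instead of being guessed.

```python
import csv
import io

# First fixed revision (UBR) per build number, taken from the "Version Upto"
# values on this page. Assumption: each listed value is the first fixed build.
FIXED_UBR = {
    10240: 20308, 14393: 6452, 17763: 5122, 19041: 3693, 19045: 3693,
    22000: 2600, 22621: 2715, 22631: 2715, 25398: 531,
}

def classify(version):
    """Return 'patched', 'vulnerable' or 'unknown' for a '10.0.<build>.<ubr>' string."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return "unknown"          # malformed or truncated inventory value
    major, minor, build, ubr = map(int, parts)
    if (major, minor) != (10, 0) or build not in FIXED_UBR:
        return "unknown"          # branch not covered by the page's build list
    return "patched" if ubr >= FIXED_UBR[build] else "vulnerable"

def triage(inventory_csv):
    """Group hostnames from a 'host,os_version' CSV by patch status."""
    result = {"patched": [], "vulnerable": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        result[classify(row["os_version"])].append(row["host"])
    return result

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = """host,os_version
ws-001,10.0.19045.3570
ws-002,10.0.19045.3693
srv-01,10.0.17763.5122
srv-02,10.0.20348.2031
ws-003,10.0.22621
lt-004,10.0.22631.2428
"""

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status:10} {', '.join(hosts)}")
```
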

Affected Software (CPE) (21)

  • cpe:2.3:o:microsoft:windows_10_1507:*:*:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_10_1507:*:*:*:*:*:*:x86:*
  • cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x86:*
  • cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:arm64:*
  • cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:*
  • cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_11_21h2:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_11_22h2:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x86:*
  • cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2022_23h2:*:*:*:*:*:*:*:*