A Denial of Service (DoS) vulnerability exists in CLFS.sys, exploitable by authenticated low-privilege users. Successful exploitation triggers a Blue Screen of Death (BSOD) via a forced call to the KeBugCheckEx function, rendering the affected system inoperable until rebooted.
For systems running Windows 10, 11, and Server 2016-2022, this vulnerability, which has been assigned the tracking number CVE-2024-6768, represents a risk of medium severity.
A vulnerability in the CLFS.sys driver on Windows 10, 11, and specific server versions allows an authenticated low-privilege attacker to induce a system crash (the Blue Screen of Death) by maliciously triggering the KeBugCheckEx function.
This denial-of-service condition exploits a flaw in the driver’s handling of input data, allowing an attacker to circumvent system safeguards and destabilize the operating system.
The specific mechanism involves the attacker crafting malicious input that causes the driver to incorrectly process data, leading to an unexpected error condition that triggers the system crash.
A vulnerability in the CLFS.sys driver, identified as CVE-2024-6768, allows a low-privilege attacker to exploit improper input validation by crafting malicious data within a .BLF file.
The flaw, categorized as CWE-1284, enables an attacker to trigger a denial-of-service condition by causing a system crash. Discovered on December 19, 2023, it affects all versions of Windows 10 and 11.
With a CVSS score of 5.5, this medium-severity issue can be exploited by an attacker with low privileges to manipulate the system into executing the KeBugCheckEx function, resulting in a Blue Screen of Death (BSOD).
On December 20, 2023, a proof-of-concept exploit detailing the potential vulnerability was reported to Microsoft; when Microsoft engineers investigated on January 8, 2024, they were unable to replicate the issue.
However, Fortra subsequently provided concrete evidence on January 12, 2024, including a screenshot of a Windows system running the latest January Patch Tuesday updates and a corresponding memory dump capturing the crash, challenging Microsoft’s initial assessment.
Fortra reported the issue to Microsoft again on February 21, 2024, and Microsoft was again unable to reproduce it; on February 28, 2024, Fortra replicated the issue once more and provided additional evidence, including video proof, that the February Patch Tuesday updates caused the problem.
Because Microsoft did not address the issue, Fortra announced on June 19, 2024 that it would pursue a CVE and publicly disclose its findings; it reserved CVE-2024-6768 on July 16, 2024 and announced its intent to disclose the vulnerability.
Researchers successfully reproduced the issue on fully patched Windows 11 and Server 2022 systems in August, capturing evidence for public disclosure, and the CVE was officially published on August 12, 2024.