Denial of Service in CLFS.sys

August 2024 by Fortra

FR-2024-001 - Denial of Service in CLFS.sys

Severity

Medium

Published Date

12-Aug-2024

Updated Date

12-Aug-2024

Vulnerabilities

CVE-2024-6768

Notes

Description

A Denial of Service in CLFS.sys in Microsoft Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, and Windows Server 2022 allows a malicious authenticated low-privilege user to cause a Blue Screen of Death via a forced call to the KeBugCheckEx function.

Vulnerabilities

Denial of Service in CLFS.sys

Severity

Medium

CVE

CVE-2024-6768

CWE

CWE-1284: Improper Validation of Specified Quantity in Input

Discovery Date

19-Dec-2023

CVSSv3.1

5.5 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

Affected Products

Vulnerability Notes

Details

Timeline

December 20, 2023 – Reported to Microsoft with a Proof-of-Concept exploit.

January 8, 2024 – Microsoft responded that their engineers could not reproduce the vulnerability.

January 12, 2024 – Fortra provided a screenshot showing a version of Windows running the January Patch Tuesday updates and a memory dump of the crash.

February 21, 2024 – Microsoft replied that they still could not reproduce the issue and they were closing the case.

February 28, 2024 – Fortra reproduced the issue again with the February Patch Tuesday updates installed and provided additional evidence, including a video of the crash condition.

June 19, 2024 – Fortra followed up to say that it intended to pursue a CVE and publish its research.

July 16, 2024 – Fortra shared that it had reserved CVE-2024-6768 and would be publishing soon.

August 8, 2024 – Fortra reproduced the issue on the latest updates (July 2024 Patch Tuesday) of Windows 11 and Windows Server 2022 to produce screenshots to share with media.

August 12, 2024 – CVE publication date.