Microsoft has issued a warning to all Windows users to immediately install a new security update that patches a zero-day vulnerability that is being actively exploited. This critical vulnerability could allow remote code execution on affected systems.
What is the vulnerability?
This is a remote code execution vulnerability that exists in the Windows Common Log File System (CLFS) driver (clfs.sys). The vulnerability, tracked as CVE-2023-21715, has a CVSS severity score of 8.8 out of 10, making it critical in severity.
The vulnerability allows an attacker to execute arbitrary code on a target system and take full control over it. Microsoft notes that this vulnerability is being actively exploited in limited targeted attacks.
How does the exploit work?
The vulnerability exists due to insufficient validation of input data in the clfs.sys driver. By sending specially crafted network packets to a vulnerable system, an attacker could trigger a write-what-where condition, leading to arbitrary code execution with kernel privileges on the target.
This allows the attacker to install programs, modify data, create new accounts with administrative privileges, and take full control of the affected system. The attacker could then use the compromised machine to pivot further into the network.
Which Windows versions are affected?
This is a wormable vulnerability, meaning it has the potential to spread via malware between vulnerable systems without user interaction.
The vulnerable component clfs.sys exists in all supported versions of Windows, including:
- Windows 11
- Windows 10
- Windows 8.1
- Windows 7
- Windows Server 2022
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 R2
- Windows Server 2008 R2
What should users do to protect themselves?
Microsoft has released an emergency out-of-band security update to fix this vulnerability. Users should immediately apply the latest patches to all affected systems.
The security updates are available through the standard patch management tools like Windows Update, Microsoft Update, Windows Server Update Services (WSUS), Microsoft Endpoint Configuration Manager, etc.
For systems that cannot be immediately patched, Microsoft suggests applying workarounds like restricting SMB traffic between endpoints. Disabling the CLFS driver is another option but may impact certain applications.
Enabling threat and anomaly detection capabilities can also help spot exploit attempts.
When was this vulnerability disclosed?
Microsoft released an advisory for this vulnerability on February 23, 2023. This indicates it is a zero-day vulnerability that was identified and patched by Microsoft before it was publicly disclosed or exploited at a large scale.
However, Microsoft notes that limited targeted attacks exploiting this vulnerability were observed before the patch was released. This highlights the importance of applying security updates as soon as they are available.
Conclusion
This zero-day vulnerability in a core Windows component could allow remote code execution and full system compromise. Users should install the security updates from Microsoft immediately before threat actors can weaponize this exploit for widespread attacks. Enabling detection capabilities, restricting unnecessary access, and hardening configurations are also important to reduce exposure.
The speed at which Microsoft identified and patched this zero-day underlines their improved security capabilities. However, it also highlights the increasing sophistication of cyber attacks and the need for continued vigilance and timely patching.
