Marcin “Icewall” Noga of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Cisco Talos recently discovered a privilege escalation vulnerability in the Windows 10 Common Log File System. CLFS is a general-purpose logging service that can be used by software clients running in user-mode or kernel-mode. A malformed CLFS log file could cause a pool overflow, and an adversary could gain the ability to execute code on the victim machine. A regular user needs to open the log file to trigger this vulnerability, but since the bug is triggered at the kernel level, it would give the adversary elevated privileges. Microsoft disclosed and patched this bug as part of their monthly security update Tuesday. For more on their updates, read the full blog here.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Microsoft to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details

Microsoft Windows 10 CLFS.sys ValidateRegionBlocks privilege escalation vulnerability (TALOS-2020-1098/CVE-2020-1115)

A privilege escalation vulnerability exists in the CLFS.sys ValidateRegionBlocks functionality of Microsoft Windows 10 CLFS.SYS 10.0.19041.264 (WinBuild.160101.0800) and Insider Preview CLFS.SYS 10.0.20150.1000 (WinBuild.160101.0800). A specially crafted malformed log file can cause a heap buffer overflow, resulting in privilege escalation. An attacker can trigger this bug from userland using a malformed log file.

Read the complete vulnerability advisory here for additional information.

Versions tested

Talos tested and confirmed that Microsoft Windows 10 CLFS.SYS, version 10.0.19041.264 (WinBuild.160101.0800) and Microsoft Windows 10 Insider Preview CLFS.SYS, version 10.0.20150.1000 (WinBuild.160101.0800) are affected by this vulnerability.

Coverage

The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 54392