CLFS bug causes even updated Windows 10 and 11 systems to crash
A simple bug in the Common Log File System (CLFS) driver can instantly cause the infamous blue screen of death in all recent versions of Windows.

CLFS is a user-mode and kernel-mode logging service that helps applications record and manage logs. It is also a popular target for attackers.

While experimenting with the driver last year, a Fortra researcher discovered that it does not properly validate quantity values specified in input data, allowing him to cause system crashes at will. His proof-of-concept (PoC) exploit worked on all tested versions of Windows, including 10, 11, and Windows Server 2022, even on fully up-to-date systems.

“It’s very simple to execute: execute a binary, call a function, and that function crashes the system,” explains Tyler Reguly, associate director of security R&D at Fortra. To illustrate how simple it is, he adds, “I probably shouldn’t admit this, but today when I was dragging it from system to system, I accidentally double-clicked on it and crashed my server.”

BSoD from CLFS

The underlying issue, labeled CVE-2024-6768, affects basic log files (BLFs), a type of CLFS file that contains metadata used to manage logs.

The CLFS.sys driver apparently does not adequately validate the size of the data within a certain field — “IsnOwnerPage” — in the BLF. Any attacker with access to a Windows system could create a file with incorrect size information that essentially confuses the driver. Unable to resolve the inconsistency, the driver then invokes KeBugCheckEx, the function that triggers the blue screen crash.

CVE-2024-6768 has a “medium” score of 6.8 out of 10 on the CVSS scale. It does not impact data integrity or confidentiality, and does not cause any form of unauthorized system control. However, it does allow arbitrary crashes that could disrupt business operations or potentially cause data loss.

Or, as Reguly explains, it could be combined with other exploits to achieve greater impact. “It’s a good way for an attacker to maybe cover their tracks, or take down a service where they otherwise wouldn’t be able to, and I think that’s where the real risk is,” he says. “These systems are rebooting unexpectedly, (you) ignore the crash because it’s rebooted and it’s fine now, but that could be because someone has hidden their activity — hidden the fact that they wanted it to reboot so that a new setting would take effect.”

No solution in sight

Fortra first reported its findings on December 20 of last year. After months of back and forth, Reguly says, Microsoft closed its investigation without acknowledging the issue as a vulnerability or implementing a fix. So at the time of writing, the bug persists on Windows systems, no matter how up to date they are.

In recent weeks, Windows Defender has begun identifying Fortra’s PoC as malware. But other than running Windows Defender and trying to prevent binaries that exploit the bug from running, there is nothing organizations can do to address CVE-2024-6768 until Microsoft releases a patch.

Dark Reading has asked Microsoft for feedback on CVE-2024-6768.