Denial of Service in CLFS.sys
August 2024 by Fortra
FR-2024-001 - Denial of Service in CLFS.sys
Severity: Medium
Published Date: 12-Aug-2024
Updated Date: 12-Aug-2024
Vulnerabilities: CVE-2024-6768
Notes
Description
A Denial of Service in CLFS.sys in Microsoft Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, and Windows Server 2022 allows a malicious authenticated low-privilege user to cause a Blue Screen of Death via a forced call to the KeBugCheckEx function.
Vulnerabilities
Denial of Service in CLFS.sys
Severity: Medium
CVE: CVE-2024-6768
CWE: CWE-1284: Improper Validation of Specified Quantity in Input
Discovery Date: 19-Dec-2023
CVSSv3.1: 5.5 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Affected Products
Vulnerability Notes
Details
Timeline
December 20, 2023 – Reported to Microsoft with a Proof-of-Concept exploit.
January 8, 2024 – Microsoft responded that their engineers could not reproduce the vulnerability.
January 12, 2024 – Fortra provided a screenshot showing a version of Windows running the January Patch Tuesday updates and a memory dump of the crash.
February 21, 2024 – Microsoft replied that they still could not reproduce the issue and they were closing the case.
February 28, 2024 – Fortra reproduced the issue again with the February Patch Tuesday updates installed and provided additional evidence, including a video of the crash condition.
June 19, 2024 – Fortra followed up to say that it intended to pursue a CVE and publish its research.
July 16, 2024 – Fortra shared that it had reserved CVE-2024-6768 and would be publishing soon.
August 8, 2024 – Fortra reproduced the issue on the latest updates (July 2024 Patch Tuesday) of Windows 11 and Windows Server 2022 to produce screenshots to share with media.
August 12, 2024 – CVE publication date.