CVE-2022-24521

Common Log File System -- rgClients PreviousMode decrement via crafted BLF metadata

Exploited in the Wild

This vulnerability was exploited in the wild before or shortly after patching.

Summary

Field                Value
Driver               clfs.sys
Vulnerability Class  Logical Error / Out-of-Bounds Write
Exploited ITW        Yes
CVSS                 7.8

Root Cause

The vulnerability sits in how CLFS handles the rgClients array inside base log file (BLF) metadata. When a user opens a crafted .blf file via CreateLogFile, the driver parses on-disk client context records without properly validating their offsets or values. A specially constructed BLF can set rgClients[0] to a value that, when processed, decrements the calling thread's PreviousMode from UserMode (1) to KernelMode (0).

Once PreviousMode is zeroed, the thread's subsequent calls to NtReadVirtualMemory and NtWriteVirtualMemory bypass user/kernel address checks entirely, because the kernel treats the caller as originating from kernel mode.

Reported jointly by NSA and CrowdStrike. Multiple ransomware operators exploited this as a zero-day starting around June 2022.

Exploitation

The PreviousMode flip gives an immediate arbitrary read/write primitive over the entire kernel address space. The attacker reads the current process's EPROCESS token pointer, then overwrites it with a copy of the SYSTEM token. No pool spray or heap shaping needed -- the decrement itself is the primitive.

The full chain: drop a crafted .blf file, call CreateLogFile to trigger rgClients parsing, let PreviousMode drop to zero, then use NtWriteVirtualMemory to perform the token swap. Straightforward and reliable, which explains the wide adoption among ransomware groups.

Patch Analysis

The fix adds validation of rgClients array entries during BLF metadata parsing, rejecting client context records whose offsets would produce writes outside the metadata buffer. The patch also adds explicit bounds checking on the fields used to compute the decrement target.
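The check described above, rejecting any client context record whose offset and length would land outside the metadata buffer, as an added example in C. This is not clfs.sys code and not the patch itself: the record layout, the field names cbOffset and cbLength, the table location and the 256-byte sample buffer are all assumptions made for illustration. The point it shows is the one the root cause turns on: every offset read from an on-disk record is attacker controlled, so each must be range-checked against the buffer it indexes, with arithmetic that cannot wrap, before it is used to locate anything.

```c
/* Added example, not code from clfs.sys or from the CVE-2022-24521 patch.
 * Bounds-checked walk over a hypothetical array of client context records
 * embedded in a metadata buffer. Record layout and field names are assumed. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical on-disk client context record: an offset into the metadata
 * buffer and the length of the region it describes. Both come from the file,
 * so neither may be trusted. */
typedef struct {
    uint32_t cbOffset;   /* byte offset of the client's data, relative to buffer start */
    uint32_t cbLength;   /* length of that data */
} client_record_t;

/* Returns true only if [off, off+len) lies entirely inside a buffer of
 * buf_len bytes. The comparison is arranged so that no addition can wrap:
 * we check off first, then compare len against the remaining space. */
bool range_in_buffer(size_t buf_len, uint64_t off, uint64_t len)
{
    if (off > buf_len)
        return false;
    if (len > (uint64_t)buf_len - off)
        return false;
    return true;
}

/* Walks 'count' records found at 'table_off' inside buf. Returns the number
 * of records accepted, or -1 if the table itself or any record points outside
 * the buffer. A real parser would reject the whole file on the first failure. */
int validate_client_table(const uint8_t *buf, size_t buf_len,
                          uint32_t table_off, uint32_t count)
{
    /* The table of records must fit before any record is read from it. */
    if (!range_in_buffer(buf_len, table_off,
                         (uint64_t)count * sizeof(client_record_t)))
        return -1;

    for (uint32_t i = 0; i < count; i++) {
        client_record_t rec;
        /* memcpy rather than a cast: avoids unaligned access on strict targets. */
        memcpy(&rec, buf + table_off + (size_t)i * sizeof rec, sizeof rec);
        if (!range_in_buffer(buf_len, rec.cbOffset, rec.cbLength))
            return -1;   /* offset/length would reach past the metadata buffer */
    }
    return (int)count;
}

/* Constructed sample: a 256-byte metadata buffer with a two-entry record
 * table at offset 16. With bad_second set, the second record points 32 bytes
 * starting at offset 240, i.e. 16 bytes past the end, as a crafted file would. */
int demo_validate(bool bad_second)
{
    uint8_t buf[256];
    memset(buf, 0, sizeof buf);
    client_record_t recs[2] = {
        { .cbOffset = 64,                      .cbLength = 32 },
        { .cbOffset = bad_second ? 240u : 128u, .cbLength = 32 },
    };
    memcpy(buf + 16, recs, sizeof recs);
    return validate_client_table(buf, sizeof buf, 16, 2);
}

int main(void)
{
    printf("well-formed table: %d record(s) accepted\n", demo_validate(false));
    printf("crafted table:     %d (rejected)\n", demo_validate(true));
    return 0;
}
```

The two-step form of range_in_buffer is deliberate: a naive `off + len <= buf_len` passes when a large offset wraps the sum, which is exactly the kind of value a crafted file supplies. Checking the table's own extent before dereferencing any entry also matters, since a record count read from the file is as untrusted as the records it describes.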