CVE-2023-23376
Common Log File System -- out-of-bounds write via CLFS_CONTROL_RECORD manipulation
Exploited in the Wild
This vulnerability was exploited in the wild before or shortly after patching.
Summary
| Field | Value |
|---|---|
| Driver | clfs.sys |
| Vulnerability Class | Out-of-Bounds Write |
| Exploited ITW | Yes |
| CVSS | 7.8 |
Root Cause
Another entry in the long series of CLFS BLF parsing bugs. This one targets the CLFS_CONTROL_RECORD rather than the CLFS_BASE_RECORD_HEADER used in CVE-2022-37969 and CVE-2022-35803. The root cause is nearly identical: the driver trusts offset fields in on-disk BLF metadata without bounds checking, producing an out-of-bounds write when a crafted .blf file is opened.
Discovered by MSTIC and MSRC as a zero-day. Likely chained with an RCE for ransomware delivery in the campaigns where it was observed.
Exploitation
The OOB write provides a relative write primitive in the kernel paged pool. Exploitation follows the standard CLFS pattern: pool spray to position controlled objects adjacent to the CLFS metadata allocation, trigger the OOB write via crafted BLF, corrupt an adjacent object, and escalate to a token swap for SYSTEM.
Patch Analysis
The fix adds bounds validation on offset fields within CLFS_CONTROL_RECORD processing, checking that derived write targets fall within the allocated metadata buffer.
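The class of check described above, as an added example written for this page (not code from clfs.sys or from Microsoft's fix), using a hypothetical record header in place of the real CLFS_CONTROL_RECORD layout:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical on-disk record header (constructed for this example, not the
 * real CLFS layout): both fields come straight from the .blf file, so they
 * are attacker-controlled. */
typedef struct {
    uint32_t entry_offset;   /* byte offset of an entry inside the metadata buffer */
    uint32_t entry_length;   /* length of that entry */
} record_hdr_t;

/* True only if [offset, offset + length) lies entirely inside a buffer of
 * buf_len bytes. The second test subtracts rather than adds so that a huge
 * offset or length cannot wrap around and slip past the comparison. */
bool range_in_buffer(size_t buf_len, uint64_t offset, uint64_t length)
{
    if (offset > buf_len)
        return false;
    if (length > buf_len - offset)   /* cannot underflow: offset <= buf_len */
        return false;
    return true;
}

/* The unpatched pattern derives the write target from hdr->entry_offset and
 * uses it directly, i.e. memset(buf + hdr->entry_offset, ...), which writes
 * past buf for a crafted header. The patched pattern validates the derived
 * target against the allocation first and refuses the record otherwise. */
bool update_entry_checked(uint8_t *buf, size_t buf_len,
                          const record_hdr_t *hdr, uint8_t value)
{
    if (!range_in_buffer(buf_len, hdr->entry_offset, hdr->entry_length))
        return false;            /* reject the record, leave buf untouched */
    memset(buf + hdr->entry_offset, value, hdr->entry_length);
    return true;
}
```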