CVE-2024-49114
cldflt.sys — Windows Cloud Files Mini-Filter Driver elevation of privilege
Summary
| Field | Value |
|---|---|
| Driver | cldflt.sys (Cloud Files Mini-Filter) |
| Vulnerability Class | Buffer Overflow |
| Vulnerable Build | 10.0.22621.4460 and earlier |
| Fixed Build | 10.0.22621.4602 (KB5048685, December 2024) |
| Exploited ITW | No |
Affected Functions
- HsmpRpReadBuffer
- HsmpOpCacheReadDehydratedData
- HsmpSetupCacheIoContext
Root Cause
The Windows Cloud Files Mini-Filter Driver (cldflt.sys) implements the cloud file sync placeholder mechanism, enabling on-demand file hydration for OneDrive and other cloud storage providers. This is the same driver affected by CVE-2024-30085, which was a heap-based buffer overflow in the reparse point processing path.
CVE-2024-49114 is a related but distinct vulnerability in the cache read path. When HsmpRpReadBuffer processes a read request for a dehydrated (cloud-only) file, it allocates a buffer based on the cached data length stored in the file's reparse point. The function does not adequately validate that the declared data length in the reparse point matches the actual available data. An attacker can craft a file with a manipulated reparse point where the declared length exceeds the actual data, causing a subsequent read to overflow the allocated buffer.
This is the second significant vulnerability in cldflt.sys discovered within the same year, highlighting the complexity and risk of the cloud files placeholder subsystem.
AutoPiff categorizes this as heap buffer overflow via reparse point length mismatch with detection rules:
added_len_check_before_memcpy— identifies the new bounds check on the data length fieldadded_buffer_size_validation— detects the reparse point data length validationreparse_point_validation_added— flags new validation of reparse point structure fields
Exploitation
The attack requires local access. The attacker creates a file with a crafted cloud files reparse point containing an inflated data length field. When the system (or another user's process) reads the dehydrated file, the cloud files minifilter attempts to serve the cached data. The inflated length causes a heap buffer overflow in NonPagedPoolNx.
The exploitation chain follows a similar path to CVE-2024-30085: the attacker uses pool spray with pipe attributes to position controlled objects adjacent to the overflow buffer. The overflow corrupts a pipe attribute entry, providing an arbitrary read primitive. This is combined with the I/O Ring technique for arbitrary write, culminating in a token swap for SYSTEM privilege escalation.
The similarity in exploitation pattern to CVE-2024-30085 demonstrates that the same minifilter has multiple code paths vulnerable to similar buffer overflow classes — the reparse point handling code performs complex data transformations with multiple opportunities for length validation failures.
Patch Analysis
The December 2024 update adds validation in HsmpRpReadBuffer to verify that the declared data length in the reparse point does not exceed the actual available cached data size. The new code adds a comparison before the memcpy operation that copies cached data into the output buffer. Additionally, HsmpSetupCacheIoContext now validates the total I/O context size against the reparse point's declared extents.
AutoPiff detects this change via the added_len_check_before_memcpy rule, which identifies the new comparison instruction validating the source data length against the destination buffer capacity before the copy operation. This is the same detection pattern that flagged CVE-2024-30085.
Detection
YARA Rule
rule CVE_2024_49114_CloudFilter {
meta:
description = "Detects vulnerable version of cldflt.sys (pre-patch)"
cve = "CVE-2024-49114"
author = "KernelSight"
severity = "high"
strings:
$mz = { 4D 5A }
$driver_name = "cldflt.sys" wide ascii nocase
$internal_name = "InternalName" wide
$vuln_version = "10.0.22621.4460" wide ascii
$func_read = "HsmpRpReadBuffer" ascii
$func_cache = "HsmpOpCacheReadDehydratedData" ascii
condition:
$mz at 0 and $driver_name and $internal_name and $vuln_version
}
rule CVE_2024_49114_ReparsePoint_Artifact {
meta:
description = "Detects file with crafted cloud files reparse point with inflated length"
cve = "CVE-2024-49114"
author = "KernelSight"
severity = "medium"
strings:
$reparse_tag = { 17 00 00 90 }
$hsm_marker = "CldFlt" ascii wide
condition:
$reparse_tag and $hsm_marker
}
ETW Indicators
| Provider | Event / Signal | Relevance |
|---|---|---|
Microsoft-Windows-StorageSync |
Cloud file hydration events | Detects anomalous hydration requests triggered by reading dehydrated files with crafted reparse points |
Microsoft-Windows-Kernel-File |
Reparse point set/get operations | Captures the creation of files with manipulated cloud files reparse points |
Microsoft-Windows-Kernel-Audit |
Privilege escalation events | Identifies token manipulation following successful heap overflow exploitation |
Microsoft-Windows-Security-Auditing |
Event 4688 — Process creation | Detects unexpected SYSTEM-level process creation after cldflt.sys exploitation |
Microsoft-Windows-Kernel-Process |
Process token changes | Captures the token swap from standard user to SYSTEM |
Behavioral Indicators
- A user-mode process creating files with cloud files reparse points (tag
0x90000017) containing a declared data length significantly larger than the actual cached data, setting up the overflow condition inHsmpRpReadBuffer - Heap buffer overflow in NonPagedPoolNx when the cloud files minifilter processes a read request against a dehydrated file with a crafted reparse point, observable as pool corruption originating from
cldflt.sys - Pool spray using pipe attribute objects immediately before triggering a read on the crafted dehydrated file, grooming adjacent allocations for controlled corruption
NtFsControlFilecalls withFSCTL_PIPE_GET_ATTRIBUTEfollowing the overflow, indicating the attacker is using the corrupted pipe attribute to build an arbitrary read primitive- Privilege escalation of a low-privilege process to SYSTEM via I/O Ring arbitrary write and token swap, following a sequence of cloud file reparse point manipulation and minifilter read operations