What is the Common Log File System (CLFS) used in recent ransomware attacks?
Have you wondered what the CLFS component we keep hearing about in recent ransomware attacks actually is?
Despite the name, the Common Log File System (CLFS) is not a file system in the usual sense. It is a general-purpose logging service built into Windows, available to user-mode applications through clfsw32.dll and to kernel-mode drivers through the clfs.sys driver. Software uses it to record and manage sequences of log records (for diagnostics, recovery, and debugging), and CLFS handles storing those records in order, reliably, and retrieving them later. A CLFS log is made up of a base log file (.blf) that holds the log's metadata plus one or more container files that hold the record data. Both are ordinary files on disk, which matters for what follows.
Recent vulnerabilities in the CLFS driver, such as CVE-2023-28252, have been exploited in ransomware attacks (Kaspersky attributed the in-the-wild use of CVE-2023-28252 to the Nokoyawa ransomware group). The common root cause is that clfs.sys parses metadata read from the log files themselves, structures such as the CLFS_CONTROL_RECORD inside the base log file, and has not always validated fields like offsets and sizes before using them. An attacker who can write a crafted .blf to disk and open it through the normal CLFS API therefore gets the kernel to act on values they control, bypassing the driver's consistency checks and corrupting kernel memory. The outcome is elevation of privilege: a local, low-privileged process ends up running as SYSTEM, which ransomware operators use after initial access to disable defenses and deploy their payload.
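To make the bug class concrete, here is an added example (not code from the original page and not the real CLFS on-disk format): a deliberately simplified log block whose header carries record offsets, parsed once the way the vulnerable driver did (trusting the on-disk values) and once with the bounds checks a hardened parser needs. The structure names, field layout, and the 512-byte block size are assumptions made for the illustration; what carries over to CLFS is only the property that the parser's inputs come from a file the attacker wrote.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BLOCK_SIZE  512u   /* one sector-sized block of the toy log format */
#define MAX_RECORDS 4u

/* Simplified, hypothetical block header. This is NOT the real CLFS layout; it
 * only models the property that matters: record_count and record_offset[] are
 * read straight from the file, so whoever wrote the file controls them. */
typedef struct {
    uint8_t  major_version;
    uint8_t  minor_version;
    uint16_t record_count;
    uint32_t record_offset[MAX_RECORDS];  /* byte offset of each record in the block */
} block_header_t;

typedef struct {
    uint32_t length;  /* payload bytes that follow this header */
    uint32_t type;
} record_header_t;

/* Vulnerable parser, modelling the bug class behind the CLFS CVEs: offset and
 * length come from the file and are used without checking that they stay
 * inside the block. Returns the payload's byte offset from block start, or -1. */
static long locate_record_unchecked(const uint8_t *block, unsigned idx, uint32_t *len_out)
{
    const block_header_t *h = (const block_header_t *)block;
    if (idx >= h->record_count)
        return -1;
    uint32_t off = h->record_offset[idx];
    const record_header_t *r = (const record_header_t *)(block + off); /* OOB read if off is crafted */
    *len_out = r->length;
    return (long)(off + sizeof(record_header_t));
}

/* Hardened parser: every on-disk value is validated before use. Comparisons are
 * written in subtraction form so the arithmetic cannot wrap around. */
static long locate_record_checked(const uint8_t *block, unsigned idx, uint32_t *len_out)
{
    const block_header_t *h = (const block_header_t *)block;
    if (h->major_version != 1 || h->record_count > MAX_RECORDS || idx >= h->record_count)
        return -1;
    uint32_t off = h->record_offset[idx];
    if (off < sizeof(block_header_t) || off % 4 != 0)    /* overlaps header or misaligned */
        return -1;
    if (off > BLOCK_SIZE - sizeof(record_header_t))      /* record header leaves the block */
        return -1;
    const record_header_t *r = (const record_header_t *)(block + off);
    if (r->length > BLOCK_SIZE - off - sizeof(record_header_t)) /* payload leaves the block */
        return -1;
    *len_out = r->length;
    return (long)(off + sizeof(record_header_t));
}

/* Constructed test data: a valid block with one 16-byte record at offset 32,
 * then the two fields a crafted file would tamper with (0 = leave unchanged). */
static void build_block(uint8_t *block, uint32_t crafted_offset, uint32_t crafted_length)
{
    memset(block, 0, BLOCK_SIZE);
    block_header_t *h = (block_header_t *)block;
    h->major_version = 1;
    h->record_count = 1;
    h->record_offset[0] = 32;
    record_header_t *r = (record_header_t *)(block + 32);
    r->length = crafted_length ? crafted_length : 16;
    r->type = 7;
    memcpy(block + 32 + sizeof *r, "hello log record", 16);
    if (crafted_offset)
        h->record_offset[0] = crafted_offset;
}

/* The block sits at the start of a larger buffer so that a crafted offset still
 * lands in mapped memory here; in the kernel the same read hits whatever
 * follows the block in pool memory. A fake record header is planted at 1024. */
static uint64_t arena_storage[4 * BLOCK_SIZE / 8];   /* 8-byte aligned backing store */

static long demo(int use_checked, uint32_t crafted_offset, uint32_t crafted_length, uint32_t *len_out)
{
    uint8_t *arena = (uint8_t *)arena_storage;
    build_block(arena, crafted_offset, crafted_length);
    record_header_t *fake = (record_header_t *)(arena + 1024);
    fake->length = 0x7fffffffu;
    fake->type = 0;
    return use_checked ? locate_record_checked(arena, 0, len_out)
                       : locate_record_unchecked(arena, 0, len_out);
}

int main(void)
{
    uint32_t len;
    printf("valid block:  unchecked=%ld checked=%ld\n", demo(0, 0, 0, &len), demo(1, 0, 0, &len));
    printf("offset 1024:  unchecked=%ld checked=%ld\n", demo(0, 1024, 0, &len), demo(1, 1024, 0, &len));
    printf("length 1000:  unchecked=%ld checked=%ld\n", demo(0, 0, 1000, &len), demo(1, 0, 1000, &len));
    return 0;
}
```

The unchecked parser happily returns a payload position of 1032 for a 512-byte block, and accepts a 1000-byte length that any subsequent copy would read past the buffer; in a kernel driver that is exactly the out-of-bounds access that gets turned into privilege escalation. The checked variant rejects both, and the subtraction-form comparisons (`off > BLOCK_SIZE - sizeof(...)` rather than `off + sizeof(...) > BLOCK_SIZE`) are what keep a large crafted offset from wrapping the check itself.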
Microsoft patched CVE-2023-28252 in the April 2023 Patch Tuesday release, alongside fixes for several earlier CLFS bugs. However, new CLFS vulnerabilities keep being discovered and patched, which raises questions about how robust the driver's parsing of on-disk metadata really is, and makes keeping clfs.sys current (and watching for low-privileged processes that write .blf files they have no business creating) a practical priority.
Read Microsoft's description of CLFS here: https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/introduction-to-the-common-log-file-system