cbeek-r7's assessment of CVE-2022-37969

Description

Windows Common Log File System Driver Elevation of Privilege Vulnerability

Add Assessment

cbeek-r7 (181)

November 22, 2024 9:17am UTC (3 weeks ago)•

Ratings

Attacker Value

Very High

Exploitability

Very High

Observed in ransomware attacks Observed in state-sponsored attacks

Technical Analysis

The vulnerability arises due to insufficient input validation in the CLFS driver. Specifically, CLFS mishandles certain crafted input, allowing an attacker to manipulate memory and execute code with elevated privileges.

Exploitation requires local access to the system. An attacker can:

Craft Malicious Input: Create a malformed CLFS log file or log-related operation that triggers the vulnerability in the driver.
Abuse Kernel Privileges: Exploit the vulnerability to execute arbitrary code in kernel mode.
Escalate Privileges: Gain SYSTEM privileges, enabling complete control over the affected system.

This vulnerability is particularly useful for attackers as a post-exploitation mechanism, allowing them to escalate privileges after gaining initial access to a target system.

Exploitation in the Wild
CVE-2022-37969 has been actively exploited in targeted attacks. Threat actors, including advanced persistent threat (APT) groups, have leveraged this vulnerability as part of multi-stage attack campaigns.

CISA released an updated advisory on the BianLian ransomware group including the vulnerabilities the group is using to gain initial access towards victims.

https://www.cisa.gov/sites/default/files/2024-11/aa23-136a-joint-csa-stopransomware-bianlian-ransomware-group.pdf

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

None

Impact Score:

Unknown

Exploitability Score:

Unknown

Vector:

Unknown

Attack Vector (AV):

Unknown

Attack Complexity (AC):

Unknown

Privileges Required (PR):

Unknown

User Interaction (UI):

Unknown

Scope (S):

Unknown

Confidentiality (C):

Unknown

Integrity (I):

Unknown

Availability (A):

Unknown

General Information

Offensive Application

Unknown

Utility Class

Unknown

Ports

Unknown

Vulnerable Versions

Windows 10 Version 1809 10.0.17763.3406

Windows Server 2019 10.0.17763.3406

Windows Server 2019 (Server Core installation) 10.0.17763.3406

Windows 10 Version 21H1 10.0.19043.2006

Windows Server 2022 10.0.20348.1006

Windows 10 Version 20H2 10.0.19042.2006

Windows 11 version 21H2 10.0.22000.978

Windows 10 Version 21H2 10.0.19044.2006

Windows 10 Version 1507 10.0.10240.19444

Windows 10 Version 1607 10.0.14393.5356

Windows Server 2016 10.0.14393.5356

Windows Server 2016 (Server Core installation) 10.0.14393.5356

Windows 7 6.1.7601.26115

Windows 7 Service Pack 1 6.1.7601.26115

Windows 8.1 6.3.9600.20571

Windows Server 2008 Service Pack 2 6.0.6003.21666

Windows Server 2008 Service Pack 2 (Server Core installation) 6.0.6003.21666

Windows Server 2008 Service Pack 2 6.0.6003.21666

Windows Server 2008 R2 Service Pack 1 6.1.7601.26115

Windows Server 2008 R2 Service Pack 1 (Server Core installation) 6.1.7601.26115

Windows Server 2012 6.2.9200.23865

Windows Server 2012 (Server Core installation) 6.2.9200.23865

Windows Server 2012 R2 6.3.9600.20571

Windows Server 2012 R2 (Server Core installation) 6.3.9600.20571

Prerequisites

Unknown

Discovered By

Unknown

PoC Author

Unknown

Metasploit Module

Unknown

Reporter

Unknown

Vendors

microsoft

Products

windows 10 1507,
windows 10 1607,
windows 10 1809,
windows 10 20h2,
windows 10 21h1,
windows 10 21h2,
windows 11 21h2,
windows 7 -,
windows 8.1 -,
windows rt 8.1 -,
windows server 2008 -,
windows server 2008 r2,
windows server 2012 -,
windows server 2012 r2,
windows server 2016,
windows server 2019,
windows server 2022

Exploited in the Wild

Reported by:

mkienow-r7 indicated source as Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)

Reported: September 14, 2022 10:16pm UTC (2 years ago)

gwillcox-r7 indicated source as News Article or Blog (https://cn-sec.com/archives/1417413.html)

Reported: May 25, 2023 3:28pm UTC (1 year ago)

AttackerKB Worker indicated source as Government or Industry Alert (https://www.cisa.gov/news-events/alerts/2022/09/14/cisa-adds-two-known-exploited-vulnerabilities-catalog)

Reported: November 08, 2024 8:21am UTC (1 month ago)

cbeek-r7 indicated source as Government or Industry Alert (https://www.cisa.gov/sites/default/files/2024-11/aa23-136a-joint-csa-stopransomware-bianlian-ransomware-group.pdf)

Reported: November 22, 2024 9:17am UTC (3 weeks ago) • Edited 3 weeks ago

References

Canonical

CVE-2022-37969 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37969)

Exploit

PoCs that have not been added by contributors directly have been sourced from: nomi-sec/PoC-in-GitHub.
A PoC added here by the AKB Worker must have at least 2 GitHub stars.

CVE-2022-37969 (https://github.com/fortra/CVE-2022-37969) (Added by AKB Worker)

Miscellaneous

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-37969

https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2022/MNDT-2022-0039/MNDT-2022-0039.md

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37969

Rapid7

Very High

CVE-2022-37969

Very High

Very High

Unknown

Unknown

Unknown

CVE-2022-37969

Description

Add Assessment

Ratings

Technical Analysis

CVSS V3 Severity and Metrics

General Information

Vendors

Products

Exploited in the Wild

References

Canonical

Exploit

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification