Microsoft has moved quickly to patch a critical security vulnerability in Windows 11 (version 23H2) that allows local attackers to escalate privileges. The flaw was demonstrated by security researcher Alex Birnberg at the prestigious cybersecurity competition TyphoonPWN 2024, where his exploit earned him third place.
TyphoonPWN, known as one of the leading cybersecurity competitions, serves as a platform for security researchers worldwide to uncover vulnerabilities in commonly used software. Birnberg’s successful demonstration of the exploit, which was officially tracked as CVE-2024-30085, underscores the significance of such events in identifying and addressing serious security issues.
The vulnerability resides in the Cloud Files Mini Filter Driver (cldflt.sys) and arises from inadequate validation of user-supplied data when parsing reparse points. The driver does not validate the size of the data before copying it to a fixed-length heap-based buffer, so an attacker can overwrite memory and execute code in the System context, gaining elevated privileges.
On Windows 11, version 23H2, an attacker must first be able to execute low-privileged code on the targeted system to exploit this flaw. The risk is therefore significantly heightened in environments where users have restricted system access, since a restricted account is all the attacker needs to start from. Independent security researchers who analyzed the vulnerability traced its root cause to the function HsmIBitmapNORMALOpen in the Windows Cloud Files Mini Filter Driver.
The mishandling of reparse point bitmaps allows attackers to circumvent essential checks and introduce malicious data into the system’s memory. Under specific conditions during file operations, length verification of reparse data is skipped, creating the opportunity for attackers to overwrite memory and achieve privilege escalation.
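The bug class described above comes down to a length check that does not run on every path before a copy into a fixed-size buffer. The following is an added example, not code from the driver or from the researcher's write-up: it parses the generic reparse header documented in the Windows SDK (tag, data length, reserved) and assumes a hypothetical 64-byte destination and a hypothetical `demo_check` helper that builds constructed sample buffers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REPARSE_HEADER_SIZE 8u            /* ReparseTag(4) + ReparseDataLength(2) + Reserved(2) */
#define IO_REPARSE_TAG_CLOUD 0x9000001Au  /* Windows SDK; CLOUD_1..CLOUD_F vary bits 12-15 */
#define DEMO_BUF_CAP 64u                  /* hypothetical fixed destination size */

enum parse_status { PARSE_OK, PARSE_TRUNCATED, PARSE_WRONG_TAG,
                    PARSE_LENGTH_MISMATCH, PARSE_TOO_LARGE };

static int is_cloud_tag(uint32_t tag) {
    return (tag & 0xFFFF0FFFu) == IO_REPARSE_TAG_CLOUD;
}

/* Copies the payload only after every length has been checked, on every path. */
enum parse_status copy_reparse_data(const uint8_t *in, size_t in_len,
                                    uint8_t *out, size_t *out_len) {
    if (in_len < REPARSE_HEADER_SIZE) return PARSE_TRUNCATED;
    uint32_t tag = in[0] | (uint32_t)in[1] << 8 | (uint32_t)in[2] << 16 | (uint32_t)in[3] << 24;
    uint16_t declared = (uint16_t)(in[4] | in[5] << 8);
    if (!is_cloud_tag(tag)) return PARSE_WRONG_TAG;
    /* The declared length must match the bytes actually supplied... */
    if ((size_t)declared != in_len - REPARSE_HEADER_SIZE) return PARSE_LENGTH_MISMATCH;
    /* ...and must fit the fixed-size destination before memcpy runs. */
    if (declared > DEMO_BUF_CAP) return PARSE_TOO_LARGE;
    memcpy(out, in + REPARSE_HEADER_SIZE, declared);
    *out_len = declared;
    return PARSE_OK;
}

/* Builds a constructed sample buffer (zero payload) and runs the parser on it. */
enum parse_status demo_check(uint32_t tag, uint16_t declared, size_t present) {
    uint8_t in[REPARSE_HEADER_SIZE + 256] = {0}, out[DEMO_BUF_CAP];
    size_t out_len = 0;
    if (present > 256) present = 256;
    for (int i = 0; i < 4; i++) in[i] = (uint8_t)(tag >> (8 * i));
    in[4] = (uint8_t)declared;
    in[5] = (uint8_t)(declared >> 8);
    return copy_reparse_data(in, REPARSE_HEADER_SIZE + present, out, &out_len);
}

int main(void) {
    printf("well-formed: %d\n", demo_check(IO_REPARSE_TAG_CLOUD, 4, 4));
    printf("oversized:   %d\n", demo_check(IO_REPARSE_TAG_CLOUD, 100, 100));
    printf("mismatch:    %d\n", demo_check(IO_REPARSE_TAG_CLOUD, 200, 4));
    return 0;
}
```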
The exploit showcased at TyphoonPWN 2024 involved crafting a carefully structured reparse point to exploit the vulnerable function and attain SYSTEM-level privileges. Birnberg’s demonstration at the competition not only earned him accolades but also highlighted the depth of his technical analysis and creativity in uncovering vulnerabilities.
To mitigate the risk posed by such vulnerabilities, it is essential for organizations to adhere to best practices such as restricting administrative access to trusted users, regularly updating all Windows systems with the latest patches, monitoring system activity for unusual behavior, especially around file operations and reparse points, and employing intrusion detection systems (IDS) to detect signs of exploits.
Organizations should conduct audits on the use of the Cloud Files Mini Filter Driver and minimize external access to systems requiring elevated privileges. The recent discovery exemplifies the critical need for proactive cybersecurity measures. Microsoft’s prompt response in releasing a patch to address the vulnerability reflects the industry’s dedication to protecting users.
All users impacted by this vulnerability are strongly encouraged to prioritize system updates by applying the latest security patch provided by Microsoft. It is imperative for users to install the recent Windows update containing the patch for CVE-2024-30085 to ensure the security of their devices against this and other potential vulnerabilities.

