CVE-2023-28252 zero-day vulnerability in CLFS

Kaspersky experts discover a CLFS vulnerability being exploited by cybercriminals.

Zero-day vulnerability in CLFS

Thanks to their Behavioral Detection Engine and Exploit Prevention components, our solutions have detected attempts to exploit a previously unknown vulnerability in the Common Log File System (CLFS) — the logging subsystem of Windows operating systems. After thoroughly investigating the exploit, our Global Research & Analysis Team (GReAT) contacted Microsoft and provided all their findings. The developers designated the vulnerability as CVE-2023-28252, and closed it on April 4, 2023 with the April Patch Tuesday update. We advise installing the fresh patches as soon as possible, because the vulnerability isn’t just being exploited by attackers — it’s being used in ransomware attacks.

What is the CVE-2023-28252 vulnerability?

CVE-2023-28252 belongs to the class of privilege-elevation vulnerabilities. To exploit it, attackers must manipulate a BLF file to elevate their privileges in the system and be able to continue their attack (so they need initial access with user privileges).

As usual, our Securelist website has the technical info, plus indicators of compromise, but the details aren’t being disclosed just now since they could be used by other cybercriminals to carry out new attacks. However, our experts intend to share them on April 20 (or thereabouts), by which date most users will have installed the patches.

What is the CVE-2023-28252 vulnerability used for?

Unlike most zero-day vulnerabilities, CVE-2023-28252 isn’t being used in APT attacks. In this case, the final payload delivered to victims’ computers was a new variant of the Nokoyawa ransomware. But after examining the exploit, our experts concluded that the attackers behind it were also responsible for creating a number of earlier, similar exploits for vulnerabilities in that same CLFS. In attacks deploying those we’ve seen other tools too, including Cobalt Strike Beacon and the modular backdoor Pipemagic.

How to stay safe

First of all, we recommend installing the April updates for Windows. In general, to secure your infrastructure against attacks using vulnerabilities (both known and zero-day), you need to protect all work computers and servers with reliable security solutions featuring protection against vulnerability exploitation. Our products automatically detect attempts to attack through CVE-2023-28252 as well as all malware used by the cybercriminals who created the exploit.