Security researchers at Varonis Threat Labs recently revealed that Microsoft Windows contains two vulnerabilities in the Event Log service, one of which can be exploited to cause a denial-of-service (DoS) attack.
The two vulnerabilities named by the Varonis analysts are as follows:
- LogCrusher
- OverLog (CVE-2022-37981)
Both vulnerabilities involve MS-EVEN (the EventLog Remoting Protocol), which is what lets a threat actor reach a machine's event logs from a remote location.
On June 15 this year, Microsoft officially ended support for Internet Explorer (IE). However, IE still brings security and stability issues with it, because it is deeply integrated into the Windows ecosystem.
OverLog is suspected of causing a DoS on a Windows computer by filling all of the available space on its hard drive.
OverLog has been assigned CVE-2022-37981, with a CVSS score of 4.3. Microsoft fixed it in its October Patch Tuesday update. The LogCrusher issue, however, has not yet been fixed and remains unpatched.
Critique
OpenEventLogW is a Windows API function that opens a handle to an event log on the local machine or on a remote machine, depending on the information passed to it.
The function takes two parameters:
- lpUNCServerName
- lpSourceName
By default, non-administrative low-privilege users cannot access the event logs of other machines, since they lack the necessary privileges. There is one exception to this rule: the legacy “Internet Explorer” event log.
The IE log carries its own security descriptor, which overrides the default event log permissions and maintains its own security profile.
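The permissive security descriptor is the root of the problem described above, so the first thing a defender wants is an inventory of which event log channels grant access to broad principals. The following PowerShell is an added example written for this page; it is not code from the article or from Varonis. It assumes a Windows host with the built-in Get-WinEvent cmdlet (an elevated shell is recommended so that every channel's configuration can be read) and uses the documented event log access bits (0x1 read, 0x2 write, 0x4 clear). The trustee alias list and the sample restrictive SDDL in the closing comment are constructed for illustration.

```powershell
# Added example (not from the article or Varonis): audit Windows event log channels
# for access-allowed DACL entries that grant rights to broad principals.
# Assumes a Windows host with Get-WinEvent; run elevated to read every channel.

# SDDL aliases / SIDs for "everyone-ish" trustees (constructed list):
# Everyone, Authenticated Users, Interactive, Builtin Users, Anonymous.
$BroadTrustees = @('WD', 'AU', 'IU', 'BU', 'AN',
                   'S-1-1-0', 'S-1-5-11', 'S-1-5-4', 'S-1-5-32-545', 'S-1-5-7')

# Event log channel access bits, as documented for the event log security descriptor.
$ReadBit = 0x1; $WriteBit = 0x2; $ClearBit = 0x4

function Get-BroadAccessAces {
    param(
        [Parameter(Mandatory)][string]$LogName,
        [string]$Sddl
    )
    $results = @()
    if ([string]::IsNullOrWhiteSpace($Sddl)) { return $results }

    # Each ACE looks like (A;;0x7;;;WD): type;flags;rights;object;inherited-object;trustee
    foreach ($m in [regex]::Matches($Sddl, '\(([^)]*)\)')) {
        $f = $m.Groups[1].Value -split ';'
        # Only access-allowed ACEs matter here; audit ACEs (AU) in the SACL are skipped.
        if ($f.Count -lt 6 -or $f[0] -ne 'A') { continue }
        $rights = $f[2]; $trustee = $f[5]
        if ($BroadTrustees -notcontains $trustee) { continue }

        # Channel rights are normally a hex mask; generic forms (GA, GR, ...) are
        # reported as-is and treated conservatively as granting everything.
        $mask = if ($rights -match '^0x[0-9A-Fa-f]+$') { [Convert]::ToInt32($rights, 16) } else { -1 }
        $results += [pscustomobject]@{
            LogName  = $LogName
            Trustee  = $trustee
            Rights   = $rights
            CanRead  = ($mask -eq -1) -or (($mask -band $ReadBit)  -ne 0)
            CanWrite = ($mask -eq -1) -or (($mask -band $WriteBit) -ne 0)
            CanClear = ($mask -eq -1) -or (($mask -band $ClearBit) -ne 0)
        }
    }
    return $results
}

# Walk every channel; the legacy "Internet Explorer" log discussed above is the one
# expected to stand out, but any channel readable or clearable by Everyone is worth a look.
$findings = foreach ($log in Get-WinEvent -ListLog * -ErrorAction SilentlyContinue) {
    Get-BroadAccessAces -LogName $log.LogName -Sddl $log.SecurityDescriptor
}
$findings | Sort-Object LogName, Trustee | Format-Table -AutoSize

# Remediation reference only (this script changes nothing): a channel's descriptor can be
# tightened with wevtutil, e.g. limiting a log to Administrators and SYSTEM (sample SDDL):
#   wevtutil sl "Internet Explorer" /ca:"O:BAG:SYD:(A;;0x7;;;BA)(A;;0x7;;;SY)"
# Validate in a lab first; some channels legitimately need write access for their producers.
```

The script only reads channel configuration; the `wevtutil sl ... /ca:` line in the final comment is the documented way to set a channel's access descriptor and is left as a reference rather than executed, because the right descriptor depends on which services write to the log.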
ElfClearELFW, an MS-EVEN function, can remotely clear and back up an event log. It also takes two parameters, listed below:
- LogHandle
- BackupFileName
However, the ElfClearELFW function contains a bug: it fails to validate its input properly. Both of these functions need to be understood in order to follow the LogCrusher attack flow.
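Whatever the entry point, a successful clear-and-backup call leaves the same trace on the target: the affected log is emptied, and Windows records that fact. The following PowerShell is an added example written for this page, not code from the article or from Varonis. It assumes a Windows host and relies on two Microsoft-documented event IDs that the article itself does not mention: 1102 in the Security log ("The audit log was cleared") and 104 from the Microsoft-Windows-Eventlog provider in the System log ("The log file was cleared", which names the cleared channel). The time window is a constructed default.

```powershell
# Added example (not from the article or Varonis): find evidence that an event log
# was cleared, which is the observable effect of an ElfClearELFW-style call.
# Assumes a Windows host. Event IDs 1102 (Security) and 104 (System, provider
# Microsoft-Windows-Eventlog) are Microsoft-documented, not taken from the article.

function Get-LogClearEvents {
    param(
        # Constructed default: look back one week.
        [datetime]$Since = (Get-Date).AddDays(-7)
    )
    $filters = @(
        @{ LogName = 'Security'; Id = 1102; StartTime = $Since },
        @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Eventlog'; Id = 104; StartTime = $Since }
    )
    foreach ($filter in $filters) {
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Channel     = $_.LogName
                Id          = $_.Id
                # The first message line is enough: 104 names the cleared log,
                # 1102 records the account that cleared the audit log.
                Summary     = ($_.Message -split "`r?`n")[0]
                # SID of the account the event was logged under, when present.
                UserSid     = if ($_.UserId) { $_.UserId.Value } else { $null }
            }
        }
    }
}

# A clear of a low-value channel such as "Internet Explorer" by a non-admin account
# is exactly the pattern described above and deserves a closer look.
Get-LogClearEvents | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```

If an attacker clears the System log itself, the 104 record for earlier clears disappears with it; forwarding these two event IDs to a collector off the host is the usual way to keep that trace out of reach.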
Full article here: https://cybersecuritynews.com/event-log-bugs/