New Windows Event Log zero-day flaw gets unofficial patches



Free unofficial patches are available for a new Windows zero-day flaw dubbed EventLogCrasher that lets attackers remotely crash the Event Log service on devices within the same Windows domain.

This zero-day vulnerability affects all versions of Windows, from Windows 7 up to the latest Windows 11 and from Server 2008 R2 to Server 2022.

EventLogCrasher was discovered and reported to the Microsoft Security Response Center team by a security researcher known only as Florian, with Redmond tagging it as not meeting servicing requirements and saying it's a duplicate of a 2022 bug (Florian also published a proof-of-concept exploit last week).

While Microsoft didn't provide more details regarding the 2022 vulnerability, software company Varonis disclosed a similar flaw dubbed LogCrusher (also still waiting for a patch) that can be exploited by any domain user to remotely crash the Event Log service on Windows machines across the domain.

To exploit the zero-day in default Windows Firewall configurations, attackers need network connectivity to the target device and any valid credentials (even with low privileges).

Therefore, they can always crash the Event Log service locally and on all Windows computers in the same Windows domain, including domain controllers, which will let them ensure that their malicious activity will no longer be recorded in the Windows Event Log.

As Florian explains, "The crash occurs in wevtsvc!VerifyUnicodeString when an attacker sends a malformed UNICODE_STRING object to the ElfrRegisterEventSourceW method exposed by the RPC-based EventLog Remoting Protocol."

Once the Event Log service crashes, Security Information and Event Management (SIEM) and Intrusion Detection Systems (IDS) will be directly impacted as they can no longer ingest new events to trigger security alerts.

Luckily, security and system events are queued in memory and will be added to the event logs after the Event Log service becomes available again. However, such queued events may be irrecoverable if the queue gets filled or the attacked system shuts down via power-off or due to a blue screen error.

"So far we've discovered that a low-privileged attacker can crash the Event Log service both on the local machine and on any other Windows machine in the network they can authenticate to. In a Windows domain, this means all domain computers including domain controllers," said 0patch co-founder Mitja Kolsek.

"During the service downtime, any detection mechanisms ingesting Windows logs will be blind, allowing the attacker to take time for further attacks - password brute-forcing, exploiting remote services with unreliable exploits that often crash them, or running every attacker's favorite whoami - without being noticed."
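The blind spot described above shows up in a SIEM as a host whose Windows log feed suddenly goes quiet, followed (once the service is back) by a Service Control Manager 7034 "service terminated unexpectedly" entry for the EventLog service. The following added example (not from the article or from 0patch) flags both symptoms over a constructed feed; the `host=... id=...` line format is an assumption about how a collector might hand events to the SIEM.

```python
"""Detect Windows hosts whose Event Log feed has gone silent and explicit
EventLog service crash reports. Added example, not part of the original
article; the record format below is a constructed assumption."""
from datetime import datetime, timedelta, timezone

# Constructed sample feed: one collector line per event, key=value fields.
SAMPLE_FEED = """\
2024-01-31T10:00:00Z host=DC01 source=Security id=4624
2024-01-31T10:00:05Z host=WS07 source=Security id=4624
2024-01-31T10:00:30Z host=DC01 source=System id=7034 svc=EventLog
2024-01-31T10:01:00Z host=WS07 source=Security id=4672
2024-01-31T10:04:00Z host=WS07 source=Security id=4624
"""


def _parse_ts(s):
    """Collector timestamps are UTC ISO-8601 with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_feed(text):
    """Turn each feed line into a (timestamp, host, fields) tuple."""
    events = []
    for line in text.splitlines():
        ts_str, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        events.append((_parse_ts(ts_str), fields.pop("host"), fields))
    return events


def silent_hosts(events, now, max_gap):
    """Hosts whose newest event is older than max_gap: a possibly blinded source."""
    last_seen = {}
    for ts, host, _ in events:
        last_seen[host] = max(last_seen.get(host, ts), ts)
    return {h: int((now - t).total_seconds())
            for h, t in last_seen.items() if now - t > max_gap}


def eventlog_crash_reports(events):
    """SCM event 7034 naming the EventLog service, written once the service is back."""
    return [(ts.isoformat(), host) for ts, host, f in events
            if f.get("id") == "7034" and f.get("svc") == "EventLog"]


def check_feed(text, now_str, max_gap_seconds):
    """Run both checks over a feed as of now_str; returns (silent, crashes)."""
    events = parse_feed(text)
    now = _parse_ts(now_str)
    return silent_hosts(events, now, timedelta(seconds=max_gap_seconds)), eventlog_crash_reports(events)
```

Because queued events are replayed once the service recovers, the silence alert should be corroborated by the 7034 entry or by a gap in the host's own event timestamps rather than treated as proof on its own.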

Unofficial security patches for affected Windows systems

The 0patch micropatching service released unofficial patches for most affected Windows versions on Wednesday, available for free until Microsoft releases official security updates to address the zero-day bug:

  1. Windows 11 v22H2, v23H2 - fully updated
  2. Windows 11 v21H2 - fully updated
  3. Windows 10 v22H2 - fully updated
  4. Windows 10 v21H2 - fully updated
  5. Windows 10 v21H1 - fully updated
  6. Windows 10 v20H2 - fully updated
  7. Windows 10 v2004 - fully updated
  8. Windows 10 v1909 - fully updated
  9. Windows 10 v1809 - fully updated
  10. Windows 10 v1803 - fully updated
  11. Windows 7 - no ESU, ESU1, ESU2, ESU3
  12. Windows Server 2022 - fully updated
  13. Windows Server 2019 - fully updated
  14. Windows Server 2016 - fully updated
  15. Windows Server 2012 - no ESU, ESU1
  16. Windows Server 2012 R2 - no ESU, ESU1
  17. Windows Server 2008 R2 - no ESU, ESU1, ESU2, ESU3, ESU4

"Since this is a '0day' vulnerability with no official vendor fix available, we are providing our micropatches for free until such fix becomes available," Kolsek said.

To install the necessary patches on your Windows system, create a 0patch account and install the 0patch agent on the device.

Once you've launched the agent, the micropatch will be applied automatically without requiring a system restart, provided there is no custom patching policy in place to block it.