Security mitigation for the Common Log Filesystem (CLFS)

Microsoft is set to introduce a new security enhancement for the Common Log File System (CLFS) to the Windows Insiders Canary channel. Over the past five years, 24 Common Vulnerabilities and Exposures (CVEs) affecting CLFS have been identified and addressed, making it a significant focus for vulnerability research within Windows. Instead of addressing individual issues as they arise, the Microsoft Offensive Research & Security Engineering (MORSE) team has implemented a new verification step for parsing CLFS logfiles. This step aims to tackle a range of vulnerabilities simultaneously, enhancing protection for Windows users across the ecosystem.

CLFS serves as a logging service for software clients in user-mode or kernel-mode, providing transaction functionality for the Kernel Transaction Manager. It stores log information in files known as “logfiles” at a user-defined location on the file system. The logfile consists of a “Base Log File” (BLF) containing metadata and multiple “container files” for user log records.

The complexity of CLFS data structures has made it challenging to validate all data read from logfiles, leading to vulnerabilities. To address this, a security mitigation has been introduced that appends a Hash-based Message Authentication Code (HMAC) to the end of each logfile. The HMAC is computed over the logfile contents with a cryptographic key, so any modification made without that key is detected before the logfile is parsed. Only CLFS (SYSTEM) and Administrators have access to the cryptographic key.

During the adoption period, existing logfiles without authentication codes will be transitioned to the new format. CLFS will operate in “learning mode” for 90 days, automatically adding HMACs to logfiles without them. After this period, CLFS will move to enforcement mode, expecting all logfiles to contain valid HMACs.
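The two paragraphs above describe the design as a whole: a keyed code at the end of the logfile, a learning period in which missing codes are added, and an enforcement period in which every logfile must carry a valid one. The following Python model is an added example, not Microsoft's code and not CLFS's real on-disk format; the trailer layout, the choice of HMAC-SHA256, the `CLFSHMAC` marker and the handling of a present-but-wrong code are all assumptions made for illustration.

```python
import hmac
import hashlib
import os
from enum import Enum

# Constructed model of the mitigation described above. The trailer layout,
# the choice of HMAC-SHA256 and the mode behaviour are assumptions made for
# this example; CLFS's actual on-disk format is not specified on the page.

TRAILER_MAGIC = b"CLFSHMAC"                  # assumed marker that precedes the code
DIGEST_LEN = hashlib.sha256().digest_size    # 32 bytes for HMAC-SHA256
TRAILER_LEN = len(TRAILER_MAGIC) + DIGEST_LEN


class Mode(Enum):
    LEARNING = "learning"        # 90-day adoption period: add missing codes
    ENFORCEMENT = "enforcement"  # afterwards: every logfile must carry a valid code


class IntegrityError(Exception):
    """Raised when a logfile fails the authentication-code check."""


def compute_code(key: bytes, body: bytes) -> bytes:
    """HMAC over everything before the trailer, keyed with the secret
    that only CLFS (SYSTEM) and Administrators can read."""
    return hmac.new(key, body, hashlib.sha256).digest()


def split_trailer(data: bytes):
    """Return (body, code) when a trailer is present, else (data, None)."""
    if len(data) >= TRAILER_LEN and data[-TRAILER_LEN:-DIGEST_LEN] == TRAILER_MAGIC:
        return data[:-TRAILER_LEN], data[-DIGEST_LEN:]
    return data, None


def authenticate(key: bytes, data: bytes) -> bytes:
    """Append (or refresh) the authentication code: the model of what learning
    mode and 'fsutil clfs authenticate' do to a logfile."""
    body, _ = split_trailer(data)             # never stack two trailers
    return body + TRAILER_MAGIC + compute_code(key, body)


def verify(key: bytes, data: bytes) -> bool:
    """True only when a trailer is present and its code matches the body."""
    body, code = split_trailer(data)
    if code is None:
        return False
    return hmac.compare_digest(code, compute_code(key, body))


def open_logfile(key: bytes, data: bytes, mode: Mode) -> bytes:
    """Gate that runs before the complex CLFS structures are parsed.
    Returns the bytes the parser may trust (in learning mode, possibly
    upgraded with a fresh code that should be written back to disk)."""
    body, code = split_trailer(data)
    if code is None:
        if mode is Mode.LEARNING:
            return authenticate(key, body)    # adopt the legacy logfile
        raise IntegrityError("no authentication code (enforcement mode)")
    if not hmac.compare_digest(code, compute_code(key, body)):
        # Assumption: a code that is present but wrong means the file was
        # modified without the key, so it is rejected in either mode.
        raise IntegrityError("authentication code mismatch")
    return data


if __name__ == "__main__":
    key = os.urandom(32)                      # stands in for the protected CLFS key
    legacy = b"BLF:constructed metadata block|container:record1|record2"
    adopted = open_logfile(key, legacy, Mode.LEARNING)   # learning mode adds the code
    tampered = adopted.replace(b"record2", b"recordX")   # edit made without the key
    for label, sample in (("legacy", legacy), ("adopted", adopted), ("tampered", tampered)):
        try:
            open_logfile(key, sample, Mode.ENFORCEMENT)
            print(label, "accepted")
        except IntegrityError as err:
            print(label, "rejected:", err)
```

Running the script shows the three outcomes the post implies for enforcement mode: a logfile that was adopted during learning mode is accepted, a legacy logfile with no code is rejected, and a logfile whose body was edited after the code was added is rejected because the HMAC no longer matches. Because the check happens before any CLFS structure is interpreted, a malformed logfile written without the key never reaches the parser that the earlier CVEs targeted.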

Administrators can use the fsutil clfs authenticate command to manage authentication codes for logfiles. Mitigation settings can be configured via registry settings or Group Policy, allowing administrators to control the mitigation’s operation mode and transition period.

The mitigation may impact CLFS API consumers by making logfiles non-portable between systems, introducing a new “.cnpf” patch file, requiring additional space for authentication codes, and increasing the time for I/O operations. Existing error codes are utilized to report integrity check failures to the caller, ensuring compatibility with the CLFS API.

These enhancements aim to bolster the security of CLFS logfiles, safeguarding Windows users from potential security threats and vulnerabilities.

Source: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/security-mitigation-for-the-common-log-filesystem-clfs/ba-p/4224041
