Free unofficial patches are available for a new Windows zero-day flaw dubbed EventLogCrasher that lets attackers remotely crash the Event Log service on devices within the same Windows domain.
This zero-day vulnerability affects all versions of Windows, from Windows 7 up to the latest Windows 11 and from Server 2008 R2 to Server 2022.
EventLogCrasher was discovered and reported to the Microsoft Security Response Center team by a security researcher known only as Florian, with Redmond tagging it as not meeting servicing requirements and saying it is a duplicate of a 2022 bug (Florian also published a proof-of-concept exploit last week).
While Microsoft did not provide more details regarding the 2022 vulnerability, software company Varonis disclosed a similar flaw dubbed LogCrusher (also still waiting for a patch) that can be exploited by any domain user to remotely crash the Event Log service on Windows machines across the domain.
To exploit the zero-day in default Windows Firewall configurations, attackers need network connectivity to the target device and any valid credentials (even with low privileges).
Therefore, they can always crash the Event Log service locally and on all Windows computers in the same Windows domain, including domain controllers, which will allow them to make sure that their malicious activity is no longer recorded in the Windows Event Log.
As Florian explains, “The crash occurs in wevtsvc!VerifyUnicodeString when an attacker sends a malformed UNICODE_STRING object to the ElfrRegisterEventSourceW method exposed by the RPC-based EventLog Remoting Protocol.”
Once the Event Log service crashes, Security Information and Event Management (SIEM) and Intrusion Detection Systems (IDS) will be directly impacted as they can no longer ingest new events to trigger security alerts.
Luckily, security and system events are queued in memory and will be added to the event logs after the Event Log service becomes available again. However, such queued events may be irrecoverable if the queue gets filled or the attacked system shuts down via power-off or due to a blue screen error.
“So far we’ve found that a low-privileged attacker can crash the Event Log service both on the local machine and on any other Windows computer in the network they can authenticate to. In a Windows domain, this means all domain computers including domain controllers,” said 0patch co-founder Mitja Kolsek.
“During the service downtime, any detection mechanisms ingesting Windows logs will be blind, allowing the attacker to take time for further attacks – password brute-forcing, exploiting remote services with unreliable exploits that often crash them, or running every attacker’s favorite whoami – without being noticed.”
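The blind spot Kolsek describes is something a log collector can watch for on its own side. The following is an added example, not code from the article, 0patch or Varonis; it works over constructed sample records and assumes the collector stamps each record with its ingestion time, and it uses the Service Control Manager event ID 7034 (service terminated unexpectedly) as the explicit signal and a per-host silence threshold as the signal that still fires when that record never arrives.

```python
from collections import defaultdict
from datetime import datetime

# Service Control Manager event logged when a service dies unexpectedly.
EVENTLOG_CRASH_ID = 7034

# Constructed sample records: (host, ingestion timestamp, event ID, message).
# Timestamps are when the collector received the record, which is what goes
# quiet while wevtsvc is down, even if the host replays its queue later.
SAMPLE_EVENTS = [
    ("dc01", "2024-01-31T10:00:00", 4624, "An account was successfully logged on."),
    ("ws42", "2024-01-31T10:00:10", 4624, "An account was successfully logged on."),
    ("dc01", "2024-01-31T10:00:30", 4688, "A new process has been created."),
    ("ws42", "2024-01-31T10:00:40", EVENTLOG_CRASH_ID,
     "The Windows Event Log service terminated unexpectedly."),
    ("dc01", "2024-01-31T10:01:00", 4624, "An account was successfully logged on."),
    ("dc01", "2024-01-31T10:20:00", 4624, "An account was successfully logged on."),
]


def find_crash_events(events):
    """Explicit signal: SCM reported that the Event Log service terminated."""
    return [(host, ts) for host, ts, event_id, msg in events
            if event_id == EVENTLOG_CRASH_ID and "Event Log" in msg]


def find_silent_gaps(events, max_gap_seconds, now):
    """Silent signal: per host, every stretch longer than max_gap_seconds with
    no records, including the open-ended stretch from the last record to now.
    This catches dc01 below, which never sent a 7034 but simply went quiet."""
    seen = defaultdict(list)
    for host, ts, _, _ in events:
        seen[host].append(datetime.fromisoformat(ts))
    gaps = []
    for host, stamps in seen.items():
        stamps.sort()
        for start, end in zip(stamps, stamps[1:] + [datetime.fromisoformat(now)]):
            if (end - start).total_seconds() > max_gap_seconds:
                gaps.append((host, start.isoformat(), end.isoformat()))
    return gaps


if __name__ == "__main__":
    print("crash events:", find_crash_events(SAMPLE_EVENTS))
    print("silent gaps:", find_silent_gaps(SAMPLE_EVENTS, 300, "2024-01-31T10:25:00"))
```

In a real deployment the silence threshold should be set per host class, since a quiet workstation and a quiet domain controller have very different normal event rates.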
Unofficial security patches for affected Windows systems
The 0patch micropatching service released unofficial patches for most affected Windows versions on Wednesday, available for free until Microsoft releases official security updates to address the zero-day bug:
- Windows 11 v22H2, v23H2 – fully updated
- Windows 11 v21H2 – fully updated
- Windows 10 v22H2 – fully updated
- Windows 10 v21H2 – fully updated
- Windows 10 v21H1 – fully updated
- Windows 10 v20H2 – fully updated
- Windows 10 v2004 – fully updated
- Windows 10 v1909 – fully updated
- Windows 10 v1809 – fully updated
- Windows 10 v1803 – fully updated
- Windows 7 – no ESU, ESU1, ESU2, ESU3
- Windows Server 2022 – fully updated
- Windows Server 2019 – fully updated
- Windows Server 2016 – fully updated
- Windows Server 2012 – no ESU, ESU1
- Windows Server 2012 R2 – no ESU, ESU1
- Windows Server 2008 R2 – no ESU, ESU1, ESU2, ESU3, ESU4
“Since this is a ‘0day’ vulnerability with no official vendor fix available, we’re providing our micropatches for free until such a fix becomes available,” Kolsek said.
To install the required patches on your Windows system, create a 0patch account and install the 0patch agent on the device.
Once you have launched the agent, the micropatch will be applied automatically without requiring a system restart, provided there is no custom patching policy in place to block it.