0Day Exploit Causes Event Log Crash on Windows Network

The Eventlogcrasher Vulnerability Discovered in Windows

A new Windows vulnerability called the Eventlogcrasher has been found, allowing attackers to remotely disable the Event Log service on devices within a Windows domain. The attacker only needs a network connection to the target device and any valid credentials, even low-privileged ones.

This vulnerability affects all versions of Windows, from Windows 7 to the latest Windows 11, as well as Server 2008 R2 to Server 2022. The discovery is credited to a security researcher known as Florian, who reported it to the Microsoft Security Response Center (MSRC). Florian has also published a Proof-of-Concept (PoC). Microsoft has acknowledged the issue but stated that it does not meet the requirements for a fix and is a duplicate of a vulnerability discovered in 2022, without providing further details.

Another similar vulnerability called LogCrusher, disclosed by Varonis in 2022, has not yet been addressed. It allows any domain user to remotely crash the Event Log on any Windows computer.

According to Florian, the crash occurs in wevtsvc!VerifyUnicodeString when an attacker sends a malformed UNICODE_STRING object to ElfrRegisterEventSource. This function is reachable remotely over RPC (Remote Procedure Call).

The consequences of the Eventlogcrasher vulnerability are severe, as it directly impacts Security Information and Event Management (SIEM) systems and Intrusion Detection Systems (IDS): they will stop receiving new events and therefore cannot raise security alerts.

Fortunately, security and system events are queued in memory and will be written to the log once the Event Log service becomes available again. However, queued events may be lost if the queue fills up or if the attacked system is shut down.

The 0patch micropatching service has noted that an attacker with low privileges can disable the Event Log service on both the local machine and any other Windows computer on the network to which they can authenticate. In a Windows domain, this includes all domain computers, including domain controllers. During the outage, any detection mechanisms relying on Windows event logs will be blind, allowing the attacker to carry out further attacks such as password harvesting and remote service operations.
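A defender-side check for the blind window described above, as an added example that is not part of the original article: it looks for the Event Log service dying (Service Control Manager event ID 7034, Security event ID 1100, both standard Windows IDs not taken from the page) and, because those records only arrive once the service is back, also flags hosts that have gone silent relative to the rest of the fleet. Host names and event records are constructed.

```python
"""SIEM-side detection of a Windows Event Log service outage (added example)."""
from datetime import datetime, timedelta

# Constructed forwarded events: (host, ISO timestamp, channel, event_id, message).
# dc01's Event Log service dies at 10:00:30; ws17 keeps reporting normally.
SAMPLE_EVENTS = [
    ("dc01", "2024-02-01T10:00:00", "Security", 4624, "An account was successfully logged on."),
    ("dc01", "2024-02-01T10:00:30", "System", 7034,
     "The Windows Event Log service terminated unexpectedly. It has done this 1 time(s)."),
    ("ws17", "2024-02-01T10:00:10", "Security", 4624, "An account was successfully logged on."),
    ("ws17", "2024-02-01T10:05:00", "Security", 4624, "An account was successfully logged on."),
    ("ws17", "2024-02-01T10:10:00", "Security", 4672, "Special privileges assigned to new logon."),
    ("ws17", "2024-02-01T10:15:00", "Security", 4624, "An account was successfully logged on."),
]


def service_crash_alerts(events):
    """Signal 1: explicit records that the logging service stopped.

    SCM 7034 is written by the Service Control Manager when a service terminates
    unexpectedly; Security 1100 marks a shutdown of the logging service. Both are
    queued while the service is down, so they surface only after it recovers.
    """
    alerts = []
    for host, ts, channel, event_id, message in events:
        if channel == "System" and event_id == 7034 and "Windows Event Log" in message:
            alerts.append((host, ts, "EventLog service terminated unexpectedly (SCM 7034)"))
        elif channel == "Security" and event_id == 1100:
            alerts.append((host, ts, "event logging service shut down (Security 1100)"))
    return alerts


def silent_hosts(events, max_gap=timedelta(minutes=5)):
    """Signal 2: hosts whose newest event is older than max_gap compared with the
    newest event seen from any host. This fires during the outage, not after it,
    so it is the faster of the two signals when the service has been crashed."""
    last_seen = {}
    for host, ts, *_ in events:
        t = datetime.fromisoformat(ts)
        last_seen[host] = max(last_seen.get(host, t), t)
    fleet_now = max(last_seen.values())
    return sorted(h for h, t in last_seen.items() if fleet_now - t > max_gap)


if __name__ == "__main__":
    for alert in service_crash_alerts(SAMPLE_EVENTS):
        print("ALERT", *alert)
    print("silent hosts:", silent_hosts(SAMPLE_EVENTS))
```

Tune max_gap to the normal event rate of each host class; a quiet workstation will need a longer window than a domain controller.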
