In a recent discovery, cybersecurity researchers have identified a critical zero-day vulnerability posing a significant threat to the Windows Event Log service. This flaw, when exploited, has the potential to crash the service on all supported versions of Windows, including some legacy systems, raising concerns among enterprise defenders.
Discovered by security researcher Florian and reported to Microsoft, the zero-day vulnerability is currently without a patch. The Windows Event Log service plays a pivotal role in monitoring and recording system events, providing essential information for system administrators and security professionals. The exploitation of this vulnerability could result in widespread disruption of critical logging functions, hindering the ability to track and analyze system activities.
In PoC testing, the team discovered that the Windows Event Log service restarts after two crashes, but if it experiences a third crash, it remains inactive for a period of 24 hours. This extended downtime poses a considerable risk, as many security controls rely on the consistent functioning of the Event Log service. The fallout includes compromised security controls and non-operational security control products. This vulnerability allows attackers to exploit known vulnerabilities or launch attacks without triggering alerts, granting them the ability to act undetected, as outlined in the blog.
During the period when the service is down, detection mechanisms dependent on Windows logs will be incapacitated. This grants the attacker the freedom to conduct additional attacks, including activities like password brute-forcing, exploiting remote services with potentially destabilizing exploits, or executing common attacker tactics such as running the "whoami" command, all without attracting attention.
While the vulnerability is easily exploitable locally, a remote attacker aiming to utilize the PoC must establish an SMB connection and authenticate to the target computer. Configuring Windows to prevent this attack without completely disabling SMB poses a challenge, given its role in various network functionalities like shares and printers, according to Kolsek. Internet-facing Windows systems are unlikely to have open SMB connectivity, reducing the likelihood of remote exploitation.
The vulnerability proves advantageous for an attacker already present in the local network, especially if they have gained access to a low-privileged user's workstation. As a temporary solution until Microsoft issues a patch, users can apply a micro patch provided by Acros through the 0patch agent, tailored for multiple Windows releases and server versions. This helps mitigate potential real-time detection issues linked to the Event Log service's disablement.
