Windows 11 Privilege Escalation Vulnerability Lets Attackers Execute Code to Gain Access

Microsoft has swiftly addressed a critical security vulnerability affecting Windows 11 (version 23H2), which could allow local attackers to escalate privileges to the SYSTEM level.

Security researcher Alex Birnberg showcased the exploit during the renowned TyphoonPWN 2024 cybersecurity competition, securing third place for his demonstration of the flaw.

TyphoonPWN, one of the premier cybersecurity competitions, brings together security researchers from around the globe to expose vulnerabilities in widely used software.

Alex Birnberg’s successful demonstration of CVE-2024-30085 highlights the importance of such events in uncovering and addressing serious security flaws.

Details of the Vulnerability

The vulnerability, officially tracked as CVE-2024-30085, resides in the Cloud Files Mini Filter Driver (cldflt.sys).

The issue stems from improper validation of user-supplied data when parsing reparse points.

Specifically, the driver fails to validate the size of the data before copying it to a fixed-length heap-based buffer.

By exploiting this, an attacker could leverage the vulnerability to overwrite memory and execute code in the context of System, granting them elevated privileges.

In Windows 11, version 23H2, attackers must first gain the ability to execute low-privileged code on the targeted system to exploit this flaw, significantly escalating the risk in environments where users already have limited system access.

Independent security researchers analyzed the vulnerability in detail, identifying its root cause in the function HsmIBitmapNORMALOpen in the Windows Cloud Files Mini Filter Driver.

The improper handling of reparse point bitmaps allows attackers to bypass crucial checks and introduce malicious data into the system’s memory.

The flaw occurs in scenarios where the length verification of reparse data is skipped under specific conditions during file operations. This improper handling can be exploited to overwrite memory, leading to privilege escalation.

The exploit, demonstrated at TyphoonPWN 2024, involved creating a carefully crafted reparse point to exploit the vulnerable function and achieve SYSTEM-level privileges.

The demonstration earned Alex Birnberg third place in the competition, highlighting the creativity and technical depth of his analysis.

Best Practices:

• Restrict administrative access to trusted users.
• Regularly update all Windows systems with the latest patches.
• Monitor system activity for unusual behavior, especially around file operations and reparse points.
• Employ intrusion detection systems (IDS) to monitor for signs of exploits.

Organizations should also audit their use of the Cloud Files Mini Filter Driver and ensure that external access to systems requiring elevated privileges is minimized.

This recent discovery underscores the critical importance of proactive cybersecurity practices. Microsoft’s swift response in patching the vulnerability reflects the industry’s commitment to safeguarding users. All affected users should prioritize system updates to ensure their devices remain secure from this and other vulnerabilities.

Following the disclosure by Birnberg, Microsoft promptly released a patch to mitigate the vulnerability. Users are strongly urged to update their systems by applying the latest security update via the official Microsoft Update Guide:

Users are advised to immediately install the recent Windows update, which contains the patch for CVE-2024-30085.