New Windows Event Log zero-day flaw gets unofficial patches

Free unofficial patches are available for a new Windows zero-day flaw dubbed EventLogCrasher that lets attackers remotely crash the Event Log service on devices within the same Windows domain.

This zero-day vulnerability affects all versions of Windows, from Windows 7 up to the latest Windows 11 and from Server 2008 R2 to Server 2022.

EventLogCrasher was discovered and reported to the Microsoft Security Response Center team by a security researcher known just as Florian, with Redmond tagging it as not meeting servicing requirements and saying it's a duplicate of the 2022 bug (Florian also published a proof-of-concept exploit last week).

While Microsoft didn't provide more details regarding the 2022 vulnerability, software company Varonis disclosed a similar flaw dubbed LogCrusher (also still waiting for a patch) that can be exploited by any domain user to remotely crash the Event Log service on Windows machines across the domain.

To exploit the zero-day in default Windows Firewall configurations, attackers need network connectivity to the target device and any valid credentials (even with low privileges).

Therefore, they can always crash the Event Log service locally and on all Windows computers in the same Windows domain, including domain controllers, which will let them ensure that their malicious activity will no longer be recorded in the Windows Event Log.

As Florian explains, "The crash occurs in wevtsvc!VerifyUnicodeString when an attacker sends a malformed UNICODE_STRING object to the ElfrRegisterEventSourceW method exposed by the RPC-based EventLog Remoting Protocol."

Once the Event Log service crashes, Security Information and Event Management (SIEM) and Intrusion Detection Systems (IDS) will be directly impacted as they can no longer ingest new events to trigger security alerts.

Luckily, security and system events are queued in memory and will be added to the event logs after the Event Log service becomes available again. However, such queued events may be irrecoverable if the queue gets filled or the attacked system shuts down via power-off or due to a blue screen error.

"So far we've discovered that a low-privileged attacker can crash the Event Log service both on the local machine and on any other Windows computer in the network they can authenticate to. In a Windows domain, this means all domain computers including domain controllers," said 0patch co-founder Mitja Kolsek.

"During the service downtime, any detection mechanisms ingesting Windows logs will be blind, allowing the attacker to take time for further attacks - password brute-forcing, exploiting remote services with unreliable exploits that often crash them, or running every attacker's favorite whoami - without being noticed."

Unnoficial security patches for affected Windows systems

The 0patch micropatching service released unofficial patches for most affected Windows versions on Wednesday, available for free until Microsoft releases official security updates to address the zero-day bug:

1. Windows 11 v22H2, v23H2 - fully updated
2. Windows 11 v21H2 - fully updated
3. Windows 10 v22H2 - fully updated
4. Windows 10 v21H2 - fully updated
5. Windows 10 v21H1 - fully updated
6. Windows 10 v20H2 - fully updated
7. Windows 10 v2004 - fully updated
8. Windows 10 v1909 - fully updated
9. Windows 10 v1809 - fully updated
10. Windows 10 v1803 - fully updated
11. Windows 7 - no ESU, ESU1, ESU2, ESU3
12. Windows Server 2022 - fully updated
13. Windows Server 2019 - fully updated
14. Windows Server 2016 - fully updated
15. Windows Server 2012 - no ESU, ESU1
16. Windows Server 2012 R2 - no ESU, ESU1
17. Windows Server 2008 R2 - no ESU, ESU1, ESU2, ESU3, ESU4

"Since this is a '0day' vulnerability with no official vendor fix available, we are providing our micropatches for free until such fix becomes available," Kolsek said.

To install the necessary patches on your Windows system, create a 0patch account and install the 0patch agent on the device.

Once you've launched the agent, the micropatch will be applied automatically without requiring a system restart, provided there is no custom patching policy in place to block it.