Security
Headlines
HeadlinesLatestCVEs

Headline

Researchers Detail Windows Event Log Vulnerabilities: LogCrusher and OverLog

Cybersecurity researchers have disclosed details about a pair of vulnerabilities in Microsoft Windows, one of which could be exploited to result in a denial-of-service (DoS). The exploits, dubbed LogCrusher and OverLog by Varonis, take aim at the EventLog Remoting Protocol (MS-EVEN), which enables remote access to event logs.

While the former allows "any domain user to remotely

The Hacker News
#vulnerability#mac#windows#microsoft#dos#The Hacker News

Cybersecurity researchers have disclosed details about a pair of vulnerabilities in Microsoft Windows, one of which could be exploited to result in a denial-of-service (DoS).

The exploits, dubbed LogCrusher and OverLog by Varonis, take aim at the EventLog Remoting Protocol (MS-EVEN), which enables remote access to event logs.

While the former allows “any domain user to remotely crash the Event Log application of any Windows machine,” OverLog causes a DoS by “filling the hard drive space of any Windows machine on the domain,” Dolev Taler said in a report shared with The Hacker News.

OverLog has been assigned the CVE identifier CVE-2022-37981 (CVSS score: 4.3) and was addressed by Microsoft as part of its October Patch Tuesday updates. LogCrusher, however, remains unresolved.

“The performance can be interrupted and/or reduced, but the attacker cannot fully deny service,” the tech giant said in an advisory for the flaw released earlier this month.

The issues, according to Varonis, bank on the fact that an attacker can obtain a handle to the legacy Internet Explorer log, effectively setting the stage for attacks that leverage the handle to crash the Event Log on the victim machine and even induce a DoS condition.

This is achieved by combining it with another flaw in a log backup function (BackupEventLogW) to repeatedly backup arbitrary logs to a writable folder on the targeted host until the hard drive gets filled.

Microsoft has since remediated the OverLog flaw by restricting access to the Internet Explorer Event Log to local administrators, thereby reducing the potential for misuse.

“While this addresses this particular set of Internet Explorer Event Log exploits, there remains potential for other user-accessible application Event Logs to be similarly leveraged for attacks,” Taler said.

Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.

Related news

CVE-2022-45103: DSA-2022-340: Dell Unisphere for PowerMax, Dell Unisphere for PowerMax vApp, Dell Solutions Enabler vApp, Dell Unisphere 360, Dell VASA Provider vApp, and Dell PowerMax EMB Mgmt Security Update for Mu

Dell Unisphere for PowerMax vApp, VASA Provider vApp, and Solution Enabler vApp version 9.2.3.x contain an information disclosure vulnerability. A low privileged remote attacker could potentially exploit this vulnerability, leading to read arbitrary files on the underlying file system.

CVE-2022-37981

Windows Event Logging Service Denial of Service Vulnerability.

The Hacker News: Latest News

Warning: Over 2,000 Palo Alto Networks Devices Hacked in Ongoing Attack Campaign