Vulnerabilities Identified in Windows Driver Clipsp.sys
Quick take - Cisco Talos has discovered multiple vulnerabilities in clipsp.sys, the Windows kernel driver behind the Client Licensing Platform (CLiP) on Windows 10 and 11. They include a license signature bypass and elevation of privilege, and the driver’s obfuscation and lack of public debug symbols made them harder to find and to assess.
Fast Facts
- Cisco Talos identified multiple vulnerabilities in the Windows driver clipsp.sys, which implements the Client Licensing Platform on Windows 10 and 11, including a signature bypass and privilege escalation.
- Analysis was complicated by the driver’s obfuscation and the lack of publicly available debug symbols.
- The vulnerabilities are cataloged under identifiers such as TALOS-2024-1964 (CVE-2024-38184) and TALOS-2024-1965 (CVE-2024-38185), among others.
- The findings were presented at the HITCON and Hexacon conferences and show that obfuscated code still needs, and rewards, thorough security research.
Cisco Talos Identifies Vulnerabilities in Windows Driver Clipsp.sys
Cisco Talos has identified multiple vulnerabilities in the Windows driver clipsp.sys, which is integral to the Client Licensing Platform (CLiP) on Windows 10 and 11. ClipSp enforces licensing features and system policies from the kernel. Assessing the vulnerabilities was complicated by the driver’s obfuscation and the lack of publicly available debug symbols.
Identified Vulnerabilities
The identified vulnerabilities include critical issues such as signature bypass, elevation of privileges, and sandbox escape. Cisco Talos cataloged these vulnerabilities under several identifiers, including:
- TALOS-2024-1964 (CVE-2024-38184)
- TALOS-2024-1965 (CVE-2024-38185)
- TALOS-2024-1966 (CVE-2024-38186)
- TALOS-2024-1968 (CVE-2024-38062)
- TALOS-2024-1969 (CVE-2024-38187)
- TALOS-2024-1970 (CVE-2024-38062)
- TALOS-2024-1971 (CVE-2024-38062)
- TALOS-2024-1988 (CVE-2024-38062)
The findings were presented at the HITCON and Hexacon conferences, drawing attention to the importance of robust security research, especially in the context of obfuscated code.
Challenges in Security Assessment
ClipSp handles licensing for Windows applications and activation services. The driver is protected with Microsoft’s proprietary Warbird obfuscator, which is rarely applied to Microsoft binaries. The obfuscation, together with the absence of public symbols, made static analysis difficult, and the little prior research that exists mostly covers older versions of the driver.
Talos deobfuscated the driver by emulating it with the Qiling binary emulation framework. The function ClipSpInitialize exposes ClipSp’s functions to other kernel components; from user mode, they are reached through NtQuerySystemInformation with the SystemPolicyInformation information class.
Implications of Vulnerabilities
ClipSp manages the license files that Windows activation depends on and provisions cryptographic material. Licenses are stored as tag-length-value (TLV) blobs in the Windows registry, readable only by the SYSTEM account. The driver embeds hardcoded public keys to verify license signatures, and one of the discovered vulnerabilities bypasses that verification: the check can be defeated when data follows the signature in the blob, because the parser keeps consuming records that the signature does not cover.
Several out-of-bounds reads stem from incorrect assumptions about the sizes of fields in license blobs; the same mistakes can turn into out-of-bounds writes, which is most concerning in the code path that installs hardware licenses. Because the code is obfuscated, such bugs are harder to spot and harder to confirm as fixed.
These findings underscore the need for thorough security research into software even when it is obfuscated: obfuscation raises the cost of analysis but does not remove the underlying vulnerabilities.
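The two parsing mistakes described above, a signature that does not cover trailing records and a length field trusted without checking the bytes that actually remain, can be shown on a small TLV walker. The following is an added example and not ClipSp’s code or Talos’s: the tags (TAG_LICENSE_ID, TAG_FEATURE, TAG_SIGNATURE), the 1-byte-tag/2-byte-length layout, the sample blob and the FNV-1a “signature” standing in for the real public-key check are all assumptions made for illustration. The vulnerable walker verifies the signature over the prefix and then keeps parsing, so an appended, unsigned FEATURE record overrides the signed one; the hardened walker rejects any bytes after the signature, and both reject a length field that overruns the blob.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical tags for this illustration; they are not ClipSp's real TLV tags. */
enum { TAG_LICENSE_ID = 0x01, TAG_FEATURE = 0x02, TAG_SIGNATURE = 0xFF };

typedef struct { uint8_t tag; uint16_t len; const uint8_t *val; } tlv_t;

/* Decode one record: 1-byte tag, 2-byte little-endian length, value.
 * The length is checked against the bytes that really remain; trusting the
 * field alone is the out-of-bounds read pattern the text describes. */
static int tlv_next(const uint8_t *buf, size_t buflen, size_t *off, tlv_t *rec)
{
    if (buflen - *off < 3) return -1;                         /* header does not fit */
    uint16_t len = (uint16_t)(buf[*off + 1] | ((uint16_t)buf[*off + 2] << 8));
    if (len > buflen - *off - 3) return -1;                   /* value would run past the blob */
    rec->tag = buf[*off];
    rec->len = len;
    rec->val = buf + *off + 3;
    *off += 3 + (size_t)len;
    return 0;
}

/* Stand-in for the real public-key signature check: FNV-1a over the signed prefix. */
static uint32_t fnv1a(const uint8_t *p, size_t n)
{
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x01000193u; }
    return h;
}

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk the records. strict=1 is the hardened behaviour: once the signature record
 * is verified, any further bytes are rejected instead of parsed.
 * Returns the feature value, -1 for malformed input, -2 for a bad or missing
 * signature, -3 for unsigned trailing data (strict only). */
static int parse_license(const uint8_t *buf, size_t buflen, int strict)
{
    size_t off = 0;
    int feature = -2, signed_ok = 0;
    tlv_t rec;
    while (off < buflen) {
        size_t rec_start = off;                               /* signature covers [0, rec_start) */
        if (tlv_next(buf, buflen, &off, &rec) != 0) return -1;
        switch (rec.tag) {
        case TAG_FEATURE:
            if (rec.len != 2) return -1;
            feature = rec.val[0] | (rec.val[1] << 8);         /* last record wins */
            break;
        case TAG_SIGNATURE:
            if (rec.len != 4 || get_le32(rec.val) != fnv1a(buf, rec_start)) return -2;
            signed_ok = 1;
            if (strict && off != buflen) return -3;           /* bytes after the signature are unsigned */
            break;
        default:
            break;                                            /* TAG_LICENSE_ID and unknown tags ignored */
        }
    }
    return signed_ok ? feature : -2;
}

static size_t put_rec(uint8_t *out, uint8_t tag, const uint8_t *val, uint16_t len)
{
    out[0] = tag; out[1] = (uint8_t)len; out[2] = (uint8_t)(len >> 8);
    memcpy(out + 3, val, len);
    return 3 + (size_t)len;
}

/* Constructed sample blob (not a real license): ID, FEATURE=1, SIGNATURE, then
 * optionally an attacker-appended FEATURE=0xFFFF record that the signature does not cover. */
static size_t build_sample(uint8_t *out, int append_unsigned)
{
    static const uint8_t id[] = "LIC-0001";
    static const uint8_t one[2] = { 1, 0 };
    static const uint8_t big[2] = { 0xFF, 0xFF };
    uint8_t sig[4];
    size_t n = 0;
    n += put_rec(out + n, TAG_LICENSE_ID, id, 8);
    n += put_rec(out + n, TAG_FEATURE, one, 2);
    uint32_t h = fnv1a(out, n);                               /* "sign" everything so far */
    sig[0] = (uint8_t)h; sig[1] = (uint8_t)(h >> 8); sig[2] = (uint8_t)(h >> 16); sig[3] = (uint8_t)(h >> 24);
    n += put_rec(out + n, TAG_SIGNATURE, sig, 4);
    if (append_unsigned) n += put_rec(out + n, TAG_FEATURE, big, 2);
    return n;
}

int feature_vulnerable(int append_unsigned)
{
    uint8_t blob[64];
    return parse_license(blob, build_sample(blob, append_unsigned), 0);
}

int feature_hardened(int append_unsigned)
{
    uint8_t blob[64];
    return parse_license(blob, build_sample(blob, append_unsigned), 1);
}

/* A length field claiming 0x0200 bytes when only two follow: both walkers reject it. */
int parse_truncated(void)
{
    uint8_t blob[5] = { TAG_FEATURE, 0x00, 0x02, 0xAA, 0xBB };
    return parse_license(blob, sizeof blob, 1);
}

int main(void)
{
    printf("vulnerable, clean blob : %d\n", feature_vulnerable(0));
    printf("vulnerable, appended   : %d\n", feature_vulnerable(1));
    printf("hardened, appended     : %d\n", feature_hardened(1));
    printf("truncated length field : %d\n", parse_truncated());
    return 0;
}
```

The fix is in the signature handler: either the signature must cover the whole blob, or the parser must stop at the signature record and refuse anything after it, which is what the strict path does. The length check in tlv_next is the other half; a parser that reads rec.len bytes without comparing it to the remaining buffer is the out-of-bounds read the text mentions.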
Original Source: Read the Full Article Here