Full Report
By Philippe Laulheret

ClipSP (clipsp.sys) is a Windows driver used to implement client licensing and system policies on Windows 10 and 11 systems. Cisco Talos researchers have discovered eight vulnerabilities related to clipsp.sys, ranging from signature bypass to elevation of privileges and sandbox escape:

- TALOS-2024-1964 (CVE-2024-38184)
- TALOS-2024-1965 (CVE-2024-38185)
Analysis Summary
# Vulnerability: Multiple Vulnerabilities in Windows ClipSP Driver (Elevation of Privilege, Sandbox Escape)
## CVE Details
- CVE ID: CVE-2024-38184, CVE-2024-38185, CVE-2024-38186, CVE-2024-38062, CVE-2024-38187. (Note: the article lists four reports referencing CVE-2024-38062. A severity is not given for all eight, but elevation of privilege and sandbox escape imply High severity.)
- CVSS Score: Not explicitly listed; High severity is inferred from the impact (EoP, sandbox escape).
- CWE: Various (e.g., buffer errors and logic errors leading to EoP or sandbox escape).
## Affected Systems
- Products: Microsoft Windows (Specifically Windows 10 and Windows 11 operating systems utilizing the `clipsp.sys` driver).
- Versions: Specific vulnerable versions are not detailed; any system running an affected build of the `clipsp.sys` component is in scope.
- Configurations: Issues appear related to how the driver handles client licensing and system policies, particularly when interacting via `NtQuerySystemInformation` or internal licensing logic.
## Vulnerability Description
The vulnerabilities reside within `clipsp.sys` (Client Licensing Platform driver), which is protected with the Warbird obfuscator and is responsible for licensing and system policies. Security researchers deobfuscated the driver and found eight distinct security flaws.
Key technical findings mentioned include:
1. **Out-of-Bounds (OOB) Reads and Writes:** Functions such as `get_DeviceIDSize` are susceptible to OOB reads because they validate only one byte of the required data-structure length, so larger lengths pass the check and reads run beyond the intended boundary.
2. **Race Condition leading to OOB Write:** Building on the OOB read, the variable describing the size of a DeviceID object is consumed twice: once by `get_DeviceIDSize` to size an allocation, and again as the length of a subsequent `memcpy`. If the value is changed between the two calls, the copy overruns the allocation; turning this into an exploitable OOB write requires winning the race and shaping the heap appropriately.
3. **General logic flaws/memory corruption:** The remaining vulnerabilities cover signature bypass, elevation of privileges (EoP), and sandbox escape.
The driver is normally reached via `ntoskrnl.exe`: calling `NtQuerySystemInformation` with the `SystemPolicy` information class routes the request to `clipsp.sys`.
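The two memory-safety findings above (a length check covering only one byte, and a length fetched once for the allocation and again for the copy) reduce to the classic double-fetch pattern. The C sketch below is an added example, not Talos's or Microsoft's code; the `device_id_blob` layout, the `copy_device_id_*` functions and the race hook are hypothetical and only model the pattern the summary describes, alongside the single-snapshot form that closes it.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Constructed stand-in for a DeviceID-style object: a length field (which a
   racing writer can change at any moment) followed by the payload. Hypothetical
   layout for illustration only, not the real clipsp.sys structure. */
typedef struct { volatile uint32_t size; uint8_t data[64]; } device_id_blob;
typedef void (*race_hook)(device_id_blob *b);   /* stands in for a racing thread */
/* Vulnerable pattern: the length is fetched twice (once to size the allocation, once
   for the copy) and the only check inspects its low byte. Returns how many bytes the
   copy would run past the allocation; the copy itself is clamped to stay memory-safe. */
size_t copy_device_id_double_fetch(device_id_blob *blob, race_hook hook)
{
    uint32_t alloc_size = blob->size;                         /* fetch #1 */
    if ((alloc_size & 0xFF) > sizeof blob->data) return 0;   /* low byte only */
    uint8_t *out = malloc(alloc_size ? alloc_size : 1);
    if (!out) return 0;
    if (hook) hook(blob);                                     /* race window */
    uint32_t copy_size = blob->size;                          /* fetch #2, trusted */
    size_t overflow = copy_size > alloc_size ? copy_size - alloc_size : 0;
    size_t n = copy_size < alloc_size ? copy_size : alloc_size;
    memcpy(out, blob->data, n < sizeof blob->data ? n : sizeof blob->data);
    free(out);
    return overflow;
}
/* Hardened: snapshot the shared object once, validate the full-width length, and use
   only the private copy afterwards so a racing writer cannot change the size. */
int copy_device_id_single_fetch(const device_id_blob *shared, uint8_t *out, size_t cap)
{
    device_id_blob local;
    memcpy(&local, shared, sizeof local);
    if (local.size > sizeof local.data || local.size > cap) return -1;
    memcpy(out, local.data, local.size);
    return (int)local.size;
}
static void grow_size(device_id_blob *b) { b->size = 0x1000; }
/* Scenario: a 16-byte object whose size becomes 0x1000 between the two fetches. */
size_t demo_race_overflow(void) {
    device_id_blob blob = { .size = 16 };
    return copy_device_id_double_fetch(&blob, grow_size);   /* 4096 - 16 = 4080 */
}
/* The same object through the hardened copy, before and after the size change. */
int demo_hardened(void) {
    device_id_blob blob = { .size = 16 };
    uint8_t out[64];
    int first = copy_device_id_single_fetch(&blob, out, sizeof out);
    grow_size(&blob);
    return first == 16 && copy_device_id_single_fetch(&blob, out, sizeof out) == -1;
}
```

The hardened variant also illustrates why the one-byte check matters: a length of 0x100 passes `(size & 0xFF) <= 64` in the vulnerable path but is rejected by the full-width comparison.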
## Exploitation
- Status: Exploitation leading to EoP and sandbox escape is implied. PoC availability is not explicitly stated, though the researchers' success implies feasibility.
- Complexity: Exploiting the OOB-write resulting from the race condition is described as "far from trivial," requiring heap shaping. Other vulnerabilities may be simpler.
- Attack Vector: Local (Requires access to the system to call the necessary kernel functions).
## Impact
- Confidentiality: High (Implied, potentially leading to information disclosure via OOB reads).
- Integrity: High (Directly involved in EoP/Sandbox Escape scenarios).
- Availability: High (Potential for denial of service via driver instability).
## Remediation
### Patches
- Specific patch versions are not listed in the source text. Consult the Microsoft security advisories for the CVEs listed above and apply the updates that address them.
### Workarounds
- No specific workarounds are detailed in the provided summary text. Disabling the ClipSP licensing functionality might in theory reduce exposure where that is possible, but this is not confirmed as a supported workaround.
## Detection
- **Indicators of Compromise:** Exploitation would likely manifest as rapid, unusual privilege escalation, system instability, or memory corruption detected within kernel space operations related to system information queries.
- **Detection methods and tools:** Detecting active exploitation of these flaws may be challenging because of the driver's obfuscation. Kernel monitoring tools that can track suspicious calls to `NtQuerySystemInformation` with the `SystemPolicy` class, or flag anomalous heap manipulation adjacent to known license blob allocations, could be relevant post-patch.
## References
- Cisco Talos Intelligence Reports:
  - [TALOS-2024-1964](https://talosintelligence.com/vulnerability_reports/TALOS-2024-1964)
  - [TALOS-2024-1965](https://talosintelligence.com/vulnerability_reports/TALOS-2024-1965)
  - [TALOS-2024-1966](https://talosintelligence.com/vulnerability_reports/TALOS-2024-1966)
  - [TALOS-2024-1968](https://talosintelligence.com/vulnerability_reports/TALOS-2024-1968)
  - [TALOS-2024-1969](https://talosintelligence.com/vulnerability_reports/TALOS-2024-1969)
  - [TALOS-2024-1970](https://talosintelligence.com/vulnerability_reports/TALOS-2024-1970)
  - [TALOS-2024-1971](https://talosintelligence.com/vulnerability_reports/TALOS-2024-1971)
  - [TALOS-2024-1988](https://talosintelligence.com/vulnerability_reports/TALOS-2024-1988)
- Related External Research (Historical Context/Deobfuscation):
  - [https://github.com/KiFilterFiberContext/windows-software-policy](https://github.com/KiFilterFiberContext/windows-software-policy)
  - [https://massgrave.dev/blog/keyhole](https://massgrave.dev/blog/keyhole)