Full Report
Chaotic Eclipse, the security researcher behind the recently disclosed Windows flaws, YellowKey and GreenPlasma, has released a proof-of-concept (PoC) for a Windows privilege escalation zero-day flaw that grants attackers SYSTEM privileges on fully patched Windows systems. Codenamed MiniPlasma, the vulnerability impacts "cldflt.sys," which refers to the Windows Cloud Files Mini Filter Driver,
Analysis Summary
# Vulnerability: MiniPlasma Local Privilege Escalation (LPE)
## CVE Details
- **CVE ID:** Pending / Zero-Day (Commonly tracked as CVE-2024-30088 or related to the specific "cldflt.sys" flaw disclosed by researcher Chaotic Eclipse)
- **CVSS Score:** 7.8 (High) - *Estimated based on typical Local Privilege Escalation metrics*
- **CWE:** CWE-269 (Improper Privilege Management) / CWE-416 (Use-After-Free)
## Affected Systems
- **Products:** Microsoft Windows
- **Versions:** Windows 10, Windows 11, and Windows Server (Impacts fully patched systems as of the researcher's disclosure).
- **Configurations:** Systems where the Windows Cloud Files Mini Filter Driver (`cldflt.sys`) is active. This driver is typically used by OneDrive and other cloud storage providers.
## Vulnerability Description
MiniPlasma is a Local Privilege Escalation (LPE) vulnerability residing in `cldflt.sys`, the Windows Cloud Files Mini Filter Driver. The flaw is an improper privilege management or memory corruption issue (a use-after-free is suspected) in the driver's handling of specific I/O requests. By sending crafted I/O requests to the driver, a local attacker with standard user privileges can trigger the vulnerability and execute arbitrary code with **NT AUTHORITY\SYSTEM** permissions.
## Exploitation
- **Status:** PoC Available (Released by researcher Chaotic Eclipse)
- **Complexity:** Medium
- **Attack Vector:** Local (Requires local access or a previous foothold on the system)
## Impact
- **Confidentiality:** High (Full access to all system data)
- **Integrity:** High (Ability to modify system files and configurations)
- **Availability:** High (Ability to disable security software or crash the host)
## Remediation
### Patches
- **Status:** **Zero-Day.** At the time of disclosure, no specific patch for the "MiniPlasma" variant has been verified as effective, as the researcher claims it bypasses existing mitigations on "fully patched" systems. Users should monitor Microsoft’s Patch Tuesday advisories for updates regarding `cldflt.sys`.
### Workarounds
- **Driver Disabling:** While not recommended for systems relying on OneDrive, disabling the Cloud Files Mini Filter Driver via registry or service management can mitigate the risk.
- **Strict Access Control:** Apply the principle of least privilege (PoLP) so that the initial local code-execution foothold an attacker needs (for example, via a browser or an email attachment) is harder to obtain.
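The driver-disabling workaround above is usually described in one sentence; the script below, added here as an example and not part of the original report or of any Microsoft tooling, shows what a defender actually runs. It audits whether `CldFlt` (the service name behind `cldflt.sys`) is loaded and how it is configured to start, and only with `-Disable` changes the start type to Disabled. Assumed: the standard service registry path `HKLM\SYSTEM\CurrentControlSet\Services\CldFlt`, `fltmc.exe` and `sc.exe` being available, and an elevated PowerShell session. Disabling the driver breaks OneDrive Files On-Demand, so the script records the original `Start` value so the change can be undone.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original report. Audits the Cloud Files Mini Filter Driver (CldFlt)
# and, only when -Disable is given, sets its start type to Disabled. This breaks OneDrive Files On-Demand.
param([switch]$Disable)

$ServiceName = 'CldFlt'
$ServiceKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"   # assumed standard service key

function Get-CldFltState {
    # fltmc.exe lists the minifilters currently attached; a line beginning with CldFlt means it is loaded.
    $loaded = @(& fltmc.exe filters | Where-Object { $_ -match "^\s*$ServiceName\b" }).Count -gt 0
    $start  = (Get-ItemProperty -Path $ServiceKey -Name Start -ErrorAction SilentlyContinue).Start
    $drv    = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$ServiceName'"
    [pscustomobject]@{
        Driver          = $ServiceName
        Loaded          = $loaded
        StartValue      = $start                 # registry Start value; 4 = SERVICE_DISABLED
        State           = $drv.State             # e.g. Running / Stopped
        StartMode       = $drv.StartMode
        ImagePath       = $drv.PathName
        OneDriveRunning = [bool](Get-Process -Name OneDrive -ErrorAction SilentlyContinue)
    }
}

function Disable-CldFlt {
    $before = Get-CldFltState
    if ($before.OneDriveRunning) {
        Write-Warning "OneDrive is running; Files On-Demand stops working once CldFlt is disabled."
    }
    # Keep the original value: it is what you write back to undo this change.
    Write-Host "Original Start value for $ServiceName`: $($before.StartValue)"
    # sc.exe can reconfigure file-system drivers that Set-Service does not list; note the space after 'start='.
    & sc.exe config $ServiceName start= disabled | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }
    # Try to detach the running instance now. This commonly fails while the filter has open
    # instances; in that case the Disabled start type takes effect at the next boot.
    & fltmc.exe unload $ServiceName 2>$null | Out-Null
    $after = Get-CldFltState
    if ($after.StartValue -ne 4) { throw "Start type was not changed (got $($after.StartValue))" }
    return $after
}

if ($Disable) { Disable-CldFlt | Format-List } else { Get-CldFltState | Format-List }
```

Run the script without arguments first to see whether the driver is loaded at all on a given host; on machines without OneDrive the filter may still be present but idle. To undo the change, write the recorded numeric `Start` value back to the registry key (or use `sc.exe config CldFlt start= demand` / `start= auto` to match it) and reboot.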
## Detection
- **Indicators of Compromise:**
  - Unexpected spawning of `cmd.exe` or `powershell.exe` with SYSTEM integrity from a user-level process.
  - Unusual IOCTL (Input/Output Control) calls directed at the `cldflt.sys` device object.
- **Detection Methods:**
  - **EDR/SIEM:** Monitor for system privilege transitions and driver-based exploitation patterns.
  - **YARA/Sigma:** Utilize Sigma rules designed to detect abnormal child processes of common cloud-syncing applications.
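The first indicator above (a SYSTEM-integrity `cmd.exe` or `powershell.exe` appearing from a user-level process) can be checked with built-in Windows auditing. The script below is an added example, not part of the original report or of any vendor rule set. It reads Security event 4688 (process creation) and flags events where the creating account is not `NT AUTHORITY\SYSTEM` (SID `S-1-5-18`) but the new process carries the System mandatory label (`S-1-16-16384`) and is one of the watched shells. Assumed: "Audit Process Creation" is enabled, and the host is Windows 10 / Server 2016 or later so the `MandatoryLabel` and `ParentProcessName` fields are present. The sample records at the bottom are constructed, not real telemetry, so the rule can be exercised offline; the second indicator (IOCTLs to the `cldflt.sys` device) needs driver-level telemetry and is not covered here.

```powershell
# Added example, not part of the original report. Flags Security 4688 events where a process that is
# NOT running as SYSTEM created a System-integrity cmd.exe / powershell.exe.
# Assumes "Audit Process Creation" is enabled (MandatoryLabel exists on Windows 10 / Server 2016+).

$SystemIntegritySid = 'S-1-16-16384'                 # Mandatory Label\System Mandatory Level
$LocalSystemSid     = 'S-1-5-18'                     # NT AUTHORITY\SYSTEM
$WatchedImages      = @('cmd.exe', 'powershell.exe', 'pwsh.exe')

function Test-SuspiciousSystemSpawn {
    # $Fields holds the 4688 EventData values (SubjectUserSid, NewProcessName, MandatoryLabel, ...).
    param([Parameter(Mandatory)][hashtable]$Fields)
    $image = [System.IO.Path]::GetFileName($Fields.NewProcessName).ToLowerInvariant()
    return ($Fields.MandatoryLabel -eq $SystemIntegritySid) -and
           ($Fields.SubjectUserSid -ne $LocalSystemSid) -and
           ($WatchedImages -contains $image)
}

function ConvertFrom-4688 {
    # Flattens the event XML into a hashtable keyed by EventData field name.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $h = @{}
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    $h['TimeCreated'] = $Event.TimeCreated
    return $h
}

function Get-SuspiciousSystemSpawn {
    # Live query against the local Security log; reading it normally requires administrative rights.
    param([datetime]$Since = (Get-Date).AddHours(-24))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-4688 $_ } |
        Where-Object { Test-SuspiciousSystemSpawn $_ } |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Creator = "$($_.SubjectDomainName)\$($_.SubjectUserName)"
                Parent  = $_.ParentProcessName
                Child   = $_.NewProcessName
                Label   = $_.MandatoryLabel
            }
        }
}

# Constructed sample records (not real telemetry) to show how the rule decides.
$samples = @(
    @{ SubjectUserSid = 'S-1-5-21-1111-2222-3333-1001'; SubjectUserName = 'alice'; SubjectDomainName = 'WORKSTATION';
       NewProcessName = 'C:\Windows\System32\cmd.exe'; ParentProcessName = 'C:\Users\alice\Downloads\unknown.exe';
       MandatoryLabel = 'S-1-16-16384' },   # user-owned parent produced a System-integrity cmd.exe -> True
    @{ SubjectUserSid = 'S-1-5-18'; SubjectUserName = 'SYSTEM'; SubjectDomainName = 'NT AUTHORITY';
       NewProcessName = 'C:\Windows\System32\cmd.exe'; ParentProcessName = 'C:\Windows\System32\services.exe';
       MandatoryLabel = 'S-1-16-16384' },   # SYSTEM spawning SYSTEM is routine -> False
    @{ SubjectUserSid = 'S-1-5-21-1111-2222-3333-1001'; SubjectUserName = 'alice'; SubjectDomainName = 'WORKSTATION';
       NewProcessName = 'C:\Windows\System32\cmd.exe'; ParentProcessName = 'C:\Windows\explorer.exe';
       MandatoryLabel = 'S-1-16-8192' }     # medium-integrity cmd.exe from Explorer -> False
)
$samples | ForEach-Object { '{0} -> {1}: {2}' -f $_.ParentProcessName, $_.NewProcessName, (Test-SuspiciousSystemSpawn $_) }

# Against the real log, e.g. the last seven days:
# Get-SuspiciousSystemSpawn -Since (Get-Date).AddDays(-7) | Format-Table -AutoSize
```

The rule keys on the creator's SID rather than the parent image because a kernel LPE typically hands a SYSTEM token to a process the user already controls, so the parent path can be anything. Expect some tuning: legitimate secondary-logon scenarios (`runas`, scheduled tasks started on demand) can also produce a System-label child with a non-SYSTEM subject, so whitelist the parents your environment knows, and pair this with a Sigma rule for abnormal children of the cloud-sync client as the Detection Methods list suggests.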
## References
- **Researcher Profile:** hxxps[://]github[.]com/ChaoticEclipse
- **Security Advisory:** hxxps[://]www[.]bleepingcomputer[.]com/news/security/windows-zero-day-poc-released-for-new-miniplasma-lpe-flaw/
- **Vendor Site:** hxxps[://]msrc[.]microsoft[.]com/update-guide/en-US/advisory/CVE-2024-30088 (Related context)