TechRadar
Sead Fadilpašić

'The exact same issue that was reported to Microsoft by Google project zero is actually still present, unpatched': Chaotic Eclipse strikes again with another worrying Windows security flaw

  • Researcher Chaotic Eclipse discloses new Windows 11 zero‑day affecting the Cloud Filter driver
  • MiniPlasma, originally tracked as CVE‑2020‑17103, was reported years ago but remains exploitable despite prior patch attempts
  • It is the sixth vulnerability leaked by the researcher, highlighting ongoing disputes with Microsoft’s handling of bug reports

Threat actors could escalate privileges and gain SYSTEM access on a fully patched Windows 11 device thanks to an unpatched vulnerability which allegedly should have been fixed years ago, new reports have claimed.

A researcher with the alias Chaotic Eclipse recently disclosed a Proof-of-Concept (PoC) exploit for a zero-day vulnerability they named “MiniPlasma”. In a new GitHub entry, the researcher said the bug impacts the 'cldflt.sys' Cloud Filter driver and its 'HsmOsBlockPlaceholderAccess' routine.

They said Google’s Project Zero reported the issue to Microsoft back in December 2020, and Microsoft even patched it at some point in the meantime. However, for reasons unknown, the vulnerability can now be exploited. They speculate that the patch was either poorly done or rolled back.

"After investigating, it turns out the exact same issue that was reported to Microsoft by Google project zero is actually still present, unpatched," Chaotic Eclipse said. "I'm unsure if Microsoft just never patched the issue or the patch was silently rolled back at some point for unknown reasons. The original PoC by Google worked without any changes."

The vulnerability, tracked as CVE-2020-17103, was tested by researchers at BleepingComputer, as well as by independent researcher Will Dormann, of Tharros, and both have confirmed that it works. Dormann did stress that the bug doesn’t work in the latest Windows 11 Insider Preview Canary build.

For weeks now, Chaotic Eclipse has been steadily disclosing different vulnerabilities affecting fully patched Windows 11 machines. Apparently, they are unsatisfied with how Microsoft handles bug reports. So far, they’ve leaked five vulnerabilities, called RedSun, UnDefend, BlueHammer, YellowKey and GreenPlasma. RedSun was allegedly patched quietly in the meantime.

With MiniPlasma, the total number is now six, and it’s safe to assume there will be more.

"Normally, I would go through the process of begging them to fix a bug but to summarize, I was told personally by them that they will ruin my life and they did and I'm not sure if I was the only one who had this horrid experience or few people did but I think most would just eat it and cut their losses but for me, they took away everything," the researcher said.

"They mopped the floor with me and pulled every childish game they could. It was so bad at some point I was wondering if I was dealing with a massive corporation or someone who is just having fun seeing me suffer but it seems to be a collective decision."
