Elastic on Monday refuted claims that its Defend EDR product is affected by a “zero-day vulnerability”.
The company’s response was triggered by an August 16 blog post from Ashes Cybersecurity, which claims that a signed Elastic kernel driver mishandles memory operations under certain conditions, causing a system crash that can be repeatedly triggered.
“The flaw occurs in a code path where a user-mode controllable pointer is passed into a kernel function without proper validation,” Ashes says, explaining that the issue leads to a null pointer dereference.
“This vulnerable code path can be exercised during normal system activity, such as specific compilation or process injection attempts. When the driver mishandles the memory pointer, it can be forced into a kernel-level crash,” Ashes says.
In a technical writeup, the company explains that Elastic’s EDR can be bypassed using its custom C-based loader to execute arbitrary code on the system.
This would allow an attacker to plant a custom kernel driver that could interact with Elastic’s kernel driver and trigger the flaw to turn the legitimate driver into a malicious tool.
“For proof-of-concept demonstration, I used a custom driver to reliably trigger the flaw under controlled conditions. This shows that the vulnerability doesn’t rely on traditional malware; the Elastic driver itself exhibits the malicious behavior once the faulty code path is reached,” Ashes notes.
Responding to Ashes’ post, Elastic said its investigation into the claims found no evidence that a vulnerability in Defend EDR could lead to detection bypass and remote code execution (RCE).
“While the researcher claims to be able to trigger a crash/BSOD in the Elastic Endpoint driver from an unprivileged process, the only demonstration they have provided does so from another kernel driver,” Elastic notes.
Elastic said the researcher submitted several reports about the potential bypass and RCE, but that these reports contained no evidence or reproducible exploits. It added that the researcher refused to provide a proof-of-concept (PoC) exploit that its security team could reproduce.
“By not sharing full details and publicly posting, the conduct of this security researcher is contrary to the principles of coordinated disclosure,” Elastic says.
In response to Elastic’s rejection, Ashes updated its post with alleged proof of a user-mode crash, which Elastic was quick to refute as well.
“Elastic has reviewed additional evidence shared in a blog post on August 19th. Our prior assessment stands. For users of Elastic Defend, no action is required,” the company said.