AshES Cybersecurity has disclosed a critical zero-day vulnerability in Elastic's Endpoint Detection and Response (EDR) software that turns the security tool into a weapon against the systems it is designed to protect.
The flaw, found in the Microsoft-signed kernel driver "elastic-endpoint-driver.sys," allows attackers to bypass security measures, execute malicious code, and repeatedly crash protected systems.
Despite multiple disclosure attempts through official channels since June 2024, the vulnerability remains unpatched, prompting the security firm to go public with its findings.
The vulnerability represents a nightmare scenario for enterprise cybersecurity, in which trusted security software becomes the very tool used to compromise systems.
The zero-day affects Elastic's kernel driver through a NULL pointer dereference flaw (CWE-476), which occurs when user-controllable pointers are passed into kernel functions without proper validation.
According to AshES Cybersecurity's technical analysis, the vulnerability enables a devastating four-step attack chain:
- EDR Bypass: Attackers can circumvent Elastic's security features using a custom C-based loader.
- Remote Code Execution: They gain code execution capabilities with minimal risk of detection.
- Persistence: They establish long-term access by planting a custom kernel driver that interacts with the vulnerable Elastic component.
- Privileged Denial-of-Service: They can trigger repeated system crashes, rendering protected systems unusable.
The flaw occurs at a specific offset within the driver where the instruction "call cs:InsertKernelFunction" executes with a register dereferencing a user-controlled pointer. When this pointer is NULL, freed, or corrupted, the kernel routine crashes without validation, resulting in the dreaded Blue Screen of Death (BSOD).
Most concerning is that this vulnerable code path can be triggered during normal system operations, including compilation tasks or process injection attempts.
Two points matter for defenders weighing the chain above: a NULL pointer dereference in kernel context is a crash primitive, so the denial of service is the effect demonstrated directly, and the persistence step relies on loading a custom kernel driver, which on Windows requires administrative privileges and a driver that passes driver signature enforcement.
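As an added illustration (not Elastic's code and not AshES Cybersecurity's proof of concept), the portable C below models the CWE-476 pattern the analysis describes: a kernel-style routine that dereferences a caller-supplied pointer without checking it, next to a hardened version that rejects NULL and out-of-range pointers and copies the buffer into its own storage before use. The request structure, status codes, the "user arena" and the probe callback are illustrative assumptions; a real Windows driver would probe the user buffer with ProbeForRead inside a __try/__except block at that step.

```c
/* Added example: models a kernel routine that trusts a user-controlled
 * pointer (CWE-476) beside a hardened equivalent. Everything here is a
 * user-mode stand-in; the struct, status codes and probe are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

typedef int32_t status_t;
#define STATUS_OK                 0
#define STATUS_INVALID_PARAMETER (-1)
#define STATUS_INVALID_ADDRESS   (-2)

/* Hypothetical request handed in by a user-mode caller. */
struct request {
    const char *name;   /* user-controlled pointer */
    size_t      len;    /* user-controlled length */
};

#define SLOT_SIZE 64
static char g_registered[SLOT_SIZE];   /* hypothetical kernel-side slot */
static char g_user_arena[256];         /* stand-in for user address space */

/* Vulnerable: req->name is used with no check of req or req->name. With a
 * NULL, freed or otherwise bogus pointer this faults in kernel context,
 * which on Windows is a bugcheck (BSOD). Only call it with valid input. */
status_t insert_function_vulnerable(const struct request *req)
{
    size_t n = req->len < SLOT_SIZE - 1 ? req->len : SLOT_SIZE - 1;
    memcpy(g_registered, req->name, n);
    g_registered[n] = '\0';
    return STATUS_OK;
}

/* Probe callback: returns nonzero if [p, p+len) is acceptable user memory.
 * Stands in for ProbeForRead in a real driver. */
typedef int (*probe_fn)(const void *p, size_t len);

/* Hardened: validate the pointer and length, probe the range, then copy
 * into kernel-owned memory before use so the caller cannot change the
 * buffer after it was checked (TOCTOU). */
status_t insert_function_hardened(const struct request *req, probe_fn probe)
{
    if (req == NULL || req->name == NULL)
        return STATUS_INVALID_PARAMETER;
    if (req->len == 0 || req->len >= SLOT_SIZE)
        return STATUS_INVALID_PARAMETER;
    if (!probe(req->name, req->len))
        return STATUS_INVALID_ADDRESS;
    char local[SLOT_SIZE];
    memcpy(local, req->name, req->len);
    local[req->len] = '\0';
    memcpy(g_registered, local, req->len + 1);
    return STATUS_OK;
}

/* Accepts only ranges that lie entirely inside the simulated user arena. */
int probe_user_arena(const void *p, size_t len)
{
    uintptr_t lo = (uintptr_t)g_user_arena, hi = lo + sizeof g_user_arena;
    uintptr_t a = (uintptr_t)p;
    return len <= sizeof g_user_arena && a >= lo && a + len <= hi;
}

/* Builds a request whose buffer lives in the simulated user arena. */
struct request make_user_request(const char *s)
{
    struct request r;
    size_t n = strlen(s);
    if (n >= sizeof g_user_arena) n = sizeof g_user_arena - 1;
    memcpy(g_user_arena, s, n);
    g_user_arena[n] = '\0';
    r.name = g_user_arena;
    r.len = n;
    return r;
}

const char *registered_name(void) { return g_registered; }

int main(void)
{
    struct request good = make_user_request("elastic_hook");   /* constructed input */
    struct request null_ptr = { NULL, 5 };
    printf("hardened(good)=%d registered=%s\n",
           insert_function_hardened(&good, probe_user_arena), registered_name());
    printf("hardened(NULL)=%d\n", insert_function_hardened(&null_ptr, probe_user_arena));
    /* insert_function_vulnerable(&null_ptr) would dereference NULL here;
     * in a driver that is the crash the article describes. */
    return 0;
}
```

The hardened routine rejects the NULL case before any dereference and refuses pointers outside the probed range, which is exactly the validation the analysis says the vulnerable call site lacks.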
PoC Shows Real-World Impact
AshES Cybersecurity developed a comprehensive proof-of-concept demonstration using custom executable and driver files to show that the vulnerability is reproducible under realistic conditions.
Their research loader performs the EDR bypass, loads a custom driver, configures persistence across system reboots, and then restarts the target system.
The accompanying custom driver interacts with the vulnerable Elastic component, causing the security software to exhibit malware-like behavior and crash the system on every subsequent boot.
The implications extend far beyond the technical demonstration. Every organization running Elastic's security products effectively harbors a potential weapon within its trusted defenses.
Adversaries could exploit this flaw to remotely disable enterprise endpoints protected by Elastic, causing widespread operational disruption.
The vulnerability undermines fundamental trust in signed kernel drivers and raises serious questions about security vendor accountability.
The disclosure timeline highlights concerning gaps in vulnerability response processes. AshES Cybersecurity discovered the flaw on June 2, 2024, and attempted responsible disclosure through HackerOne on June 11.
After receiving no adequate response, they tried the Zero Day Initiative (ZDI) on July 29. Finally, on August 16, they proceeded with independent public disclosure.
The affected product, elastic-endpoint-driver.sys version 8.17.6, remains vulnerable with no patch available.
The driver bears Microsoft Windows Hardware Compatibility Publisher signatures from Elasticsearch, Inc., emphasizing how trusted, signed components can become security liabilities.
AshES Cybersecurity, ironically a paying Elasticsearch customer that chose the EDR as its trusted security solution, discovered the vulnerability during legitimate user-mode testing in its research environment.
Their findings underscore a harsh reality: when security software can be weaponized against its host system, the line between defender and attacker becomes dangerously blurred.
Indicators of Compromise (IOCs)

| Indicator Type | Value |
|---|---|
| File Name | elastic-endpoint-driver.sys |
| SHA-256 Hash | A6B000E84CB68C5096C0FD73AF9CEF2372ABD591EC973A969F58A81CF1141337 |

Note that this hash identifies the signed Elastic driver build itself, so a match on a host shows that the vulnerable driver version is present, not that an attack has taken place.