
Elastic Refutes Claims of Zero-Day in EDR Product

Elastic has found no evidence of a vulnerability leading to RCE after details and PoC of a Defend EDR bypass were published online. The post Elastic Refutes Claims of Zero-Day in EDR Product appeared first on SecurityWeek.

Elastic on Monday refuted claims that its Defend EDR product is affected by a “zero-day vulnerability”.

The company’s reaction was triggered by an August 16 blog post from Ashes Cybersecurity, which claims that a signed Elastic kernel driver mishandles memory operations under certain conditions, causing a system crash that could be repeatedly triggered.

“The flaw occurs in a code path where a user-mode controllable pointer is passed into a kernel function without proper validation,” Ashes says, explaining that the issue leads to a null pointer dereference.

“This vulnerable code path can be exercised during normal system activity, such as specific compilation or process injection attempts. When the driver mishandles the memory pointer, it can be forced into a kernel-level crash,” Ashes says.

In a technical writeup, Ashes explains that Elastic’s EDR can be bypassed using a custom C-based loader of its own to execute arbitrary code on the system.

This would allow an attacker to plant a custom kernel driver that could interact with Elastic’s kernel driver and trigger the flaw to turn the legitimate driver into a malicious tool.

“For proof-of-concept demonstration, I used a custom driver to reliably trigger the flaw under controlled conditions. This shows that the vulnerability does not rely on traditional malware; the Elastic driver itself exhibits the malicious behavior once the faulty code path is reached,” Ashes notes.

Responding to Ashes’ post, Elastic said its investigation into the claims found no evidence that a vulnerability in Defend EDR could lead to detection bypass and remote code execution (RCE).

“While the researcher claims to be able to trigger a crash/BSOD in the Elastic Endpoint driver from an unprivileged process, the only demonstration they have provided does so from another kernel driver,” Elastic notes.

Elastic said the researcher submitted multiple reports regarding the potential bypass and RCE, but that these reports contained no evidence or reproducible exploits. It added that the researcher refused to provide a proof-of-concept (PoC) exploit that its security team could reproduce.

“By not sharing full details and publicly posting, the conduct of this security researcher is contrary to the principles of coordinated disclosure,” Elastic says.

In response to Elastic’s rejection, Ashes updated its post with alleged evidence of a user-mode crash, which Elastic was quick to refute as well.

“Elastic has reviewed additional evidence shared in a blog post on August 19th. Our prior assessment stands. For users of Elastic Defend, no action is required,” the company said.
