
Elastic has rejected reports of a zero-day vulnerability impacting its Defend endpoint detection and response (EDR) product. The company's statement follows a blog post from a company called AshES Cybersecurity claiming to have discovered a remote code execution (RCE) flaw in Elastic Defend that would allow an attacker to bypass EDR protections. Elastic’s Security Engineering team has reportedly "conducted a thorough investigation" but could not find "evidence supporting the claims of a vulnerability".
“The flaw occurs in a code path where a user-mode controllable pointer is passed into a kernel function without proper validation,” Ashes says, explaining that the issue leads to a null pointer dereference.
“This vulnerable code path can be exercised during normal system activity, such as specific compilation or process injection attempts. When the driver mishandles the memory pointer, it can be forced into a kernel-level crash,” Ashes says.
The company further claims that Elastic’s EDR can be bypassed using Ashes’ own custom C-based loader to execute arbitrary code on the system. According to Ashes, this would allow an attacker to plant a custom kernel driver that interacts with Elastic’s kernel driver and triggers the flaw, turning the legitimate driver into a malicious tool.
However, responding to Ashes’ post, Elastic said its investigation into the claims found no evidence that a vulnerability in Defend EDR could lead to detection bypass and remote code execution (RCE).