Critical Zero-day Vulnerability in Elastic EDR

Nam Anh Mai D.

Recently, AshES Cybersecurity announced a new critical zero-day vulnerability in the Elastic Endpoint Detection and Response (EDR) software. It can turn the security tool itself into a vector for malware attacks and cause a Blue Screen of Death (BSOD) on systems where Elastic EDR is installed.

Vulnerability Information

The zero-day vulnerability was found in elastic-endpoint-driver.sys, an Elastic kernel driver signed by Microsoft. Under certain conditions, this driver can mishandle memory operations within privileged kernel functions, allowing attackers to bypass security measures, execute malicious code, and crash the systems on which it is installed.

Specifically, when the function labelled cs:InsertKernelFunction in elastic-endpoint-driver.sys is called with rcx referencing a user-controlled pointer, a NULL pointer dereference (CWE-476) can occur if that pointer is NULL, freed, or corrupted by a race condition on the system. The input pointer is not properly validated before use, and the result is a BSOD.

The advisory describes four steps that attackers could chain in practice, causing significant damage to any organization running Elastic EDR:

  • Step 1: Bypass EDR - A custom loader written in the C programming language can help attackers easily disable Elastic Agent and Elastic Defend.

  • Step 2: Remote Code Execution - Once the EDR tool is bypassed, attackers can use the low privileges gained on the victim's machine to execute remote code without any hindrance.

  • Step 3: Establish Long-term Control - By installing a custom kernel driver, attackers can gain control and establish long-term presence on the affected system by exploiting the vulnerability in elastic-endpoint-driver.sys.

  • Step 4: Denial-of-Service Attack - Attackers can disable the target system's functionality, repeatedly causing system crashes, leading to BSOD each time the system restarts. This renders the system's security measures ineffective.

Mitigation & Recommendations

The consequences of this vulnerability are extremely serious. For organizations and businesses using Elastic SIEM and Elastic EDR, it represents a threat inside their own internal systems. Attackers who exploit it can cause economic and reputational damage to the business while also disabling the EDR, which increases the risk of dangerous malware and ransomware going undetected.

The FPT Threat Intelligence team recommends users take the following actions to minimize the impact on their systems:

  1. Stay updated on patch information: Currently, there is no official announcement of a patch for this vulnerability. Follow official information from Elastic and Microsoft about the patch and install it as soon as it is released.

  2. Temporarily reduce risk: Limit the use of Elastic EDR on critical systems until a patch is available, or combine it with other security tools to enhance protection.

  3. Enhance monitoring: Closely monitor the activities of elastic-endpoint-driver.sys and processes interacting with it to detect unusual behaviors such as system freezes or automatic reboots, as these could be signs of the vulnerability being exploited.

  4. Prepare a response plan: Have a plan ready to handle system disruptions due to attacks to minimize damage.
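An added defender-side check (not code from this post, from Elastic, or from AshES Cybersecurity) that supports recommendations 1 and 3: it locates the registered elastic-endpoint-driver.sys, compares its SHA-256 and file version against the values in the IOC section, and lists recent bugchecks and unexpected reboots from the System event log so they can be correlated with the driver's activity. It assumes the driver's FileVersion string begins with the affected product version.

```powershell
# Added example, not code from the post or from Elastic; IOC values
# are copied from the article's IOC table.
$IocSha256  = 'A6B000E84CB68C5096C0FD73AF9CEF2372ABD591EC973A969F58A81CF1141337'
$IocVersion = '8.17.6'
function Test-ElasticDriverIoc {
    # Locate the driver via the registered system drivers, not a hard-coded path.
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -like '*elastic-endpoint-driver.sys*' }
    if (-not $drivers) {
        Write-Warning 'elastic-endpoint-driver.sys is not registered on this host.'
        return
    }
    foreach ($drv in $drivers) {
        # PathName may be quoted or carry an NT "\??\" prefix; normalise it.
        $path = $drv.PathName.Trim('"') -replace '^\\\?\?\\', ''
        if (-not (Test-Path -LiteralPath $path)) {
            Write-Warning "Driver $($drv.Name) is registered at $path but the file is missing."
            continue
        }
        $hash    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $version = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
        [pscustomobject]@{
            Service         = $drv.Name
            State           = $drv.State
            Path            = $path
            FileVersion     = $version
            SHA256          = $hash
            MatchesIocHash  = ($hash -ieq $IocSha256)
            # Assumption: FileVersion begins with the product version (e.g. 8.17.6.x).
            AffectedVersion = ($version -like "$IocVersion*")
        }
    }
}
function Get-RecentCrashEvents {
    # Recommendation 3: bugchecks (ID 1001) and unexpected reboots (Kernel-Power ID 41)
    # in the last $Days days, to correlate with the driver's activity.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-WER-SystemErrorReporting', 'Microsoft-Windows-Kernel-Power'
        Id           = 1001, 41
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName, Message
}
Test-ElasticDriverIoc | Format-List
Get-RecentCrashEvents | Format-Table -AutoSize
```

A hash match with the IOC value identifies the affected build; a different hash on a newer version is expected once a fix ships, so re-run the check after updating.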

IOC

File Name: elastic-endpoint-driver.sys
Affected Version: 8.17.6
SHA-256: A6B000E84CB68C5096C0FD73AF9CEF2372ABD591EC973A969F58A81CF1141337

References

  1. 0-Day Research - Ashes Cybersecurity