CylancePROTECT® Vulnerability Disclosures and Policies

Cylance recently addressed two vulnerabilities within the CylancePROTECT® product line. One vulnerability could have resulted in a local privilege escalation, while the other was a basic best-practices fix.

Local Privilege Escalation: The first issue is a local privilege escalation vulnerability that was fixed in version 1470. An attacker would exploit this vulnerability by creating a link in the log directory pointing to a file the attacker would like to overwrite. Next, the attacker would trigger an update event causing the agent to change permissions on the file as SYSTEM to full access for everyone.

Finally, the attacker would overwrite the target file with arbitrary data. One such target would be an executable that is routinely executed with SYSTEM level privileges such as a service. The impact of this vulnerability is that an attacker could escalate privileges to SYSTEM. There have been no known instances of this vulnerability being exploited in the wild. Cylance would like to thank Ryan Hanson from Atredis Partners for participating in coordinated disclosure.
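The root cause described above is a privileged component that follows a link planted in a directory it does not fully control and then loosens permissions on whatever the link resolves to. The defensive pattern is to treat every entry in such a directory as untrusted: inspect the entry itself rather than its target, refuse anything that is not a plain file with a single link, operate on an open descriptor so the object checked is the object modified, and never widen a mode to full access for everyone. The Python below is an added example written for this post, not Cylance's code, and it runs on a POSIX system (on Windows the equivalent is opening with FILE_FLAG_OPEN_REPARSE_POINT and checking the reparse attribute). The directory names, the "service-binary" target and the "planted.log" link are constructed for the demonstration.

```python
import os
import stat
import tempfile

SAFE_LOG_MODE = 0o640  # owner read/write, group read: never "full access for everyone"


def safe_chmod_in_dir(log_dir: str, name: str, mode: int = SAFE_LOG_MODE) -> bool:
    """Apply `mode` to log_dir/name only if the directory entry is a plain file
    with no other links. Returns True when applied, False when refused."""
    # Refuse names that could walk out of the directory.
    if os.path.basename(name) != name or name in ("", ".", ".."):
        return False
    path = os.path.join(log_dir, name)

    # lstat inspects the directory entry, not whatever it points at.
    try:
        entry = os.lstat(path)
    except FileNotFoundError:
        return False
    if stat.S_ISLNK(entry.st_mode) or not stat.S_ISREG(entry.st_mode):
        return False
    if entry.st_nlink != 1:
        # A hard link to a file elsewhere is another way to redirect the chmod.
        return False

    # Open without following links, then act on the descriptor so the object
    # we inspected is the object we modify (closes the check-then-use window).
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    except OSError:  # ELOOP if the entry became a symlink after the lstat
        return False
    try:
        opened = os.fstat(fd)
        if (opened.st_dev, opened.st_ino) != (entry.st_dev, entry.st_ino):
            return False
        os.fchmod(fd, mode)
    finally:
        os.close(fd)
    return True


def demo() -> dict:
    """Constructed scenario: one genuine log file plus a symlink named like a
    log file that points at a binary outside the log directory."""
    log_dir = tempfile.mkdtemp(prefix="logs-")
    elsewhere = tempfile.mkdtemp(prefix="system-")
    target = os.path.join(elsewhere, "service-binary")  # stand-in for a privileged service binary
    with open(target, "w") as f:
        f.write("pretend this is a service executable\n")
    os.chmod(target, 0o700)

    real_log = os.path.join(log_dir, "agent.log")
    open(real_log, "w").close()
    os.chmod(real_log, 0o600)
    os.symlink(target, os.path.join(log_dir, "planted.log"))

    return {
        "real_log_changed": safe_chmod_in_dir(log_dir, "agent.log"),
        "planted_link_refused": not safe_chmod_in_dir(log_dir, "planted.log"),
        "traversal_refused": not safe_chmod_in_dir(log_dir, "../etc/passwd"),
        "target_mode": stat.S_IMODE(os.stat(target).st_mode),   # stays 0o700
        "real_log_mode": stat.S_IMODE(os.stat(real_log).st_mode),  # becomes 0o640
    }


if __name__ == "__main__":
    print(demo())
```

The `lstat` plus `O_NOFOLLOW` plus `fstat` identity comparison is what makes the check hold up under a race: a link swapped in between the inspection and the open is caught by the failed open or by the device/inode mismatch, and the mode is only ever tightened, not widened.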

SSL Validation Issue: The second issue is a best-practices vulnerability fixed in version 1480. An attacker could exploit this vulnerability by first launching a man-in-the-middle attack. Once in that position, the attacker would send data to the endpoint as though it were the Cylance server. Due to an issue with certificate parsing, the Cylance endpoint would accept the data and begin downloading a file.

Once downloaded, the Cylance agent would perform a more robust signature check on the download. This more robust signature checking would then fail, causing CylancePROTECT to delete the downloaded file. There is no known security impact from this vulnerability. There have been no known instances of this vulnerability being exploited in the wild. Cylance would like to thank Tenable for coordinated disclosure of this vulnerability. This issue has been resolved in CylancePROTECT version 1480.
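The post describes two independent layers: transport-level certificate validation, which had the parsing flaw, and a separate signature check on the downloaded artifact, which held and caused the file to be discarded. The Python below is an added example written for this post, not Cylance's code, showing both layers as a defender would configure them: a strict TLS context (chain validation against a CA bundle, hostname matching, TLS 1.2 minimum) and an artifact check that stages the download in a temporary file and deletes it unless it matches a value obtained out of band. A SHA-256 digest stands in here for the signature verification the post mentions; the payload bytes, the `update.bin` name and the `.incoming-` prefix are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import ssl
import tempfile
from typing import Optional


def strict_tls_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Layer one: context for talking to the update server. Chain validation
    against a trusted CA bundle, hostname matching, no legacy protocol versions."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True            # certificate must name the host we dialled
    ctx.verify_mode = ssl.CERT_REQUIRED  # an unverifiable chain aborts the handshake
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def artifact_matches(data: bytes, expected_sha256_hex: str) -> bool:
    """Layer two: the bytes received must match a digest that did not travel
    over the same channel. Stand-in for a signature check; constant-time compare."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_sha256_hex.lower())


def stage_update(data: bytes, expected_sha256_hex: str, install_dir: str) -> Optional[str]:
    """Write the download to a temp file, verify it, and only then move it into
    place. On a failed check the temp file is removed and None is returned."""
    fd, tmp_path = tempfile.mkstemp(dir=install_dir, prefix=".incoming-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        if not artifact_matches(data, expected_sha256_hex):
            return None
        final = os.path.join(install_dir, "update.bin")
        os.replace(tmp_path, final)  # atomic rename; nothing partial is ever "installed"
        return final
    finally:
        if os.path.exists(tmp_path):  # still present only if verification failed or an error occurred
            os.unlink(tmp_path)


def demo() -> dict:
    """Constructed scenario: a genuine payload and a modified copy of it."""
    install_dir = tempfile.mkdtemp(prefix="updates-")
    genuine = b"constructed update payload v1\n"
    expected = hashlib.sha256(genuine).hexdigest()  # obtained from a trusted source, not the download
    modified = genuine.replace(b"v1", b"v2")        # bytes that do not match the expected digest

    ctx = strict_tls_context()
    installed = stage_update(genuine, expected, install_dir)
    rejected = stage_update(modified, expected, install_dir)
    return {
        "hostname_checked": ctx.check_hostname,
        "chain_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "min_tls12": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "installed": installed is not None and os.path.exists(installed),
        "modified_rejected": rejected is None,
        "files_left": sorted(os.listdir(install_dir)),  # only update.bin; the rejected copy is gone
    }


if __name__ == "__main__":
    print(demo())
```

The point of keeping the second layer independent of the first is exactly what the post reports: even when transport validation is weakened, a download that fails the artifact check never leaves the staging area.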


This is a Security Bloggers Network syndicated blog from Cylance Blog authored by The Cylance Team.