Enterprise search and security company Elastic is rejecting reports of a zero-day vulnerability impacting its Defend endpoint detection and response (EDR) product.
The company’s statement follows a blog post from a company called AshES Cybersecurity claiming to have discovered a remote code execution (RCE) flaw in Elastic Defend that would allow an attacker to bypass EDR protections.
Elastic’s Security Engineering team “conducted a thorough investigation” but could not find “evidence supporting the claims of a vulnerability that bypasses EDR monitoring and enables remote code execution.”
Under the article's heading about the zero-day claims, it gets more interesting.
The article says:
According to AshES Cybersecurity’s write-up from August 16, a NULL pointer dereference flaw in Elastic Defender’s kernel driver, ‘elastic-endpoint-driver.sys’, could be weaponized to bypass EDR monitoring, enable remote code execution with reduced visibility, and establish persistence on the system.
“For proof-of-concept demonstration, I used a custom driver to reliably trigger the flaw under controlled conditions,” the AshES Cybersecurity researcher says.
The article continues:
To show the validity of the finding, the company published two videos, one showing Windows crashing because Elastic’s driver failed, and another showing the alleged exploit starting calc.exe without Elastic’s Defend EDR taking action.
“The Elastic driver 0-day is not just a stability bug. It enables a full attack chain that adversaries can exploit inside real environments,” the researcher claims.
Under the heading about the rejection, Elastic claims that the researchers didn’t give them enough information and that the researchers published their findings without proper disclosure.
The article says:
After evaluating AshES Cybersecurity’s claims and reports, Elastic was not able to reproduce the vulnerability and its effects.
Furthermore, Elastic says that the multiple reports it received from AshES Cybersecurity for the alleged zero-day bug “lacked evidence of reproducible exploits.”
AshES disclosed nothing of the PoC to the company or its affiliates.
If there was a proof of concept, the researchers should share that so the company can fix it. The researchers are negligent and should be ashamed of themselves. I guess we’ll never know if there is a zero-day in the software.
The article says:
Elastic says that the researcher did not share the full details for the vulnerability and instead decided to make their claims public instead of following the principles of coordinated disclosure.
Elastic has paid bounties, so this means that they’re serious. The final paragraph says:
Elastic reaffirmed that they take all security reports seriously and, starting 2017, paid more than $600,000 to researchers through the company’s bug bounty program.
If this is the case, I’d say they tried, but without a PoC, it’s hard to verify.
The article is “Elastic rejects claims of a zero-day RCE flaw in Defend EDR.”
The fact that whatever this is could have been an RCE should be disclosed. These researchers should do better.