Elastic EDR 0-Day Flaw Lets Hackers Evade Detection, Run Malware, and Trigger BSOD

AshES Cybersecurity has disclosed what it describes as a severe zero-day vulnerability in Elastic’s Endpoint Detection and Response (EDR) software, one that turns the security tool against the systems it is meant to protect.

The flaw, reported in the Microsoft-signed kernel driver “elastic-endpoint-driver.sys,” is said to let attackers bypass the EDR’s protections, execute code on the host, and crash protected systems repeatedly.

Despite multiple disclosure attempts through official channels since June 2024, the vulnerability remains unpatched, which prompted the firm to publish its findings.

The scenario is an uncomfortable one for enterprise defenders: trusted security software becoming the very tool used to compromise the systems it runs on.

The zero-day is a NULL pointer dereference (CWE-476) in Elastic’s kernel driver: user-controllable pointers are passed into kernel functions without validation, so a pointer that is NULL, freed, or otherwise invalid ends up dereferenced in kernel mode.

According to AshES Cybersecurity’s technical analysis, the vulnerability enables a four-step attack chain:

  • EDR Bypass: Attackers circumvent Elastic’s protections using a custom C-based loader.
  • Remote Code Execution: They gain code execution with minimal detection risk.
  • Persistence: They establish long-term access by planting a custom kernel driver that interacts with the vulnerable Elastic component.
  • Privileged Denial-of-Service: They trigger repeated system crashes, rendering protected systems unusable.

Note that every step in this chain, as described, starts from code already running on the host with the privileges needed to load a kernel driver; what the chain escalates is impact (blinding the EDR, surviving reboots, crashing the machine on demand), not privilege.

The flaw sits at a specific offset within the driver where the instruction “call cs:InsertKernelFunction” is reached with a register holding a user-controlled pointer that the callee then dereferences. When that pointer is NULL, freed, or corrupted, the kernel routine faults without any prior validation, and a fault in kernel mode is not a catchable exception but a bug check, the Blue Screen of Death (BSOD).

Most concerning, the vulnerable code path can be reached during normal system activity, including compilation tasks or process injection attempts, and not only by a purpose-built trigger.
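To make the CWE-476 pattern from the two paragraphs above concrete, here is an added illustration written for this page, not Elastic’s driver code and not AshES’s proof of concept. It models an IOCTL-style kernel entry point in plain user-mode C (assumes a 64-bit build): the vulnerable handler hands a caller-supplied pointer straight to a kernel routine, while the hardened handler validates the pointer, simulates a ProbeForRead-style range and alignment check, and captures the data before use. The request layout, the status values, the user-address limit, and the routine named in place of InsertKernelFunction are all assumptions.

```c
/*
 * CWE-476 in an IOCTL-style kernel entry point: the vulnerable pattern the
 * article describes beside a hardened version. Added illustration written
 * for this page; NOT Elastic's driver code. The request layout, status
 * values and address limit are assumptions. Plain user-mode C, assumes a
 * 64-bit build, so it compiles and runs anywhere.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Assumed request layout handed to the driver by a user-mode caller. */
typedef struct {
    uint32_t pid;
    uint32_t flags;
} EndpointRequest;

/* Status codes following NTSTATUS conventions (values illustrative only). */
#define STATUS_SUCCESS            0x00000000U
#define STATUS_INVALID_PARAMETER  0xC000000DU
#define STATUS_ACCESS_VIOLATION   0xC0000005U

/* Assumed user-mode ceiling for the simulated probe. A real driver calls
 * ProbeForRead()/ProbeForWrite() inside __try/__except instead. */
#define USER_ADDRESS_LIMIT ((uintptr_t)0x00007FFFFFFFFFFFULL)

/* Sample data for a stand-alone run (constructed, not captured anywhere). */
EndpointRequest sample_request = { 0x1234, 0x0010 };
uint32_t        sample_out;
/* An address above USER_ADDRESS_LIMIT, i.e. kernel space on x64 Windows. */
#define SAMPLE_KERNEL_ADDRESS ((uintptr_t)0xFFFF800000001000ULL)

/* Stands in for the routine the article names as InsertKernelFunction:
 * it assumes its argument is valid and simply reads through it. */
static uint32_t kernel_routine(const EndpointRequest *req) {
    return req->pid ^ req->flags;        /* placeholder work on the request */
}

/* VULNERABLE: the user pointer goes straight into the kernel routine.
 * In a real driver a NULL, freed or corrupted pointer faults in kernel
 * mode, which Windows turns into a bug check (BSOD), not an exception
 * the caller can catch. */
uint32_t handle_request_vulnerable(const EndpointRequest *user_req,
                                   uint32_t *out) {
    *out = kernel_routine(user_req);     /* no NULL, range or size check */
    return STATUS_SUCCESS;
}

/* HARDENED: validate the pointer, then capture the data into kernel-owned
 * storage before use. The copy also closes the double-fetch window in which
 * user mode could rewrite the buffer between the check and the use. */
uint32_t handle_request_hardened(const EndpointRequest *user_req, size_t len,
                                 uint32_t *out) {
    EndpointRequest captured;
    uintptr_t start = (uintptr_t)user_req;

    if (out == NULL || user_req == NULL)             /* CWE-476 guard */
        return STATUS_INVALID_PARAMETER;
    if (len != sizeof captured)                      /* exact-size contract */
        return STATUS_INVALID_PARAMETER;
    /* Simulated ProbeForRead: buffer must be 4-byte aligned and lie entirely
     * below the user limit; the subtraction cannot wrap because start <= limit. */
    if (start % 4 != 0 || start > USER_ADDRESS_LIMIT ||
        (USER_ADDRESS_LIMIT - start) + 1 < len)
        return STATUS_ACCESS_VIOLATION;

    memcpy(&captured, user_req, sizeof captured);    /* capture once */
    *out = kernel_routine(&captured);                /* use only the copy */
    return STATUS_SUCCESS;
}

int main(void) {
    uint32_t st;

    st = handle_request_hardened(&sample_request, sizeof sample_request, &sample_out);
    printf("valid request  : status 0x%08X, result 0x%X\n", st, sample_out);
    st = handle_request_hardened(NULL, sizeof sample_request, &sample_out);
    printf("NULL pointer   : status 0x%08X\n", st);
    st = handle_request_hardened((const EndpointRequest *)SAMPLE_KERNEL_ADDRESS,
                                 sizeof sample_request, &sample_out);
    printf("kernel address : status 0x%08X\n", st);
    /* handle_request_vulnerable(NULL, &sample_out) would dereference NULL and
     * crash this process; in a driver that is the BSOD the article describes. */
    return 0;
}
```

The point of the hardened version is the order of operations: reject NULL, check the size contract, probe the range, and only then copy and use. Checking the pointer but still reading through the original user buffer afterwards would leave a double-fetch race even with the NULL dereference closed.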

PoC Shows Real-World Impact

AshES Cybersecurity built a proof-of-concept demonstration from a custom executable and a custom driver to show that the vulnerability is reproducible under realistic conditions.

Their research loader performs the EDR bypass, loads the custom driver, configures persistence across reboots, and then restarts the target system.

The accompanying custom driver interacts with the vulnerable Elastic component, causing the security software to behave like malware and crash the system on every subsequent boot.

The implications extend beyond the demonstration itself. If the finding holds, every organization running Elastic’s EDR has a potential denial-of-service primitive sitting inside its trusted defenses.

Adversaries able to run the loader on a host could use the flaw to take Elastic-protected endpoints down repeatedly, creating widespread operational disruption.

The vulnerability undermines fundamental trust in signed kernel drivers and raises serious questions about security vendor accountability.

The disclosure timeline highlights gaps in vulnerability response processes. AshES Cybersecurity discovered the flaw on June 2nd, 2024, and attempted responsible disclosure through HackerOne on June 11th.

After receiving no adequate response, the firm tried the Zero Day Initiative (ZDI) on July 29th. On August 16th, it proceeded with independent public disclosure.

The affected build, elastic-endpoint-driver.sys from version 8.17.6, remains vulnerable with no patch available.

The driver carries a Microsoft Windows Hardware Compatibility Publisher signature issued for Elasticsearch, Inc., a reminder that a trusted signature attests to the publisher’s identity and the file’s integrity, not to the absence of bugs in it.

AshES Cybersecurity, ironically a paying Elasticsearch customer that had chosen the EDR as its own protection, discovered the vulnerability during legitimate user-mode testing in its research environment.

Their findings underscore a harsh reality: when security software can be weaponized against its host system, the line between defender and attacker becomes dangerously blurred.

Indicators of Compromise (IOCs)

Indicator Type | Value
File Name      | elastic-endpoint-driver.sys
SHA-256 Hash   | A6B000E84CB68C5096C0FD73AF9CEF2372ABD591EC973A969F58A81CF1141337

Note that these indicators identify the affected, legitimately signed driver build itself, not attacker tooling: a hash match confirms that a host runs the vulnerable version, not that it has been compromised. Evidence of the chain the PoC describes would instead be an unexpected third-party driver load followed by repeated bug checks on every boot.




About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.