Enterprise search and security firm Elastic is rejecting reports of a zero-day vulnerability impacting its Defend endpoint detection and response (EDR) product.
The company's statement follows a blog post from an organization called AshES Cybersecurity claiming to have found a remote code execution (RCE) flaw in Elastic Defend that would allow an attacker to bypass EDR protections.
Elastic's Security Engineering team "conducted a thorough investigation" but could not find "evidence supporting the claims of a vulnerability that bypasses EDR monitoring and allows remote code execution."
Zero-day claims
According to AshES Cybersecurity's write-up from August 16, a NULL pointer dereference flaw in Elastic Defend's kernel driver, 'elastic-endpoint-driver.sys', could be weaponized to bypass EDR monitoring, enable remote code execution with reduced visibility, and establish persistence on the system.
"For proof-of-concept demonstration, I used a custom driver to reliably trigger the flaw under controlled conditions," the AshES Cybersecurity researcher says.
To show the validity of the finding, the company published two videos, one showing Windows crashing because Elastic's driver failed, and another showing the alleged exploit launching calc.exe without Elastic's Defend EDR taking action.
"The Elastic driver 0-day is not just a stability bug. It enables a full attack chain that adversaries can exploit inside real environments," the researcher claims.
Elastic’s rejection
After evaluating AshES Cybersecurity's claims and reports, Elastic was not able to reproduce the vulnerability or its effects.
Moreover, Elastic says that the multiple reports it received from AshES Cybersecurity for the alleged zero-day bug "lacked evidence of reproducible exploits."
"Elastic Security Engineering and our bug bounty triage team completed a thorough analysis attempting to reproduce these reports and were unable to do so. Researchers are required to share reproducible proof-of-concepts; however, they declined" – Elastic
AshES Cybersecurity confirmed that they chose not to send the PoC to Elastic or the company's affiliates.
Elastic says that the researcher did not share the full details of the vulnerability and instead decided to make their claims public rather than following the guidelines of coordinated disclosure.
Elastic reaffirmed that they take all security reports seriously and, since 2017, have paid more than $600,000 to researchers through the company's bug bounty program.
