Cylance recently addressed two vulnerabilities within the CylancePROTECT® product line. One vulnerability could have resulted in a local privilege escalation, while the other was a basic best-practices fix.
Details
Local Privilege Escalation: The first issue is a local privilege escalation vulnerability that was fixed in version 1470. An attacker would exploit this vulnerability by creating a link in the log directory pointing to a file the attacker would like to overwrite. Next, the attacker would trigger an update event, causing the agent, which runs as SYSTEM, to change the permissions on the linked file to full access for everyone.
Finally, the attacker would overwrite the target file with arbitrary data. One such target would be an executable that is routinely run with SYSTEM-level privileges, such as a service binary. The impact of this vulnerability is that an attacker could escalate privileges to SYSTEM. There have been no known instances of this vulnerability being exploited in the wild. Cylance would like to thank Ryan Hanson from Atredis Partners for participating in coordinated disclosure.
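One mitigation for the link-following defect described above, shown as an added illustrative example (this is not Cylance's code; the function names and fixtures are assumed): a privileged maintenance task that refuses to change permissions through any symlink or reparse point in its log directory and acts on the opened handle rather than the path.

```python
import os
import stat
import tempfile
from pathlib import Path

def safe_chmod_in_dir(log_dir, name, mode):
    """Apply `mode` only to a regular file that truly lives in log_dir; return False if refused."""
    log_dir = Path(log_dir).resolve()
    path = log_dir / name
    if path.parent != log_dir:      # name escapes the directory ("..\\target.exe")
        return False
    try:
        st = os.lstat(path)         # never follows a link
    except OSError:
        return False
    # Refuse a symlink (any OS), a junction/other reparse point (Windows), or a non-file.
    reparse = getattr(st, "st_file_attributes", 0) & getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0)
    if stat.S_ISLNK(st.st_mode) or reparse or not stat.S_ISREG(st.st_mode):
        return False
    # Open without following links and act on the handle, so the object that was
    # checked is the object that is changed (closes the check/use race).
    try:
        fd = os.open(path, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))
    except OSError:
        return False
    try:
        fst = os.fstat(fd)
        if (fst.st_dev, fst.st_ino) != (st.st_dev, st.st_ino):
            return False
        if hasattr(os, "fchmod"):
            os.fchmod(fd, mode)
        else:
            os.chmod(path, mode)    # Windows has no fchmod
    finally:
        os.close(fd)
    return True

def demo():
    """Constructed fixtures: a real log and a link planted in the log directory (needs symlink rights)."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "agent.log").write_text("log line\n")
        target = Path(d) / "outside.bin"     # stands in for a file that must keep its permissions
        target.write_text("protected")
        target.chmod(0o600)
        os.symlink(target, Path(d) / "planted.log")
        return {
            "regular": safe_chmod_in_dir(d, "agent.log", 0o644),
            "symlink": safe_chmod_in_dir(d, "planted.log", 0o666),
            "traversal": safe_chmod_in_dir(d, "../outside.bin", 0o666),
            "target_mode": stat.S_IMODE(target.stat().st_mode),
        }
```

Running `demo()` shows the real log file accepted while the planted link and the traversal name are refused, leaving the target's mode untouched.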
SSL Validation Issue: The second issue is a best-practices vulnerability fixed in version 1480. An attacker could exploit this vulnerability by first launching a man-in-the-middle attack. From that position, the attacker would send data to the endpoint while posing as the Cylance server. Due to an issue with certificate parsing, the Cylance endpoint would accept the data and begin downloading a file.
Once downloaded, the Cylance agent would perform a more robust signature check on the download. This more robust signature checking would then fail, causing CylancePROTECT to delete the downloaded file. There is no known security impact from this vulnerability. There have been no known instances of this vulnerability being exploited in the wild. Cylance would like to thank Tenable for coordinated disclosure of this vulnerability. This issue has been resolved in CylancePROTECT version 1480.
Committed to Responsible Disclosure
Cylance is fully committed to coordinated responsible disclosure. We are not aware of anyone attempting to exploit these bugs in the wild and have worked with two separate researchers to coordinate responsible disclosure in a manner that has the least possible impact to our customers. If you are a Cylance customer, you can get more information here.
We treat the security of our products with the utmost seriousness. We understand the risks of adding any new software to your environment, and as such strive to offer the highest integrity products possible. To address security here at Cylance, we focus on a fully developed SDLC run by professionals who have built similar programs at some of the most advanced companies in the world.
Quality Assurance
To proactively mitigate vulnerabilities before they occur, Cylance incorporates the following measures:
- Proper design for security
- Threat modelling exercises
- Internal code audits performed by our Product Security Team
- External code audits performed by a variety of world class security partners
- Developer training
- Automated security testing in QA
- Peer code review
We understand that even with the best intentions and execution, vulnerabilities can manifest. In every complex code base there will be issues that the quality assurance process might miss, and some of these issues may have an impact on security. Even with exhaustive, state-of-the-art, proactive measures, some vulnerabilities may make it into production code on occasion.
Because of this risk, we have a dedicated team to respond to any issues that arise in the field. We constantly monitor for any public or private disclosures and proactively work with researchers to immediately remediate issues, and we also amend our processes in order to identify and prevent any similar types of bugs across our entire product line.
Cylance Bug Bounty Program
We are huge supporters of the work that security researchers do in finding and closing security issues in products (many of us started our careers as security researchers), and try to make this process as easy as possible for a researcher to work with us to protect our customers.
To facilitate this, we have a bug bounty program in conjunction with BugCrowd and actively work with external researchers to find, fix, and address vulnerabilities while rewarding the researchers for their time.
Please feel free to reach out to us with any questions or concerns, and we look forward to continuing to work to protect your organization.