Elastic Denies Zero-Day RCE Flaw in Defend EDR

Summary
– Elastic denies a reported zero-day vulnerability in its Defend EDR product, refuting claims from AshES Cybersecurity.
– AshES Cybersecurity claimed to have found a remote code execution flaw that could bypass EDR monitoring and enable persistence.
– Elastic stated it could not reproduce the vulnerability and noted the reports lacked evidence of reproducible exploits.
– AshES Cybersecurity declined to share a proof-of-concept with Elastic, opting for public disclosure instead of coordinated channels.
– Elastic emphasized its commitment to security, citing over $600,000 paid to researchers through its bug bounty program since 2017.

Enterprise search and security firm Elastic has officially refuted claims of a zero-day remote code execution vulnerability affecting its Defend endpoint detection and response platform. The denial comes in response to a public disclosure by AshES Cybersecurity, which asserted it had identified a critical flaw enabling attackers to bypass EDR monitoring and execute code remotely.
AshES Cybersecurity published a detailed blog post on August 16 describing what it characterized as a NULL pointer dereference issue within Elastic Defender’s kernel driver, ‘elastic-endpoint-driver.sys’. According to the report, this weakness could be exploited to evade security monitoring, run malicious code with limited visibility, and maintain persistent access to compromised systems. The researcher involved stated that a custom driver was developed to reliably trigger the flaw under controlled conditions, and two demonstration videos were released: one depicting a Windows system crash caused by the driver failure, and another showing the calculator application being launched without triggering any defensive response from Elastic Defend.
Despite these public assertions, Elastic’s Security Engineering team conducted what it describes as a comprehensive investigation and found no evidence to support the existence of such a vulnerability. The company emphasized that it could not reproduce the reported behavior and noted that the submissions from AshES Cybersecurity did not include sufficient evidence or a reproducible proof-of-concept. Elastic also pointed out that the researchers declined to share their exploit code, deviating from standard coordinated disclosure practices typically expected in responsible vulnerability reporting.
In its response, Elastic reaffirmed its commitment to addressing legitimate security concerns, highlighting that it has operated a bug bounty program since 2017 through which it has disbursed over $600,000 to security researchers. The company maintains that it takes all potential threats seriously but could not validate the claims made by AshES Cybersecurity because the report lacked sufficient technical detail and reproducible data.
(Source: Bleeping Computer)