Attacker Value: High (1 user assessed)
Exploitability: Low (1 user assessed)
User Interaction: None
Privileges Required: Low
Attack Vector: Local

CVE-2019-9627

Disclosure Date: March 08, 2019

Description

A buffer overflow in the kernel driver CybKernelTracker.sys in CyberArk Endpoint Privilege Manager versions prior to 10.7 allows an attacker (without Administrator privileges) to escalate privileges or crash the machine by loading an image, such as a DLL, with a long path.

Technical Analysis

Overview

A vulnerability was discovered within CyberArk Endpoint Privilege Manager's driver (CybKernelTracker.sys). The driver registers a callback that is invoked every time an image, such as a DLL, is loaded on the system. This callback allocates non-paged pool memory (memory from the kernel pool) to hold a copy of the image path of the object being loaded, but the copy does not take the length of that path into account relative to the size of the allocated buffer. By loading an image whose path is longer than the buffer, an attacker can overwrite adjacent kernel non-paged pool memory, producing a kernel pool overflow.

This callback routine is not present on the system by default, but once the driver is installed, successful exploitation of this vulnerability can allow an unprivileged, non-authenticated user to obtain system-level access.
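As an added example (not the driver's code, nor anything CyberArk published), a user-mode C model of the path copy the callback performs. The UNICODE_STRING shape mirrors the NT definition and the 260-character pool allocation is an assumption; the point is the bound check whose absence the overview describes, so that an over-long image path is refused instead of overflowing the allocation.

```c
/* Added user-mode model of the callback's path copy; not the driver's code. NT-like types and the 260-char buffer are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
typedef uint16_t WCHAR;               /* a Windows wide character is 16 bits */
typedef struct {                      /* minimal stand-in for the NT UNICODE_STRING */
    uint16_t Length;                  /* bytes in use; no terminator is counted */
    uint16_t MaximumLength;           /* bytes available in Buffer */
    WCHAR   *Buffer;
} UNICODE_STRING;
#define PATH_BUF_CHARS 260            /* assumed size of the fixed pool allocation */

/* Shape of the defect described above (illustration only): a fixed-size allocation,
 * then a copy driven solely by the caller-influenced source length:
 *   buf = ExAllocatePool(NonPagedPool, PATH_BUF_CHARS * sizeof(WCHAR));
 *   memcpy(buf, FullImageName->Buffer, FullImageName->Length);   // no bound check */

/* Hardened copy: validate the descriptor, refuse paths longer than the buffer, size the
 * allocation from Length and terminate it. NULL tells the callback to skip the event. */
WCHAR *copy_image_path(const UNICODE_STRING *name, size_t max_chars)
{
    if (name == NULL || name->Buffer == NULL) return NULL;
    if (name->Length % sizeof(WCHAR) != 0) return NULL;      /* malformed byte count */
    size_t chars = name->Length / sizeof(WCHAR);
    if (chars > max_chars) return NULL;                      /* the check the driver lacked */
    WCHAR *out = calloc(chars + 1, sizeof(WCHAR));           /* stands in for the pool alloc */
    if (out == NULL) return NULL;
    memcpy(out, name->Buffer, name->Length);
    out[chars] = 0;
    return out;
}

/* Builds a constructed path of `chars` 'A's; 1 if the hardened copy accepts it, 0 if it refuses. */
int path_of_length_accepted(size_t chars)
{
    WCHAR *src = calloc(chars + 1, sizeof(WCHAR));
    if (src == NULL) return -1;
    for (size_t i = 0; i < chars; i++) src[i] = (WCHAR)'A';
    UNICODE_STRING name = { (uint16_t)(chars * sizeof(WCHAR)),
                            (uint16_t)((chars + 1) * sizeof(WCHAR)), src };
    WCHAR *copy = copy_image_path(&name, PATH_BUF_CHARS);
    int accepted = copy != NULL;
    free(copy);
    free(src);
    return accepted;
}

int main(void)
{
    printf("260 chars accepted: %d\n", path_of_length_accepted(260));   /* 1 */
    printf("4000 chars accepted: %d\n", path_of_length_accepted(4000)); /* 0 */
    return 0;
}
```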

Impact

Including this vulnerable driver on a system degrades that system's security and integrity. The risk is very high because a non-privileged user is able to communicate with the driver. Successful exploitation of this vulnerability allows a user either to escalate their privileges by weaponizing a proof-of-concept, or simply to crash the system and deny service.

Recommended remediation

The recommended remediation for this vulnerability is to update the CyberArk software to the latest version; CyberArk has responded to this vulnerability and patched it in a newly released version of the driver.

CVSS V3 Severity and Metrics

Base Score: 7.0 High
Impact Score: 5.9
Exploitability Score: 1
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV): Local
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

General Information

Vendors

  • cyberark

Products

  • endpoint privilege manager
