AttackerKB AKB:E6BF01A5-8A56-4C6B-A2A3-3C7AABB61A02
Mar 08, 2019 - 12:00 a.m.

CVE-2019-9627


EPSS: 0.0004 (Low), percentile 12.7%

A buffer overflow in the kernel driver CybKernelTracker.sys in CyberArk Endpoint Privilege Manager versions prior to 10.7 allows an attacker (without Administrator privileges) to escalate privileges or crash the machine by loading an image, such as a DLL, with a long path.

Recent assessments:

FULLSHADE at April 22, 2020 2:37pm UTC reported:

Overview

A vulnerability was discovered within CyberArk Endpoint Privilege Manager's driver (CybKernelTracker.sys). This driver contains a callback functionality that is called every time an image or a DLL is loaded on the system. This callback allocates non-paged pool memory (allocates memory from the kernel pool), and the allocation occurs to copy the image path of the object being loaded, but it does not take into account the buffer size of the path size. By loading an object (image) that is longer than the buffer size, an attacker is able to overwrite part of the kernel non-paged pool memory, invoking a kernel pool overflow.

This callback routine is not loaded into the system by default, but once installed, successful exploitation of this vulnerability can allow an unprivileged and non-authenticated user to obtain system-level access on the system.

Impact

Including this vulnerable driver on your system can lead to the degradation of your system's security and integrity. The impact risk is very high due to a non-privileged user being able to communicate with this driver. Successful exploitation of this vulnerability can allow a user to either escalate their privileges by weaponizing a proof-of-concept, or simply crash and DoS the system.

Recommended remediation

The recommended remediation and fix for this vulnerability is to update your CyberArk software to the latest version. CyberArk has responded to this vulnerability and patched it with a newly released version of the updated driver.

Assessed Attacker Value: 4
Assessed Attacker Value: 2
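
The length handling that the assessment above says the image-load callback lacked, as an added user-mode C example; it is not CyberArk's driver code and not part of the original assessment. The `counted_path` struct, the function names and the 260-character capacity are assumptions, and `malloc` stands in for a non-paged pool allocation.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Counted UTF-16 string modelled on UNICODE_STRING: length is in bytes and
   the buffer is not guaranteed to be NUL-terminated. */
typedef struct { uint16_t length; const uint16_t *buffer; } counted_path;

#define FIXED_CAP_CHARS 260   /* assumed fixed capacity, not from the advisory */

/* Variant 1: size the allocation from the source length. malloc stands in
   for a non-paged pool allocation. Returns NULL on malformed input. */
uint16_t *copy_path_sized(const counted_path *src, size_t *out_bytes)
{
    if (!src || !src->buffer || !out_bytes || src->length % 2 != 0) return NULL;
    size_t need = (size_t)src->length + sizeof(uint16_t); /* room for NUL */
    uint16_t *dst = malloc(need);
    if (!dst) return NULL;
    memcpy(dst, src->buffer, src->length);
    dst[src->length / 2] = 0;
    *out_bytes = need;
    return dst;
}

/* Variant 2: destination is fixed-size, so a too-long path is rejected
   before any byte is written. Returns 0 on success, -1 on rejection. */
int copy_path_fixed(uint16_t dst[FIXED_CAP_CHARS], const counted_path *src)
{
    if (!dst || !src || !src->buffer || src->length % 2 != 0) return -1;
    size_t chars = src->length / 2;
    if (chars >= FIXED_CAP_CHARS) return -1;   /* the length check */
    memcpy(dst, src->buffer, src->length);
    dst[chars] = 0;
    return 0;
}

int main(void)
{
    static uint16_t long_path[400];            /* constructed sample input */
    for (size_t i = 0; i < 400; i++) long_path[i] = 'A';
    counted_path p = { (uint16_t)sizeof long_path, long_path };
    uint16_t fixed[FIXED_CAP_CHARS];
    size_t n = 0;
    uint16_t *copy = copy_path_sized(&p, &n);
    printf("sized copy: %zu bytes, fixed copy: %d\n", n, copy_path_fixed(fixed, &p));
    free(copy);
    return 0;
}
```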
