Elastic Denies Allegations of a Zero-Day Remote Code Execution Vulnerability in Defend EDR
Elastic, the enterprise search and security company, has rejected claims of a zero-day vulnerability affecting its Defend endpoint detection and response (EDR) product. This response follows a blog post by AshES Cybersecurity, which alleged the discovery of a remote code execution (RCE) flaw in Elastic Defend that could allow attackers to bypass EDR protections. Elastic’s Security Engineering team conducted a thorough investigation but found no evidence supporting the claims of a vulnerability that could bypass EDR monitoring and enable remote code execution.

According to AshES Cybersecurity’s write-up, a NULL pointer dereference flaw in Elastic Defender’s kernel driver, ‘elastic-endpoint-driver.sys’, could be exploited to compromise system security. The researcher from AshES Cybersecurity claimed to have demonstrated the flaw under controlled conditions, publishing videos to support their findings.
In response, Elastic stated that it was unable to reproduce the alleged vulnerability and its effects. The company noted that the multiple reports received from AshES Cybersecurity lacked evidence of reproducible exploits. Elastic emphasised that its Security Engineering and bug bounty triage teams thoroughly analysed the claims but could not replicate the reported issues. Furthermore, AshES Cybersecurity chose not to share the proof-of-concept with Elastic, opting instead to make their claims public without adhering to the principles of coordinated disclosure. Elastic reaffirmed its commitment to security, highlighting that it has paid over $600,000 to researchers through its bug bounty program since 2017.