=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN524
_____________________________________________________________________

DATE                : 18/08/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Elastic Defend.

=====================================================================
https://discuss.elastic.co/t/elastic-response-to-blog-edr-0-day-vulnerability/381093
_____________________________________________________________________


Elastic Response to Blog ‘EDR 0-Day Vulnerability’
Levine (Brian Levine), August 18, 2025, 2:09am

On August 16, 2025, Elastic’s Information Security team became aware
of a blog and social media posts suggesting an alleged vulnerability
in Elastic Defend.

Having conducted a thorough investigation, Elastic’s Security
Engineering team has found no evidence supporting the claims of a
vulnerability that bypasses EDR monitoring and enables remote code
execution. While the researcher claims to be able to trigger a
crash/BSOD in the Elastic Endpoint driver from an unprivileged
process, the only demonstration they have provided does so from
another kernel driver.

Elastic will continue to investigate and will provide updates for
our customers and community, should we discover any valid security
issues. We request that any detailed information that demonstrates
the ability to crash the driver from an unprivileged process be
shared with us at security@elastic.co.


Background

Elastic values its partnership with the security community. We
lead a mature and proactive bug bounty program, launched in 2017,
which has awarded over $600,000 in bounty payments.

The security researcher making the claim submitted multiple reports
to Elastic claiming Remote Code Execution (RCE) and behavior rules
bypass for Elastic EDR. The reports lacked evidence of reproducible
exploits. Elastic Security Engineering and our bug bounty triage
team completed a thorough analysis trying to reproduce these reports
and were unable to do so. Researchers are required to share
reproducible proof-of-concepts; however, they declined.

By not sharing full details and publicly posting, the conduct of
this security researcher is contrary to the principles of
coordinated disclosure.

The Elastic Secure Software Development Framework (SSDF) ensures
Elastic software is developed securely to minimize the security
risks to our customers, Elastic Products, and our software supply
chain. The framework is aligned with best practices for secure
software development, including NIST SSDF, OWASP SAMM, and BSIMM.
Our product security testing program requirements include in-house
and third-party testing for Software Composition Analysis (SCA),
Static Secure Code Analysis (SAST), Dynamic Application Security
Testing (DAST), Third-party Pentesting, Red Team Adversarial
Attack Simulation, and other tests.

Elastic implements procedures to receive, analyze, respond to,
and remediate vulnerabilities disclosed to us from all sources.
Vulnerability impact assessments are performed to review and
validate security findings, determine if Elastic products are
affected, rate the severity, and perform remediation in
accordance with the impact.

For issues that have a significant security impact on Elastic
products, an Elastic Security Advisory (ESA) is published to
notify our users of the issue and remediations. As a CNA,
Elastic assigns both a CVE and an ESA identifier to each
advisory. Advisories are announced in the Security
Announcements forum and published to Mitre/NVD.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
