VU#818729: Safetica contains a kernel driver vulnerability

Overview

Kernel driver ProcessMonitorDriver.sys in Safetica’s endpoint client x64, versions 10.5.75.0 and 11.11.4.0, allows for an unprivileged user to abuse an IOCTL path and terminate protected system processes.

Description

Safetica is a Data Loss Prevention (DLP) and Insider Risk Management (IRM) software solution that helps organizations protect their data via detecting, analyzing, and mitigating threats. Safetica’s platform is AI-powered and is used by public and private organizations, globally.

A vulnerabilty has been discovered in Safetica’s ProcessMonitorDriver.sys kernel driver. A local, unprivileged user can abuse a vulnerable IOCTL (Input/Output Control) path in the kernel driver to cause privileged termination of arbitrary system processes. IOCTL interfaces allow user-mode software to send commands into the kernel space so that the driver can perform specific privileged actions such as terminating processes. Terminating Safetica’s processes in endpoint detection and response and antivirus software can blind their clients’ security monitoring on their machines. Improper input sanitization and user validation mechanisms can manipulate the kernel driver into privilege escalation and DOS (denial of service).

Impact

A threat actor can leverage this vulnerability and could use the IOCTL path to terminate processes repeatedly. This could lead to a DOS attack and render Safetica’s systems unavailable.

Solution

At the time of publication, no vendor-supported fix is available for the vulnerability affecting Safetica DLP kernel driver ProcessMonitorDriver.sys, which allows unprivileged users to abuse exposed IOCTL handlers to terminate arbitrary processes. Until an official patch or guidance is provided by the vendor, the following mitigations are recommended:

1. Monitor and Detect Abuse of IOCTL Calls Targeting the Driver: Safetica’s client organizations should actively monitor for suspicious or abnormal IOCTL handler requests. To detect this activity, clients should deploy kernel driver monitoring solutions like Endpoint Detection and Response or System Monitor-like telemetry (where supported). This will 1) identify unprivileged processes, 2) detect unusual IOCTL patterns, and 3) alert security teams when user-mode processes interact with the kernel driver.

2. Restrict or Block Access to the Vulnerable Driver via Policy Controls: To restrict access to ProcessMonitorDriver.sys, Safetica’s client organizations should use Windows Group Policy or Application Control policies (WDAC [https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/group-policy/group-policy-overview] /AppLocker [https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/applocker/what-is-applocker]). This will prevent untrusted or non-administrative processes from loading or interacting with the driver, through policy-based enforcement mechanisms. These enforcement mechanisms can block untrusted or unsigned binaries from communicating with the kernel driver.

Acknowledgements

Thanks to the reporter, KOSEC LLC. This document was written by Ayushi Kriplani.