CVE-2018-10722
Description
In Cylance CylancePROTECT before 1470, an unprivileged local user can obtain SYSTEM privileges because users have Modify access to the %PROGRAMFILES%\Cylance\Desktop\log folder, the CyUpdate process grants users Modify access to new files created in this folder, and a new file can be a symlink chain to a pathname of an arbitrary DLL that CyUpdate uses.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unprivileged local users can gain SYSTEM privileges in CylancePROTECT before 1470 through a symlink chain in the log folder that the CyUpdate process follows.
Vulnerability
CylancePROTECT versions before 1470 contain a privilege escalation vulnerability. Unprivileged local users have Modify access to the %PROGRAMFILES%\Cylance\Desktop\log folder. The CyUpdate process, which runs with SYSTEM privileges, creates new files in this folder and grants Modify access to users. An attacker can create a symlink chain pointing to an arbitrary DLL that CyUpdate will load, leading to code execution in the SYSTEM context [1].
Exploitation
An attacker with local unprivileged access can exploit this by first creating a symlink in the log folder that points to a target DLL path. When CyUpdate creates a new file in that folder, it follows the symlink chain and writes to the attacker-controlled location. The attacker can then place a malicious DLL at that path, which CyUpdate will load, executing arbitrary code with SYSTEM privileges. No authentication beyond local user access is required [1].
Impact
Successful exploitation allows an unprivileged local user to execute arbitrary code with SYSTEM privileges, resulting in full compromise of the affected system. The attacker gains complete control over the endpoint, including the ability to disable security software, install persistent malware, and access sensitive data [1].
Mitigation
The vulnerability is fixed in CylancePROTECT version 1470 and later. Users should update to the latest version. No workaround is available for earlier versions. The vendor has released a patch; no known exploitation in the wild has been reported at the time of disclosure [1].
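The folder permission described above can be checked on an endpoint with a short audit script. This is an added example, not code from the vendor or from the referenced write-up; the function name Get-WeakAce and the list of low-privileged SIDs are assumptions, and the default path is the one given in the CVE description.

```powershell
# Added example (not vendor code): audit the folder named in the CVE description.
param([string]$Path = (Join-Path $env:ProgramFiles 'Cylance\Desktop\log'))

# Well-known SIDs of broad, low-privileged principals (assumed list).
$lowPriv = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Rights that let a principal create, replace or re-permission files.
# Modify includes WriteData, AppendData and Delete; the two hex values are
# GENERIC_ALL and GENERIC_WRITE, which can appear in inherit-only ACEs.
$rights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$mask   = [int]$rights -bor 0x10000000 -bor 0x40000000

function Get-WeakAce {
    param([string]$Target)
    $acl = Get-Acl -LiteralPath $Target
    # Ask for SIDs so the comparison does not depend on localized group names.
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $lowPriv.ContainsKey($sid) -and
            (([int]$ace.FileSystemRights -band $mask) -ne 0)) {
            [pscustomobject]@{
                Path = $Target; Finding = 'WritableByLowPriv'
                Detail = '{0}: {1} (inherited={2})' -f $lowPriv[$sid], $ace.FileSystemRights, $ace.IsInherited
            }
        }
    }
}

if (-not (Test-Path -LiteralPath $Path)) { Write-Warning "$Path not found"; return }

# Check the folder itself and its direct children (no recursion, so that
# the audit never walks through a junction into another directory tree).
$items = @(Get-Item -LiteralPath $Path -Force) + @(Get-ChildItem -LiteralPath $Path -Force)
$findings = foreach ($item in $items) {
    Get-WeakAce -Target $item.FullName
    # Reparse points (symlinks, junctions) are unexpected in a log folder.
    if ($item.Attributes -band [System.IO.FileAttributes]::ReparsePoint) {
        [pscustomobject]@{ Path = $item.FullName; Finding = 'ReparsePoint'; Detail = $item.Attributes }
    }
}
$findings | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt so Get-Acl can read every entry; any WritableByLowPriv row on the folder or its files matches the access condition in the description.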
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <1470
Patches
No patches discovered yet.
References
[1] www.atredis.com/blog/cylance-privilege-escalation-vulnerability (mitre, x_refsource_MISC)