A local, non-privileged attacker can abuse a vulnerable IOCTL interface exposed by the OpenEDR 2.5.1.0 kernel driver to modify the DLL injection path used by the product. By redirecting this path to a user-writable location, an attacker can cause OpenEDR to load an attacker-controlled DLL into high-privilege processes. This results in arbitrary code execution with SYSTEM privileges, leading to full compromise of the affected system.
Attack Parameters
Attack Vector
Local
Requires local access
Attack Complexity
Low
Easy to exploit
Privileges Required
Low
Basic privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
High
Complete data leak
Integrity
High
Complete data modification
Availability
High
Complete denial of service
CVSS Vector v3.1
Weakness Type (CWE)
Vulnerable Products 1
| Configuration | From (including) | Up to (excluding) |
|---|---|---|
|
Xcitium Openedr
cpe:2.3:a:xcitium:openedr:2.5.1.0:*:*:*:*:*:*:*
|
— | — |
References 5
https://gist.github.com/ikerl/c3ec81f12ded44c2e0ae2dfdacb562ba
cve@mitre.org
https://github.com/ComodoSecurity/openedr
cve@mitre.org
https://github.com/ComodoSecurity/openedr/issues/49
cve@mitre.org
https://scavengersecurity.com/posts/edr-as-rootkit-2/
cve@mitre.org
https://www.openedr.com/
cve@mitre.org