Executive Summary
Four vulnerabilities were discovered by a third-party security research team affecting CoSoSys Endpoint Protector and CoSoSys Unify. By exploiting these vulnerabilities, an attacker may be able to gain remote code execution on the Endpoint Protector and Unify server or agent, or to bypass data-loss prevention policy enforcement.
Updates
2024-09-03T19:15:00Z
The security researcher who discovered and disclosed these vulnerabilities to Netwrix has published a public disclosure containing technical details of the vulnerabilities. Public disclosures such as this are typical when vulnerabilities are discovered by a security researcher. Following public disclosure, there is a significant increase in the risk of exploitation by an adversary. Endpoint Protector users, particularly those whose deployment is internet facing, are advised to apply the relevant hotfix immediately.
2024-07-16T17:15:00Z
CoSoSys has released an offline hotfix [download] which replaces the agents embedded in the virtual appliance with updated ones for use with the Client Software Upgrade feature.
2024-07-05T14:00:00Z
A revised hotfix for CoSoSys Endpoint Protector versions 5.6.0.0 through 5.9.3.0, labeled Hotfix 1.1, has been released. It supersedes the prior hotfix and resolves the event processing issue.
CoSoSys has applied Hotfix 1.1 to all hosted systems. If you operate an on-premises deployment and applied the original hotfix, you will need to apply the relevant Hotfix 1.1 to your system.
2024-07-02T14:35:00Z
Netwrix has received reports that following the deployment of CoSoSys Endpoint Protector Hotfix #1 the system may cease to process certain events. Netwrix has confirmed this behavior and is working on a revision to Hotfix #1 to resolve this issue. As a precaution, Netwrix has temporarily paused distribution of the hotfix until a replacement is available.
Customers who have deployed Hotfix #1 and are experiencing an issue with processing events should contact the Netwrix support team.
Acknowledgements
We thank Sangjun Song and Junwoo Byun from Theori for their coordinated disclosure of the vulnerabilities and their effort and partnership in improving the security of our products.
Vulnerability
Title | Affected Component | Affected Versions | CVSS 4.0 Score | CVSS 3.1 Score (Base / Temporal) | Description |
---|---|---|---|---|---|
Insufficient input validation in file upload (CVE-2024-36072) | CoSoSys Endpoint Protector, CoSoSys Unify | Endpoint Protector <= 5.9.3.0, Unify <= 7.0.6 | 10.0 | 10.0 / 9.0 | A remote code execution vulnerability exists in the logging component of the Endpoint Protector and Unify server application which allows an unauthenticated remote attacker to send a malicious request, resulting in the ability to execute system commands with root privileges. |
Insufficient input validation in shadow function (CVE-2024-36073) | CoSoSys Endpoint Protector, CoSoSys Unify | Endpoint Protector <= 5.9.3.0, Unify <= 7.0.6 | 8.5 | 9.1 / 8.2 | A remote code execution vulnerability exists in the shadowing component of the Endpoint Protector and Unify agent which allows an attacker with administrative access to the Endpoint Protector or Unify server to overwrite sensitive configuration and subsequently execute system commands with SYSTEM/root privileges on a chosen client endpoint. |
Insufficient validation of third-party resource acquisition (CVE-2024-36074) | CoSoSys Endpoint Protector, CoSoSys Unify | Endpoint Protector <= 5.9.3.0, Unify <= 7.0.6 | 7.3 | 7.2 / 6.5 | A remote code execution vulnerability exists in the Endpoint Protector and Unify agent in the way that the EasyLock dependency is acquired from the server. An attacker with administrative access to the Endpoint Protector or Unify server can cause a client to acquire and execute a malicious file resulting in remote code execution. |
Insufficient input validation in application configuration (CVE-2024-36075) | CoSoSys Endpoint Protector, CoSoSys Unify | Endpoint Protector <= 5.9.3.0, Unify <= 7.0.6 | 7.2 | 8.0 / 7.2 | The CoSoSys Endpoint Protector and Unify agent is susceptible to an arbitrary code execution vulnerability due to the way an archive obtained from the Endpoint Protector or Unify server is extracted on the endpoint. An attacker who is able to modify the archive on the server could obtain remote code execution as an administrator on an endpoint. |
Exploitability
Factors such as whether details about the vulnerability are publicly known, whether an exploit is readily available, or whether adversaries are actively exploiting the vulnerability are valuable in making risk-based judgments about urgency and priority; customers should use the information below in making those decisions.
Title | Publicly known? | Exploit available? | Actively exploited? |
---|---|---|---|
Insufficient input validation in file upload (CVE-2024-36072) | Yes | Yes | No |
Insufficient input validation in shadow function (CVE-2024-36073) | Yes | Yes | No |
Insufficient validation of third-party resource acquisition (CVE-2024-36074) | Yes | Yes | No |
Insufficient input validation in application configuration (CVE-2024-36075) | Yes | Yes | No |
Solution
I’m running Endpoint Protector >= 5.9.0.0 | I’m running Endpoint Protector <5.9.0.0 but >= 5.6.0.0 | I’m running Endpoint Protector <5.6.0.0 | I am a hosted Endpoint Protector or Unify customer |
---|---|---|---|
Step #1: Apply Endpoint Protector 5.9.x.0 Hotfix #1. The hotfix is available in Live Update or as an offline update. Step #2: Download and deploy the relevant Endpoint Protector Client on all endpoints. | Step #1: Download and apply the offline update to your Endpoint Protector server. Step #2: Download and deploy the relevant Endpoint Protector Client on all endpoints. It is strongly recommended that you update to CoSoSys Endpoint Protector 5.9.3.0. | Step #1: Update to CoSoSys Endpoint Protector 5.6.0.0 and follow the steps for that version. It is strongly recommended that you update to CoSoSys Endpoint Protector 5.9.3.0. | Beginning 2024-06-28T07:00:00Z, CoSoSys will apply the update to each hosted instance. You will need to download and deploy the relevant Endpoint Protector Client on all endpoints. If you are running an earlier version, it is also strongly recommended that you update to CoSoSys Endpoint Protector 5.9.3.0. |
Important: The Endpoint Protector server and the Endpoint Protector Client on all endpoints must both be updated to fully resolve the vulnerabilities.
Instructions for applying an offline patch are available in the product documentation.
Please contact the Netwrix technical support team should you need assistance.
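As an added example that is not part of the Netwrix advisory: a small Python triage helper that applies the version thresholds from the Solution table and the server/agent split from the FAQ to a constructed inventory, reporting which CVEs remain open and what to do next. The `Deployment` structure, the hostnames and the hotfix/agent status flags are assumptions (constructed sample data).

```python
from dataclasses import dataclass

# Thresholds taken from the advisory's Solution and Vulnerability tables.
LIVE_UPDATE_MIN = (5, 9, 0, 0)   # >= 5.9.0.0: hotfix in Live Update
OFFLINE_MIN = (5, 6, 0, 0)       # 5.6.0.0 .. 5.8.1.0: offline hotfix
LATEST_AFFECTED = (5, 9, 3, 0)   # highest version listed as affected

SERVER_CVES = ["CVE-2024-36072"]                          # server-side RCE
AGENT_CVES = ["CVE-2024-36073", "CVE-2024-36074", "CVE-2024-36075"]  # agent-side

def parse_version(text):
    """Turn '5.9.3.0' into a comparable tuple (5, 9, 3, 0)."""
    return tuple(int(p) for p in text.strip().split("."))

def server_remediation(version):
    """Pick the Solution-table column that applies to an on-premises server."""
    v = parse_version(version)
    if v > LATEST_AFFECTED:
        return "outside advisory scope: confirm fix status with vendor"
    if v >= LIVE_UPDATE_MIN:
        return "apply Hotfix #1.1 from Live Update (or offline update)"
    if v >= OFFLINE_MIN:
        return "apply the offline Hotfix #1.1 for this version"
    return "upgrade to 5.6.0.0 first, then apply that version's Hotfix #1.1"

@dataclass
class Deployment:                 # assumed inventory shape, not a product API
    server_version: str
    server_hotfix_applied: bool
    endpoints: dict               # hostname -> True once the agent is updated

def open_cves(d):
    """CVEs still exposed; server exposure is reported under the key 'server'."""
    result = {}
    if not d.server_hotfix_applied:
        result["server"] = list(SERVER_CVES)
    for host, agent_updated in d.endpoints.items():
        if not agent_updated:
            result[host] = list(AGENT_CVES)
    return result

def triage(d):
    """Ordered action list: the server hotfix first, then lagging agents."""
    actions = []
    if not d.server_hotfix_applied:
        actions.append("server: " + server_remediation(d.server_version))
    stale = sorted(h for h, ok in d.endpoints.items() if not ok)
    if stale:
        actions.append("update agents on: " + ", ".join(stale))
    return actions

# Constructed sample inventory, not real data.
SAMPLE = Deployment("5.8.1.0", False, {"ws-01": True, "ws-02": False, "srv-db": False})
```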
Official Fixes
Updated software has been released containing official fixes for all listed vulnerabilities as indicated in the table below. Please ensure you apply the correct hotfix to the version of CoSoSys Endpoint Protector you are using.
Product | Current Version | Hotfix Version |
---|---|---|
CoSoSys Endpoint Protector | 5.9.3.0 | 5.9.3.0 Hotfix #1.1 |
CoSoSys Endpoint Protector | 5.9.2.0 | 5.9.2.0 Hotfix #1.1 |
CoSoSys Endpoint Protector | 5.9.1.0 | 5.9.1.0 Hotfix #1.1 |
CoSoSys Endpoint Protector | 5.9.0.0 | 5.9.0.0 Hotfix #1.1 |
CoSoSys Endpoint Protector | 5.8.1.0 | 5.8.1.0 Hotfix #1.1 |
CoSoSys Endpoint Protector | 5.8.0.0 | 5.8.0.0 Hotfix #1.1 |
CoSoSys Endpoint Protector | 5.7.1.0 | 5.7.1.0 Hotfix #1.1 |
CoSoSys Endpoint Protector | 5.7.0.0 | 5.7.0.0 Hotfix #1.1 |
CoSoSys Endpoint Protector | 5.6.0.0 | 5.6.0.0 Hotfix #1.1 |
Downloading the Hotfix
Product | Applicable Versions | Downloads |
---|---|---|
CoSoSys Endpoint Protector | >=5.9.0.0 | Patch available in Live Update |
CoSoSys Endpoint Protector | 5.6.0.0 through 5.9.3.0 | Download offline patch |
CoSoSys Endpoint Protector Agent | CoSoSys Endpoint Protector 5.6.0.0 through 5.9.3.0; CoSoSys Unify >=7.0.6 | Windows, macOS, Ubuntu 22.04, Ubuntu 20.04, Ubuntu 18.04, RHEL 9.4, RHEL 8.10 |
CoSoSys Endpoint Protector Agent (Offline Patch for Client Software Upgrade Feature) | CoSoSys Endpoint Protector 5.9.2.0 and 5.9.3.0 | Download offline patch |
FAQ
- How do I determine the version of CoSoSys Endpoint Protector and whether the patch is applied?
  Please refer to this knowledge base article.
- It will take my company some time to update all of our agents. How urgent is this part of the update?
  While the server hotfix is the most critical to apply immediately, we advise customers to act with urgency in updating their agents, while following an expedited testing and emergency change control process. CVE-2024-36073, CVE-2024-36074, and CVE-2024-36075 affect the agents, and may permit an attacker to escalate privileges on an affected endpoint or bypass DLP policies. While the scope of impact is limited to each endpoint, an attacker may be able to utilize them as part of a chain to cause greater damage.
Revisions
Updates to this advisory may be made as necessary. Information about each change will be published in the table below.
Revision | Date | Description |
---|---|---|
9 | 2024-09-03T19:15:00Z | Update regarding public disclosure |
8 | 2024-07-16T17:15:00Z | Add release of offline patch |
7 | 2024-07-08T14:00:00Z | Update description of CVE-2024-36075 |
6 | 2024-07-05T14:00:00Z | Added update regarding Hotfix 1.1 |
5 | 2024-07-02T14:35:00Z | Added update to executive summary |
4 | 2024-06-28T15:00:00Z | Added FAQ regarding agent update |
3 | 2024-06-28T14:00:00Z | Added versions to Live Update |
2 | 2024-06-27T15:00:00Z | Updated Solution section for clarity |
1 | 2024-06-27T14:00:00Z | First published |
Disclaimer
The information and materials included in or linked to this Security Advisory are provided on an “as-is” basis and without warranty of any kind, and we disclaim all representations and warranties of any kind, whether express or implied, including warranties of merchantability and fitness for a particular use. You acknowledge and agree that your use of the information and materials included in or linked to this Security Advisory are at your own risk.