exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

BlackBerry CylanceOPTICS Uninstall Password Bypass

BlackBerry CylanceOPTICS Uninstall Password Bypass
Posted Sep 30, 2024
Authored by P. Espernberger, M. Engleitner, Rene Grubmair | Site sec-consult.com

BlackBerry CylanceOPTICS versions prior to 3.3 MR2 and 3.2 MR5 suffer from an uninstall password bypass vulnerability.

tags | exploit, bypass
advisories | CVE-2024-35214
SHA-256 | 0a06d0ec45010ea8b159f9d5f9a891450ce9117faadcb6b526ef6e7aa21a7451

BlackBerry CylanceOPTICS Uninstall Password Bypass

Change Mirror Download
SEC Consult Vulnerability Lab Security Advisory < 20240925-0 >
=======================================================================
title: Uninstall Password Bypass
product: BlackBerry CylanceOPTICS Windows Installer Package
vulnerable version: CylanceOPTICS <3.3 MR2
CylanceOPTICS <3.2 MR5
fixed version: CylanceOPTICS 3.3 MR2
CylanceOPTICS 3.2 MR5
CVE number: CVE-2024-35214
impact: high
homepage: https://www.blackberry.com/us/en/support/cylance
found: 2023-12-12
by: Initially by Rene Grubmair (Greiner)
P. Espernberger (Office Leonding)
M. Engleitner (Office Leonding)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult, an Eviden business
Europe | Asia

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"CylanceOPTICS is an endpoint detection and response solution that collects
and analyzes forensic data from devices to identify and resolve threats
before they impact your organization’s users and data."

Source: https://docs.blackberry.com/en/unified-endpoint-security/blackberry-ues/overview/What-is-BlackBerry-Optics


Business recommendation:
------------------------
The vendor provides a patched version which should be installed immediately.

SEC Consult highly recommends to perform a thorough security review of the
product conducted by security professionals to identify and resolve potential
further security issues.


Vulnerability overview/description:
-----------------------------------
1) Uninstall Password Bypass (CVE-2024-35214)
Due to the quiet (un-)installation feature offered by the CylanceOPTICS
application, the uninstaller can be called directly without requiring
a previously set uninstall password.

In order to exploit this vulnerability, an attacker must have local admin
rights.


Proof of concept:
-----------------
1) Uninstall Password Bypass (CVE-2024-35214)
The path to the MSI uninstaller can be found by searching the
Windows Registry for "CylanceOPTICS" which results in the following
node containing uninstall information for the 64bit application:

HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{6e96194b-ca7b-40a4-badd-7eac94ea62c7}

To uninstall CylanceOPTICS without being prompted for a password,
the QuietUninstallString command is executed as privileged user on
the system.

"C:\ProgramData\Package Cache\{6e96194b-ca7b-40a4-badd-7eac94ea62c7}\CylanceOPTICSSetup.exe" /uninstall /quiet

Afterwards, the CylanceOPTICS application is successfully removed.


Vulnerable / tested versions:
-----------------------------
The following version has been tested by SEC Consult which was the most
recent version available at the time of the test:
* 3.2.2199.0

According to the vendor, all previous versions are affected:
* CylanceOPTICS <3.3 MR2
* CylanceOPTICS <3.2 MR5


Vendor contact timeline:
------------------------
2024-02-02: Contacting vendor through secure@blackberry.com, case
BIRT2024-00128 was created
2024-02-02: Auto-response, case is being tracked as # BIRT2024-00128
2024-02-07: Vendor requests settings of the CylanceConsole device.
Vendor is currently attempting to reproduce the vulnerability.
2024-02-08: The requested settings were provided.
2024-02-09: Vendor confirms the Uninstall Password Bypass vulnerability.
Additional information (log files) are requested.
Clarification of the impact of the vulnerability is requested.
2024-02-15: Explanation has been sent. Log files could not be provided
as the device has already been reset.
2024-02-15: The vulnerability was escalated to the development team.
2024-02-23: Short update was provided outlining the current plan to
fix the vulnerability until summer 2024.
Vendor commits to bi-weekly updates on their progress.
2024-04-19: Expected release date (June 3rd) was communicated and
the CVE number was provided.
2024-05-21: Coordination of the joint release date (2024-06-11) and
providing the updated security advisory and new CVE number.
2024-06-07: Vendor released CylanceOPTICS 3.3 MR1 and CylanceOPTICS 3.2 MR4
on 4th June. But requests advisory disclosure to be delayed to
10th September because of identified weakness in current solution.
2024-08-20: Vendor releases new version 3.3 MR2 and 3.2 MR5.
2024-09-25: Coordinated release of security advisory.


SEC Consult was informed about the progress bi-weekly.
Only the most relevant information is included in the timeline.


Solution:
---------
The vendor provides the following patched versions to their customers:
* CylanceOPTICS 3.3 MR2
* CylanceOPTICS 3.2 MR5


In addition to the updated versions, the vendor has released an
optional script which customers can run to remove the old version and replace
it with the update. New customers, or customers who uninstall /
reinstall will not need to run the script, nor will existing customers
who have not configured an Uninstall password.

The vendor provides the following security notes with further information:
https://support.blackberry.com/pkb/s/article/140080


Workaround:
-----------
As a workaround, it is possible to delete the affected CylanceOPTICSSetup.exe
binary.


Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Eviden business
Europe | Asia

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Eviden business. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: https://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF M. Engleitner, P. Espernberger / @2024
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close