CylancePROTECT 1534: Low-Severity DLL Side-Load Vulnerability Remediated

In our release of agent 1534, BlackBerry® Cylance® remediated a low-severity vulnerability that could have allowed an individual with administrator or system-level privileges to exploit the load order of WinTrust.dll and sideload an arbitrary file that could execute commands or disable the BlackBerry Cylance Service. For a detailed technical breakdown, please see our KB article.

When a Windows system starts, an ordered sequence of operations runs, one of which is the loading of WinTrust.dll. This DLL is required for the system to operate properly and provides the Microsoft Trust Verification API, which stays resident in memory. According to Microsoft, its main purpose is “…trust purposes related to files, catalogs, memory, signature or certificates by third parties.”

In a traditional side-loading attack, the attacker places a DLL in a directory and launches an application that loads that file. By default, Microsoft’s search order starts in the current directory and, if the file is found there, loads it. Once elevated credentials are obtained, it becomes possible to place an arbitrary DLL named WinTrust.DLL (which is not the Microsoft file) in the Cylance folder; a potential attacker could then exploit the native Windows loader to execute arbitrary commands in the context of the Cylance Service (SYSTEM).

To execute this sequence successfully, administrator privileges are required to write to the Cylance directory. In this hypothetical case, the attacker would have ‘Write’ access to our Program Files directory. Keep in mind, though, that with this level of privilege they could achieve nearly anything on the system in any case: the access extends to the entire system, not merely the Cylance directory. As is well documented, Microsoft does not treat the line between Administrator and SYSTEM as a security boundary. Without that level of privilege, the attack as documented would not be possible.
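As an added defender-side example (not BlackBerry Cylance's own tooling), the following PowerShell audits an application directory for a stray WinTrust.dll and for write permissions granted to principals other than Administrators, SYSTEM and TrustedInstaller. `$AppDir` is an assumed placeholder; point it at the directory you want to audit.

```powershell
# Added example, not vendor code: audit one application directory for the
# side-load condition described above. $AppDir is a placeholder path.
param(
    [string]$AppDir = "C:\Program Files\<VendorFolder>"   # placeholder, replace
)

$systemCopy = Join-Path $env:SystemRoot 'System32\wintrust.dll'
$candidate  = Join-Path $AppDir 'wintrust.dll'

# 1. Per the advisory, a WinTrust.dll beside the service binary can be loaded
#    in preference to the System32 copy, so its mere presence is a finding.
#    Report signature status and whether it is byte-identical to System32.
if (Test-Path $candidate) {
    $sig     = Get-AuthenticodeSignature -FilePath $candidate
    $sysHash = (Get-FileHash -Path $systemCopy -Algorithm SHA256).Hash
    $canHash = (Get-FileHash -Path $candidate  -Algorithm SHA256).Hash
    [pscustomobject]@{
        Finding         = 'WinTrust.dll present in application directory'
        Path            = $candidate
        SigStatus       = $sig.Status
        Signer          = $sig.SignerCertificate.Subject
        MatchesSystem32 = ($sysHash -eq $canHash)
    }
}

# 2. Only highly privileged principals should be able to write here; any Allow
#    ACE granting write rights to anyone else widens the surface for placing
#    a file into the directory.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write
$trusted   = @('NT AUTHORITY\SYSTEM',
               'BUILTIN\Administrators',
               'NT SERVICE\TrustedInstaller')

(Get-Acl -Path $AppDir).Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $writeMask) -ne 0) -and
        ($trusted -notcontains $_.IdentityReference.Value)
    } |
    ForEach-Object {
        [pscustomobject]@{
            Finding   = 'Write access for non-administrative principal'
            Principal = $_.IdentityReference.Value
            Rights    = $_.FileSystemRights
        }
    }
```

An empty result for both checks means no stray WinTrust.dll is present and only the expected principals can write to the directory.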

To help prevent this and similar attacks from succeeding, please see Microsoft’s guide on implementing least privilege and refer to our Customer Knowledge Base for BlackBerry Cylance best practices.