Uninstall Password Bypass in BlackBerry CylanceOPTICS Windows Installer Package

Title

Uninstall Password Bypass

Product

BlackBerry CylanceOPTICS Windows Installer Package

Vulnerable Version

CylanceOPTICS <3.3 MR2, CylanceOPTICS <3.2 MR5

Fixed Version

CylanceOPTICS 3.3 MR2, CylanceOPTICS 3.2 MR5

CVE Number

CVE-2024-35214

Impact

high

Homepage

https://www.blackberry.com/us/en/support/cylance

Found

12.12.2023

By

Initially by Rene Grubmair (Greiner), P. Espernberger, M. Engleitner (Office Leonding) | SEC Consult Vulnerability Lab

The endpoint protection solution BlackBerry CylanceOPTICS could be deactivated and uninstalled completely without requiring a previously set uninstallation password using the silent uninstaller.

Vendor description

"CylanceOPTICS is an endpoint detection and response solution that collects and analyzes forensic data from devices to identify and resolve threats before they impact your organization’s users and data.

Source: https://docs.blackberry.com/en/unified-endpoint-security/blackberry-ues/overview/What-is-BlackBerry-Optics

Business recommendation

The vendor provides a patched version which should be installed immediately.

SEC Consult highly recommends to perform a thorough security review of the product conducted by security professionals to identify and resolve potential further security issues.


Vulnerability overview/description

1) Uninstall Password Bypass (CVE-2024-35214)

Due to the quiet (un-)installation feature offered by the CylanceOPTICS application, the uninstaller can be called directly without requiring a previously set uninstall password.

In order to exploit this vulnerability, an attacker must have local admin rights.


Proof of concept

1) Uninstall Password Bypass (CVE-2024-35214)

The path to the MSI uninstaller can be found by searching the Windows Registry for "CylanceOPTICS" which results in the following node containing uninstall information for the 64bit application:

HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{6e96194b-ca7b-40a4-badd-7eac94ea62c7}

To uninstall CylanceOPTICS without being prompted for a password, the QuietUninstallString command is executed as privileged user on the system.

"C:\ProgramData\Package Cache\{6e96194b-ca7b-40a4-badd-7eac94ea62c7}\CylanceOPTICSSetup.exe" /uninstall /quiet

Afterwards, the CylanceOPTICS application is successfully removed.

Figure 1: CylanceOPTICS Password Requirement
Figure 2: Windows Registry CylanceOPTICS
Figure 3: Apps & features
Figure 4: Uninstallation CylancePROTECT

Vulnerable / tested versions

The following version has been tested by SEC Consult which was the most recent version available at the time of the test:

  • 3.2.2199.0

According to the vendor, all previous versions are affected:

  • CylanceOPTICS <3.3 MR2
  • CylanceOPTICS <3.2 MR5


Vendor contact timeline

2024-02-02 Contacting vendor through secure@blackberry.com, case BIRT2024-00128 was created
2024-02-02 Auto-response, case is being tracked as # BIRT2024-00128
2024-02-07 Vendor requests settings of the CylanceConsole device. Vendor is currently attempting to reproduce the vulnerability.
2024-02-08 The requested settings were provided.
2024-02-09 Vendor confirms the Uninstall Password Bypass vulnerability. Additional information (log files) are requested. Clarification of the impact of the vulnerability is requested.
2024-02-15 Explanation has been sent. Log files could not be provided as the device has already been reset.
2024-02-15 The vulnerability was escalated to the development team.
2024-02-23 Short update was provided outlining the current plan to fix the vulnerability until summer 2024. Vendor commits to bi-weekly updates on their progress.
2024-04-19 Expected release date (June 3rd) was communicated and the CVE number was provided.
2024-05-21 Coordination of the joint release date (2024-06-11) and providing the updated security advisory and new CVE number.
2024-06-07 Vendor released CylanceOPTICS 3.3 MR1 and CylanceOPTICS 3.2 MR4 on 4th June. But requests advisory disclosure to be delayed to 10th September because of identified weakness in current solution.
2024-08-20 Vendor releases new version 3.3 MR2 and 3.2 MR5.
2024-09-25 Coordinated release of security advisory.

SEC Consult was informed about the progress bi-weekly. Only the most relevant information is included in the timeline.


Solution

The vendor provides the following patched versions to their customers:

  • CylanceOPTICS 3.3 MR2
  • CylanceOPTICS 3.2 MR5


In addition to the updated versions, the vendor has released an optional script which customers can run to remove the old version and replace it with the update. New customers, or customers who uninstall / reinstall will not need to run the script, nor will existing customers who have not configured an Uninstall password.

The vendor provides the following security notes with further information:
https://support.blackberry.com/pkb/s/article/140080


Workaround


As a workaround, it is possible to delete the affected CylanceOPTICSSetup.exe binary.

 

Advisory URL

https://sec-consult.com/vulnerability-lab/


EOF M. Engleitner, P. Espernberger / @2024

 

 

Interested to work with the experts of SEC Consult? Send us your application

Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices

Back