Netskope EPDLP Driver Double-Fetch Vulnerability (CVE-2024-11616) Analysis

Key Information Vulnerability Overview CVE ID: CVE-2024-11616 Vulnerability Type: Netskope EPDLP Double-Fetch Affected Scope: Netskope Endpoint Data Loss Prevention (EPDLP) driver on Windows 10 and Windows 11 systems Target Target Components: Filter Manager, Device Control I/O Request Packet (IRP), and Standard Control IRP Vulnerability Location: EPDLP driver implemented in the Filter Manager, specifically the portion related to Device Control IRP Vulnerability Details Issue Description: When processing a Device Control IRP, the EPDLP driver fails to properly validate the buffer length returned by the function, leading to a Double-Fetch vulnerability. Technical Details: - The function retrieves the I/O parameter block, but the returned buffer length is not correctly checked. - Attackers can exploit this by crafting specific input data, causing the driver to access out-of-bounds memory, potentially leading to information disclosure or privilege escalation. Exploitation PoC (Proof of Concept): A simple code example is provided to demonstrate how to trigger the vulnerability. - A global variable is created, whose value is read twice (Double-Fetch). - By carefully crafting input data, the first and second reads return different values, thereby triggering the vulnerability. References Includes multiple related links, such as Netskope’s product page, CVE details, and documentation on Filter Communication Port.

Goal Reached Thanks to every supporter — we hit 100%!

Netskope EPDLP Driver Double-Fetch Vulnerability (CVE-2024-11616) Analysis