Technical Advisory: CyberArk EPM Non-paged Pool Buffer Overflow


Vendor: CyberArk
Vendor URL:
Versions affected: CyberArk Endpoint Privilege Manager prior to version 10.7
Windows XP, Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016
Author: Jason Crowder
Advisory URL / CVE Identifier: CVE-2019-9627
Risk: Medium


CyberArk Endpoint Privilege Manager’s (EPM) endpoint client provides granular control of application privileges on endpoints. It installs several drivers in order to do this.

CybKernelTracker.sys, one of the drivers that is installed, is vulnerable to non-paged pool buffer overflow which can be used to crash the local machine or escalate privileges on CyberArk EPM versions prior to 10.7.


The vulnerability is present in CyberArk Endpoint Privilege Manager’s driver CybKernelTracker.sys in its registered image load notify routine.


An attacker can use CybKernelTracker.sys to overwrite kernel non-paged memory. This may allow an attacker to crash the machine, escalate privileges, or execute arbitrary kernelmode code.


CybKernelTracker.sys contains a code path that installs an image load notify callback. This callback is called every time an image, such as a dll, is loaded on the system. The callback allocates non-paged pool memory to copy the image path of the image that is being loaded, but it does not take into account the length of the path of the image prior to the memory copy. By loading an image with a path longer than the buffer size of the allocation, an attacker is able to overwrite non-paged pool memory.

CybKernelTracker.sys’s vulnerable image load notify callback is not installed by default when the driver is initialized. The tester was able to get it installed by interacting with the driver’s filter communication port, CKTPort. This filter communication port’s security descriptor prevents access to non-Administrator users. Once the vulnerable callback routine is installed, however, it allows non-Administrator users to trigger the buffer overflow, possibly escalating privileges.

Vendor Communication

NCC Group initiated contact with CyberArk on November 8 2018. CyberArk responded the same day, indicating they would investigate the issue shortly, and they confirmed the issue on November 13, 2018. They fixed the issue on December 7, 2018 and shared a pre-release version of the updated driver with NCC Group to verify. CyberArk released EPM version 10.7 on January 22, 2019, which contains the fix.

About NCC Group

NCC Group is a global expert in cyber security and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate respond to the risks they face. We are passionate about making the Internet safer and revolutionising the way in which organisations think about cyber security.


Call us before you need us.

Our experts will help you.

Get in touch