VU#818729: Safetica contains a kernel driver vulnerability
A vulnerability exists in Safetica's ProcessMonitorDriver.sys kernel driver, used in its data loss prevention software. This allows unprivileged users to terminate system processes through an exposed IOCTL path. The vulnerability stems from inadequate input sanitization and user validation within the driver's interface. Successfully exploiting this flaw enables a denial-of-service attack, potentially rendering Safetica systems unusable. The attacker could repeatedly terminate processes, disrupting system functionality and security monitoring. At the time of this publication, no official fix from the vendor has been released to address this critical issue. Organizations are advised to actively monitor for suspicious IOCTL calls targeting the driver. Implementing kernel driver monitoring solutions is essential for detecting abuse and unusual patterns. Restricting access to the vulnerable driver through Windows policies is also crucial. This can be achieved through Group Policies or Application Control to prevent unauthorized interactions. The report recommends blocking untrusted or unsigned binaries from communicating with the driver.