Thomas Brice

Name of the Vulnerable Software and Affected Versions: Netskope NS Client (affected versions not specified) Description: Netskope has been notified of a potential issue in its agent (NS Client) where a malicious actor could trigger a memory leak by sending a crafted DNS packet to a machine. Successful exploitation may require administrative privileges on the machine, depending on the exact configuration. A successful exploit could result in user-controllable memory being leaked in a domain name stored on the local machine. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Netskope NS Client on Windows systems (affected versions not specified) Description: Netskope was notified about a potential gap in its agent (NS Client) on Windows systems. Successful exploitation of this issue by an unprivileged user can trigger a heap overflow in the `epdlpdrv.sys` driver, potentially leading to a Blue-Screen-of-Death (BSOD). Exploitation can also potentially be performed by an unprivileged user whose NS Client is configured to use Endpoint DLP, resulting in a denial-of-service for the local machine. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Netskope Endpoint DLP versions prior to R119 **Description** A security issue arises from a double-fetch problem in the Content Control Driver of Netskope Endpoint DLP, leading to a heap overflow. This occurs because the `NumberOfBytes` argument to `ExAllocatePoolWithTag` and the `Length` argument for `RtlCopyMemory` both independently dereference their value from the user-supplied input buffer inside the `EpdlpSetUsbAction` function. If the length value increases between these two calls, it results in the `RtlCopyMemory` call copying user-supplied memory contents outside the allocated buffer, causing a heap overflow. An attacker needs admin privileges to exploit this issue. **Recommendations** For versions prior to R119, update to version R119 or later to resolve the issue. As a temporary workaround, consider restricting access to the `EpdlpSetUsbAction` function until a patch is available. Additionally, ensure that only trusted users have admin privileges to minimize the risk of exploitation.