CVE-2023-29485: 
Homebrew vulnerability analysis and mitigation

An issue was discovered in Heimdal Thor agent versions 3.4.2 and before on Windows and 2.6.9 and before on macOS, which allows attackers to bypass network filtering, execute arbitrary code, and obtain sensitive information via DarkLayer Guard threat prevention module. The vulnerability (CVE-2023-29485) was disclosed in December 2023. Heimdal disputes the validity of this issue, arguing that their DNS Security for Endpoint filters DNS traffic on the endpoint by intercepting system-generated DNS requests, and the product was not designed to intercept DNS requests from third-party solutions (NVD).

The vulnerability allows attackers to bypass network filtering rules (DarkLayer Guard Network traffic policies) through multiple methods. The component does not intercept traffic correctly and fails open. Specifically, website restrictions can be bypassed using: 1) TOR browser or built-in TOR component in Brave browser, 2) Any browser with a VPN plugin, 3) Any online proxy website. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD, Medium Blog).

The vulnerability can result in violation of specified restrictions and impact the integrity and confidentiality of the endpoint and its data. It can allow data exfiltration or download of prohibited content or malicious payloads. The bypass methods enable users to circumvent network filtering policies and access restricted websites (Medium Blog).

The vendor has acknowledged the issue and is working on a fix for blocking TOR traffic. However, it is unclear if users will receive adequate protection against online proxies, proxy service websites, or VPN plugins as the vendor does not plan to monitor these vectors. Organizations should ensure that endpoint policies are properly configured to enable Dark Layer Guard, implement blacklists, and harden related settings (Medium Blog).