In July 2023, one of our proactive behavioral rules triggered on an attempt to load a driver named pskmad_64.sys (Panda Memory Access Driver) on a protected machine. The driver is owned by Panda Security and is used in a number of their products.
Because of the rise in abuse of legitimate drivers to disable EDR products (an issue we examined in our piece on compromised Microsoft-signed drivers a few months ago), and the context in which this driver was loaded, we started to investigate and dug deeper into the file.
After re-evaluation and engagement with the customer, the original incident was identified as an APT simulation test. Our investigation, however, led to the discovery of three distinct vulnerabilities, which we reported to the Panda security team. These vulnerabilities, now tracked as CVE-2023-6330, CVE-2023-6331, and CVE-2023-6332, have been addressed by Panda. Information from Panda on the vulnerabilities and their fixes can be found in the advisories noted for each CVE below.
Findings by CVE
CVE-2023-6330 (Pool Memory Corruption)
The registry key \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion as seen from user mode) holds several values used to determine the OS version. CSDVersion is the Service Pack level of the operating system; CSDBuildNumber is the number of the corresponding build.
The driver pskmad_64.sys does not properly validate the contents of these values. An attacker who writes crafted content into CSDBuildNumber or CSDVersion causes the driver to overflow a non-paged pool allocation when it reads the values back.
The minimum impact is a denial of service. With further research, an attacker might achieve code execution by chaining CVE-2023-6330 with other vulnerabilities. Note that, by default, only administrators can write to this key, so the primitive is admin-to-kernel rather than one available to a standard user. The CVSS base score for this vulnerability is 6.4, and Panda assesses it as being of medium potential impact.
The full advisory for this issue is available on the WatchGuard site as WGSA-2024-00001, "WatchGuard Endpoint pskmad_64.sys Pool Memory Corruption Vulnerability."
CVE-2023-6331 (Out of Bounds Write)
By sending a crafted buffer in an IRP with IOCTL code 0xB3702C08 to the driver, an attacker can overflow a non-paged pool allocation, resulting in an out-of-bounds memory write. The vulnerability exists because of a missing bounds check when the driver transfers the request data via memmove into the non-paged pool.
The minimum impact is a denial of service. With further research, an attacker might achieve code execution when CVE-2023-6331 is combined with other vulnerabilities. The CVSS base score for this vulnerability is also 6.4, but Panda assesses it as being of high potential impact.
The full advisory for this issue is available on the WatchGuard site as WGSA-2024-00002, "WatchGuard Endpoint pskmad_64.sys Out of Bounds Write Vulnerability."
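The two findings above share one shape: a length the driver does not control (the registry value's data length for CVE-2023-6330, the IRP's input buffer length for CVE-2023-6331) reaches memmove() without being compared against the non-paged pool chunk it fills. The C program below is an added example written for this post, not Panda's driver code; it models both copies in user mode so it runs anywhere. The chunk size, the slab-with-canary layout standing in for neighbouring pool memory, the KEY_VALUE_PARTIAL_INFORMATION-style record, the request struct and every function name are assumptions; only the NTSTATUS and REG_SZ constants are the real Windows values. Each path is shown with the missing check beside the fix.

```c
#include <stdint.h>
#include <string.h>

/* Real NTSTATUS / registry constants; everything else here is an assumed model. */
#define STATUS_SUCCESS             0x00000000u
#define STATUS_INVALID_PARAMETER   0xC000000Du
#define STATUS_INVALID_BUFFER_SIZE 0xC0000206u
#define REG_SZ                     1u

#define CHUNK_SIZE  32u   /* assumed size of the driver's non-paged pool chunk */
#define CANARY_SIZE 4u
#define SLAB_SIZE   (CHUNK_SIZE + CANARY_SIZE + 96u)   /* chunk, canary, "neighbour" bytes */
static const uint8_t CANARY[CANARY_SIZE] = { 0xDE, 0xAD, 0xC0, 0xDE };

/* Model of KEY_VALUE_PARTIAL_INFORMATION for a CSDVersion / CSDBuildNumber query. */
struct reg_value {
    uint32_t type;          /* REG_SZ, REG_DWORD, ... */
    uint32_t data_length;   /* byte count taken straight from the registry */
    uint8_t  data[128];     /* UTF-16 payload (fixed capacity in this model) */
};

/* Model of what the I/O manager hands a METHOD_BUFFERED IOCTL handler. */
struct buffered_request {
    const uint8_t *system_buffer;   /* Irp->AssociatedIrp.SystemBuffer */
    uint32_t       input_length;    /* Parameters.DeviceIoControl.InputBufferLength */
};

/* A "pool slab": the chunk at the start, the canary right after it. */
static void slab_init(uint8_t *slab)
{
    memset(slab, 0, SLAB_SIZE);
    memcpy(slab + CHUNK_SIZE, CANARY, CANARY_SIZE);
}

static int slab_canary_intact(const uint8_t *slab)
{
    return memcmp(slab + CHUNK_SIZE, CANARY, CANARY_SIZE) == 0;
}

/* The defect behind both CVEs: len comes from outside the driver and is
   never compared with CHUNK_SIZE before the copy. */
static uint32_t pool_copy_unchecked(uint8_t *chunk, const void *src, uint32_t len)
{
    memmove(chunk, src, len);
    return STATUS_SUCCESS;
}

/* The fix: reject anything that does not fit before touching memory. */
static uint32_t pool_copy_checked(uint8_t *chunk, const void *src, uint32_t len)
{
    if (len > CHUNK_SIZE)
        return STATUS_INVALID_BUFFER_SIZE;
    memmove(chunk, src, len);
    return STATUS_SUCCESS;
}

/* CVE-2023-6330 shape: registry value -> pool chunk. The hardened path also
   requires REG_SZ and a terminating UTF-16 NUL, since the value is used as a string. */
static uint32_t load_csd_value(uint8_t *chunk, const struct reg_value *v, int hardened)
{
    if (!hardened)
        return pool_copy_unchecked(chunk, v->data, v->data_length);
    if (v->type != REG_SZ || v->data_length < 2 || (v->data_length & 1u))
        return STATUS_INVALID_PARAMETER;
    if (v->data_length > CHUNK_SIZE)
        return STATUS_INVALID_BUFFER_SIZE;
    if (v->data[v->data_length - 2] != 0 || v->data[v->data_length - 1] != 0)
        return STATUS_INVALID_PARAMETER;
    return pool_copy_checked(chunk, v->data, v->data_length);
}

/* CVE-2023-6331 shape: IRP input buffer -> pool chunk. */
static uint32_t ioctl_write(uint8_t *chunk, const struct buffered_request *req, int hardened)
{
    return hardened ? pool_copy_checked(chunk, req->system_buffer, req->input_length)
                    : pool_copy_unchecked(chunk, req->system_buffer, req->input_length);
}

/* Runs one scenario against a fresh slab with constructed input of `len` bytes:
   a REG_SZ of UTF-16 'A's ending in NUL, or an IOCTL buffer of 'B's. Returns the
   status and reports whether the canary after the chunk survived. */
static uint32_t run_case(int via_ioctl, uint32_t len, int hardened, int *canary_ok)
{
    uint8_t slab[SLAB_SIZE], payload[128];
    struct reg_value v;
    struct buffered_request req = { payload, len };
    uint32_t st;

    *canary_ok = 1;
    if (len > sizeof payload)            /* keep the model inside its own memory */
        return STATUS_INVALID_PARAMETER;
    memset(payload, 'B', sizeof payload);
    memset(&v, 0, sizeof v);
    v.type = REG_SZ;
    v.data_length = len;
    for (uint32_t i = 0; i + 2 < len; i += 2)
        v.data[i] = 'A';
    slab_init(slab);
    st = via_ioctl ? ioctl_write(slab, &req, hardened) : load_csd_value(slab, &v, hardened);
    *canary_ok = slab_canary_intact(slab);
    return st;
}
```

run_case(0, 64, 0, &ok) models a 64-byte CSDVersion reaching the unchecked path and reports the canary clobbered; the same value through the hardened path returns STATUS_INVALID_BUFFER_SIZE with the canary intact, while a 30-byte value (the size of "Service Pack 1" in UTF-16 with its terminator) still succeeds. run_case(1, 80, ...) does the same for an 80-byte IOCTL input. The point to carry into a real review is that the check has to happen before the allocation is touched and has to be against the chunk's actual size, not against the size the driver expected the value to have.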
CVE-2023-6332 (Arbitrary Learn)
Because of insufficient validation in the kernel driver, an attacker can send an IOCTL request with code 0xB3702C08 that reads directly from kernel memory, giving an arbitrary read primitive.
An attacker can use this vulnerability to leak sensitive data, such as kernel pointers, or chain it with other vulnerabilities to craft a more sophisticated, higher-impact exploit. The CVSS base score for this vulnerability is 4.1, and Panda assesses it as being of medium potential impact.
The full advisory for this issue is available on the WatchGuard site as WGSA-2024-00003, "WatchGuard Endpoint pskmad_64.sys Arbitrary Memory Read Vulnerability."
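The IOCTL code itself tells a reviewer a good deal before any reversing: Windows packs the device type, function number, transfer method and required access into the 32-bit value with the CTL_CODE macro, and the I/O manager acts on the method and access bits of the code regardless of what the driver intended. For 0xB3702C08 the method is METHOD_BUFFERED (the I/O manager allocates one system buffer, copies the caller's input into it, and passes InputBufferLength and OutputBufferLength for the driver to honour) and the access is FILE_ANY_ACCESS (no read or write access is required on the handle, so any process that can open the device can send it). The C program below is an added example, not code from Panda or from this post: it decodes the IOCTL and then models the read handler behind CVE-2023-6332 in user mode. Because a user-mode program cannot dereference kernel addresses, the caller-controlled source is modelled as an offset into driver-owned memory rather than a raw pointer; the record, its size, the request layout and all function names are assumptions. The hardened handler shows the three checks a reviewer should look for: input size, source confined to driver-owned data with wrap-safe arithmetic, and output bounded by what the caller supplied.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STATUS_SUCCESS           0x00000000u
#define STATUS_INVALID_PARAMETER 0xC000000Du
#define STATUS_BUFFER_TOO_SMALL  0xC0000023u

/* Transfer method and access values exactly as CTL_CODE() packs them. */
#define METHOD_BUFFERED  0u
#define METHOD_NEITHER   3u
#define FILE_ANY_ACCESS  0u

struct ioctl_fields { uint16_t device_type, function; uint8_t method, access; };

/* Inverse of CTL_CODE(DeviceType, Function, Method, Access) =
   (DeviceType << 16) | (Access << 14) | (Function << 2) | Method. */
static struct ioctl_fields decode_ioctl(uint32_t code)
{
    struct ioctl_fields f;
    f.device_type = (uint16_t)(code >> 16);
    f.access      = (uint8_t)((code >> 14) & 0x3u);
    f.function    = (uint16_t)((code >> 2) & 0xFFFu);
    f.method      = (uint8_t)(code & 0x3u);
    return f;
}

#define RECORD_SIZE 64u

/* Assumed driver-owned pool memory: the record the IOCTL is meant to expose,
   followed by bytes the caller must never see (standing in for pointers or
   other allocations that sit next to it in the pool). */
struct device_memory {
    uint8_t record[RECORD_SIZE];
    uint8_t secret[16];
};

/* Assumed request layout inside the SystemBuffer; both fields are caller-controlled. */
struct read_request { uint32_t offset, length; };

/* What the I/O manager gives a METHOD_BUFFERED handler: one SystemBuffer that
   holds the input on entry and receives the output on completion. */
struct buffered_request {
    uint8_t *system_buffer;
    uint32_t input_length;     /* InputBufferLength */
    uint32_t output_length;    /* OutputBufferLength */
};

/* CVE-2023-6332 shape: offset and length are trusted, so anything reachable
   from the driver's base can be copied back to the caller. */
static uint32_t ioctl_read_unchecked(const struct device_memory *dev, struct buffered_request *req)
{
    struct read_request rr;
    memcpy(&rr, req->system_buffer, sizeof rr);
    memmove(req->system_buffer, (const uint8_t *)dev + rr.offset, rr.length);
    return STATUS_SUCCESS;
}

/* Hardened: validate the input size, confine the source to the record with
   arithmetic that cannot wrap, and never write more than the caller provided. */
static uint32_t ioctl_read_checked(const struct device_memory *dev, struct buffered_request *req)
{
    struct read_request rr;
    if (req->input_length < sizeof rr)
        return STATUS_INVALID_PARAMETER;
    memcpy(&rr, req->system_buffer, sizeof rr);
    if (rr.offset > RECORD_SIZE || rr.length > RECORD_SIZE - rr.offset)
        return STATUS_INVALID_PARAMETER;
    if (rr.length > req->output_length)
        return STATUS_BUFFER_TOO_SMALL;
    memmove(req->system_buffer, dev->record + rr.offset, rr.length);
    return STATUS_SUCCESS;
}

/* Issues one read against constructed device memory ('R' record, 'S' secret)
   through a 128-byte caller buffer. Returns the status and whether any secret
   byte reached the caller. */
static uint32_t run_read(uint32_t offset, uint32_t length, int hardened, int *leaked)
{
    struct device_memory dev;
    uint8_t buf[128];
    struct buffered_request req = { buf, sizeof(struct read_request), sizeof buf };
    struct read_request rr = { offset, length };
    uint32_t st;

    *leaked = 0;
    /* Harness guard only: keep the unchecked model inside its own memory. */
    if (!hardened && (offset > sizeof dev || length > sizeof dev - offset || length > sizeof buf))
        return STATUS_INVALID_PARAMETER;
    memset(dev.record, 'R', sizeof dev.record);
    memset(dev.secret, 'S', sizeof dev.secret);
    memset(buf, 0, sizeof buf);
    memcpy(buf, &rr, sizeof rr);
    st = hardened ? ioctl_read_checked(&dev, &req) : ioctl_read_unchecked(&dev, &req);
    *leaked = memchr(buf, 'S', sizeof buf) != NULL;
    return st;
}

int main(void)
{
    struct ioctl_fields f = decode_ioctl(0xB3702C08u);
    int leaked;
    uint32_t st;
    printf("device 0x%04X function 0x%03X method %d access %d\n",
           (unsigned)f.device_type, (unsigned)f.function, f.method, f.access);
    st = run_read(RECORD_SIZE, 16, 0, &leaked);
    printf("unchecked: status 0x%08X leaked=%d\n", (unsigned)st, leaked);
    st = run_read(RECORD_SIZE, 16, 1, &leaked);
    printf("checked:   status 0x%08X leaked=%d\n", (unsigned)st, leaked);
    return 0;
}
```

Decoding 0xB3702C08 yields device type 0xB370, function 0xB02, METHOD_BUFFERED and FILE_ANY_ACCESS. The unchecked handler, asked for 16 bytes at offset 64, hands the caller the bytes that follow the record; the checked one rejects that request, rejects a read that ends one byte past the record, and rejects an offset of 0xFFFFFFF0 that would wrap a naive offset + length test, while a read of the whole record still succeeds.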
Affected versions
The file we investigated has the SHA256 value 2dd05470567e6d101505a834f52d5f46e0d0a0b57d05b9126bbe5b39ccb6af68 and file version 184.108.40.206. Out of an abundance of caution, while Panda undertook its investigation, we treated all earlier versions of the file as potentially vulnerable; Panda's investigation confirmed this approach.
As stated in Panda's advisories, the affected driver is included in the following products:
- WatchGuard EPDR (EPP, EDR, EPDR) and Panda AD360 prior to 8.00.22.0023
- Panda Dome prior to 22.02.01 (Essential, Advanced, Complete, and Premium editions)
The fixed version of Panda Dome, the consumer product, is 22.02.01. The fixed version of WatchGuard EPDR and AD360, the enterprise products, is 8.00.22.0023.
Disclosure timeline
2023-08-28: Proof of concept and detailed write-up sent to the Panda security team.
2023-09-21: Panda security team responded and acknowledged our report.
2023-10-30: Panda security team informed us of their plan to fix the issues.
2023-12-06: Panda informed us of the three CVEs assigned to these issues.
2024-01-18: Fixes released.