Title: Panda Security Addresses Multiple Vulnerabilities in pskmad_64.sys Driver
Introduction:
In a recent incident involving the loading of the pskmad_64.sys (Panda Memory Access Driver) on a protected machine, Panda Security’s driver triggered an investigation by security experts. While the incident turned out to be an APT simulation test, the investigation led to the discovery of three distinct vulnerabilities in the driver. Panda Security promptly addressed these vulnerabilities, which are now tracked as CVE-2023-6330, CVE-2023-6331, and CVE-2023-6332. This article provides an overview of the findings, impacts, and fixes related to these vulnerabilities.
Findings by CVE:
CVE-2023-6330 (Registry):
The pskmad_64.sys driver fails to validate registry values, allowing an attacker to exploit CSDBuildNumber or CSDVersion by injecting malicious content. This vulnerability can lead to a non-paged memory overflow, potentially enabling denial of service attacks or remote code execution. The WatchGuard advisory for this vulnerability can be found as WGSA-2024-00001.
CVE-2023-6331 (OutOfBoundsRead):
By sending a crafted packet via an IRP request, an attacker can cause a memory-out-of-bounds write in the driver. This vulnerability arises from the absence of bounds checks when moving data to a non-paged memory pool. Similar to the previous CVE, this vulnerability can result in denial of service or remote code execution. The WatchGuard advisory for this vulnerability can be found as WGSA-2024-00002.
CVE-2023-6332 (Arbitrary Read):
Insufficient validation in the kernel driver allows an attacker to read directly from kernel memory by sending a specific IOCTL request. This arbitrary read vulnerability can be exploited to leak sensitive data or used in combination with other vulnerabilities to craft more sophisticated attacks. The WatchGuard advisory for this vulnerability can be found as WGSA-2024-00003.
Affected Products:
The investigated pskmad_64.sys file with the SHA256 value 2dd05470567e6d101505a834f52d5f46e0d0a0b57d05b9126bbe5b39ccb6af68 and file version 1.1.0.21 has been identified as potentially vulnerable. Consequently, Panda Security treated all earlier versions of the file as potentially affected. The affected driver is included in WatchGuard EPDR (EPP, EDR, EPDR), Panda AD360 up to 8.00.22.0023, and various versions of Panda Dome (Essential, Advanced, Complete, and Premium). Panda has released fixed versions for both consumer and enterprise products.
Timeline:
The timeline of this incident and its resolution is as follows:
– 2023-08-28: Detailed writeup and proof of concept sent to the Panda security team.
– 2023-09-21: Panda security team acknowledged the report.
– 2023-10-30: Panda security team shared their plan to fix the vulnerabilities.
– 2023-12-06: Panda informed the researchers about the assigned CVEs.
– 2024-01-18: Fixes for the vulnerabilities were released.
Summary:
Panda Security’s pskmad_64.sys driver was recently found to have three vulnerabilities, CVE-2023-6330, CVE-2023-6331, and CVE-2023-6332. These vulnerabilities, discovered during an investigation triggered by an APT simulation test, have been addressed by Panda Security. The vulnerabilities could have led to denial of service attacks and potentially allowed remote code execution. Affected products include WatchGuard EPDR, Panda AD360, and various versions of Panda Dome. Panda Security promptly released fixed versions for both consumer and enterprise products. The security team’s proactive behavior and collaboration with researchers ensured the swift resolution of these vulnerabilities to protect users from potential exploitation.