New panda menu
3/6/2024

In July 2023, our proactive behavior rules triggered on an attempt to load a driver named pskmad_64.sys (Panda Memory Access Driver) on a protected machine. The driver is owned by Panda Security and used in many of their products.

Due to the rise in legitimate driver abuse with the goal of disabling EDR products (an issue we examined in our piece on compromised Microsoft signed drivers several months ago), and the context in which that driver was loaded, we started to investigate and dove deeper into the file.

After re-evaluation and engagement with the customer, the original incident was identified as an APT simulation test. Our investigation, however, led to the discovery of three distinct vulnerabilities, which we reported to the Panda security team. These vulnerabilities, now tracked as CVE-2023-6330, CVE-2023-6331, and CVE-2023-6332, have been addressed by Panda. Information from Panda on the vulnerabilities and their fixes can be found as noted for each CVE below.

CVE-2023-6330

The registry hive \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion contains multiple useful pieces of information used to determine the OS version. CSDVersion represents the Service Pack level of the operating system, and CSDBuildNumber is the number of the corresponding build. The driver pskmad_64.sys does not properly validate the content of these registry values. An attacker can place maliciously crafted content into CSDBuildNumber or CSDVersion, which results in a non-paged memory overflow.

With additional research, an attacker might be able to achieve RCE by chaining CVE-2023-6330 with other vulnerabilities. The CVSS base score for this vulnerability is 6.4, and Panda assesses it as being of medium potential impact. The full advisory for this issue is available on the WatchGuard site as WGSA-2024-00001, “WatchGuard Endpoint pskmad_64.sys Pool Memory Corruption Vulnerability.”

CVE-2023-6331 (OutOfBoundsRead)

By sending a maliciously crafted packet via an IRP request with IOCTL code 0xB3702C08 to the driver, an attacker can overflow a non-paged memory area, resulting in an out-of-bounds memory write. The vulnerability exists due to a missing bounds check when moving data via memmove into a non-paged memory pool. The minimum impact is a denial of service. With additional research, an attacker might be able to achieve remote code execution when CVE-2023-6331 is combined with other vulnerabilities. The CVSS base score for this vulnerability is also 6.4, but Panda assesses it as being of high potential impact. The full advisory for this issue is available on the WatchGuard site as WGSA-2024-00002, “WatchGuard Endpoint pskmad_64.sys Out of Bounds Write Vulnerability.”

CVE-2023-6332 (Arbitrary Read)

Due to insufficient validation in the kernel driver, an attacker can send an IOCTL request with code 0xB3702C08 to read directly from kernel memory, resulting in an arbitrary read vulnerability. The attacker can use this vulnerability to leak sensitive data, or chain it with other vulnerabilities to craft a more sophisticated and higher-impact exploit. The CVSS base score for this vulnerability is 4.1, and Panda assesses it as being of medium potential impact. The full advisory for this issue is available on the WatchGuard site as WGSA-2024-00003, “WatchGuard Endpoint pskmad_64.sys Arbitrary Memory Read Vulnerability.”

Affected Products

As stated in Panda’s advisories, the affected driver is included in the following products:

Panda Dome up to 22.02.01 (Essential, Advanced, Complete, and Premium versions).
WatchGuard EPDR (EPP, EDR, EPDR) and Panda AD360 up to 8.

Out of an abundance of caution, while Panda undertook its investigation, we treated all earlier versions of the file as potentially vulnerable as we awaited the results of Panda’s own investigation; their investigation confirmed this approach.

The fixed version of Panda Dome, the consumer product, is 22.02.01. The fixed version of WatchGuard EPDR and AD360, the enterprise product, is 8.

Timeline

: Proof of concept and detailed writeup sent to the Panda security team.
: Panda security team responded and acknowledged our report.
: Panda security team informed us of their plan to fix the issues.
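The registry-value handling behind CVE-2023-6330, as an added example that is not code from the original post or from Panda's driver: a bounded copy of a REG_SZ value such as CSDVersion into a fixed-size buffer, written as ordinary user-mode C so it can be compiled and tested anywhere. The reg_value_t layout is a simplified model of the KEY_VALUE_PARTIAL_INFORMATION structure that ZwQueryValueKey fills in, the 64-character destination and the make_value helper are assumptions, and every sample value is constructed. The point the advisory makes is that the registry-reported type and byte length are under the control of whoever can write the value, so they are checked before a single byte is moved.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified model of the KEY_VALUE_PARTIAL_INFORMATION layout the registry
 * API fills in: value type, byte length of the data, then the data itself. */
#define REG_SZ 1u
typedef struct {
    uint32_t Type;
    uint32_t DataLength;   /* bytes, as reported by the registry: NOT trusted */
    uint16_t Data[128];    /* UTF-16 payload; capacity is a modelling choice */
} reg_value_t;

/* Fixed-size destination a driver would keep in its own non-paged memory. */
#define CSD_MAX_CHARS 64
typedef struct {
    uint16_t chars[CSD_MAX_CHARS];  /* always NUL-terminated on success */
    size_t   len;                   /* characters, excluding the terminator */
} csd_string_t;

enum { CSD_OK = 0, CSD_BAD_TYPE, CSD_BAD_LENGTH, CSD_TOO_LONG };

/* Copy a REG_SZ value into a bounded buffer. Type, byte length and the
 * destination capacity are all validated before memcpy runs; a registry
 * value that is too long is rejected instead of spilling past the buffer. */
int csd_copy_bounded(const reg_value_t *src, csd_string_t *dst)
{
    if (src->Type != REG_SZ) return CSD_BAD_TYPE;
    /* UTF-16 data must be an even number of bytes and fit the model buffer. */
    if (src->DataLength % 2 != 0 || src->DataLength > sizeof src->Data)
        return CSD_BAD_LENGTH;
    size_t n = src->DataLength / 2;
    /* REG_SZ data is not guaranteed to carry a terminator; drop one if present. */
    if (n > 0 && src->Data[n - 1] == 0) n--;
    /* Reserve one slot for the terminator we add ourselves. */
    if (n > CSD_MAX_CHARS - 1) return CSD_TOO_LONG;
    memcpy(dst->chars, src->Data, n * sizeof(uint16_t));
    dst->chars[n] = 0;
    dst->len = n;
    return CSD_OK;
}

/* Test helper (assumption, not a registry API): build a constructed value
 * from ASCII text, optionally with the trailing UTF-16 NUL a real REG_SZ
 * usually has. */
reg_value_t make_value(uint32_t type, const char *ascii, int add_terminator)
{
    reg_value_t v;
    memset(&v, 0, sizeof v);
    v.Type = type;
    size_t n = strlen(ascii);
    if (n > 127) n = 127;
    for (size_t i = 0; i < n; i++) v.Data[i] = (uint16_t)(unsigned char)ascii[i];
    v.DataLength = (uint32_t)((n + (add_terminator ? 1 : 0)) * sizeof(uint16_t));
    return v;
}
```

The same shape applies to CSDBuildNumber: whatever the value's declared type and length, the copy is sized by the destination the driver owns, not by what the registry reports.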
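The IOCTL paths behind CVE-2023-6331 and CVE-2023-6332, as one added example that is not code from the original post or from pskmad_64.sys: a user-mode model of a hardened dispatch routine for a single IOCTL that can write into, and read back from, a non-paged pool buffer. The request layout (op, offset, length, payload), the OP_WRITE and OP_READ sub-operations, the 256-byte pool stand-in, the build_request helper and the status values are assumptions; only the IOCTL code 0xB3702C08 comes from the advisories. The unchecked write routine mirrors the missing-bounds-check pattern the advisory describes and is present only for contrast with the validated path.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Status values modelled on the NTSTATUS codes a driver would return. */
enum { STATUS_SUCCESS = 0, STATUS_INVALID_PARAMETER = 1,
       STATUS_BUFFER_TOO_SMALL = 2, STATUS_INVALID_DEVICE_REQUEST = 3 };

#define IOCTL_PSKMAD_ACCESS 0xB3702C08u  /* code named in the advisories */
enum { OP_WRITE = 1, OP_READ = 2 };      /* hypothetical sub-operations */

/* Hypothetical request layout: header followed by `length` payload bytes. */
typedef struct {
    uint32_t op;
    uint32_t offset;   /* caller-controlled position inside the pool buffer */
    uint32_t length;   /* caller-controlled byte count */
} req_hdr_t;

/* Stand-in for the driver's non-paged pool allocation. */
#define POOL_SIZE 256u
static uint8_t g_pool[POOL_SIZE];

/* The pattern CVE-2023-6331 describes: the declared length goes straight into
 * memmove with no comparison against either buffer size. Kept for contrast;
 * it is only ever safe on a request that has already been validated. */
void write_unchecked(const uint8_t *in)
{
    req_hdr_t h;
    memcpy(&h, in, sizeof h);
    memmove(g_pool + h.offset, in + sizeof h, h.length);
}

/* Hardened dispatch: the IOCTL code, the declared offset and length, and the
 * input/output sizes the I/O manager reported are all checked before any copy.
 * The offset check is written so that offset + length cannot wrap. */
int pskmad_dispatch(uint32_t code, const uint8_t *in, size_t in_len,
                    uint8_t *out, size_t out_len, size_t *written)
{
    *written = 0;
    if (code != IOCTL_PSKMAD_ACCESS) return STATUS_INVALID_DEVICE_REQUEST;
    if (in == NULL || in_len < sizeof(req_hdr_t)) return STATUS_INVALID_PARAMETER;
    req_hdr_t h;
    memcpy(&h, in, sizeof h);
    /* Range must lie entirely inside the pool buffer (covers both ops). */
    if (h.length > POOL_SIZE || h.offset > POOL_SIZE - h.length)
        return STATUS_INVALID_PARAMETER;
    switch (h.op) {
    case OP_WRITE:
        /* Declared payload must actually be present in the input buffer. */
        if (h.length > in_len - sizeof(req_hdr_t)) return STATUS_INVALID_PARAMETER;
        memmove(g_pool + h.offset, in + sizeof(req_hdr_t), h.length);
        return STATUS_SUCCESS;
    case OP_READ:
        /* Reads are confined to the driver's own buffer and to the output size. */
        if (out == NULL || h.length > out_len) return STATUS_BUFFER_TOO_SMALL;
        memcpy(out, g_pool + h.offset, h.length);
        *written = h.length;
        return STATUS_SUCCESS;
    default:
        return STATUS_INVALID_PARAMETER;
    }
}

/* Test helper (assumption): serialise a request; `length` is what the header
 * declares, `payload_len` is how many bytes are really appended. */
size_t build_request(uint8_t *buf, size_t cap, uint32_t op, uint32_t offset,
                     uint32_t length, const uint8_t *payload, size_t payload_len)
{
    req_hdr_t h = { op, offset, length };
    if (cap < sizeof h + payload_len) return 0;
    memcpy(buf, &h, sizeof h);
    if (payload_len) memcpy(buf + sizeof h, payload, payload_len);
    return sizeof h + payload_len;
}
```

Separating `length` from `payload_len` in the helper is deliberate: the interesting test case for CVE-2023-6331 is a header that declares more bytes than the caller supplied, and the interesting case for CVE-2023-6332 is a read whose offset and length reach past the buffer the driver owns.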