In July 2023, our proactive behavior rules triggered on an attempt to load a driver named pskmad_64.sys (Panda Memory Access Driver) on a protected machine. The driver is owned by Panda Security and used in a number of their products.
Due to the rise in abuse of legitimate drivers to disable EDR products (an issue we examined in our piece on compromised Microsoft-signed drivers a few months ago), and the context in which that driver was loaded, we started to investigate and dug deeper into the file.
After re-evaluation and engagement with the customer, the original incident was identified as an APT simulation test. Our investigation, however, led to the discovery of three distinct vulnerabilities, which we reported to the Panda security team. These vulnerabilities, now tracked as CVE-2023-6330, CVE-2023-6331, and CVE-2023-6332, have been addressed by Panda. Information from Panda on the vulnerabilities and the fixes for them can be found in the advisory noted for each CVE below.
Findings by CVE
CVE-2023-6330 (Registry)
Description
The registry key \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion contains several useful pieces of information used to determine the OS version. CSDVersion represents the Service Pack level of the operating system; CSDBuildNumber is the number of the corresponding build.
The driver pskmad_64.sys does not properly validate the content of these registry values. An attacker who can write to the key can place maliciously crafted content into CSDBuildNumber or CSDVersion, which results in a non-paged pool memory overflow when the driver reads the value. Writing to that key ordinarily requires administrative rights, so the boundary crossed is from administrator to kernel, which is exactly the boundary that matters when the driver is part of an endpoint protection product.
Impact
The minimum impact is a denial of service (a corrupted kernel pool crashes the machine). With more research, an attacker might be able to achieve code execution by chaining CVE-2023-6330 with other vulnerabilities. The CVSS base score for this vulnerability is 6.4, and Panda assesses it as being of medium potential impact.
The full advisory for this issue is available on the WatchGuard site as WGSA-2024-00001, "WatchGuard Endpoint pskmad_64.sys Pool Memory Corruption Vulnerability."
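The following user-mode model is an added example, not code from pskmad_64.sys and not Panda's fix. It shows the bug class rather than the driver's actual code: the destination buffer size (32 UTF-16 characters), the shape of the registry query result, and the guard bytes standing in for the neighbouring pool allocation are all assumptions. The hardened copy applies the three checks a driver reading a REG_SZ value into a fixed buffer needs: value type, a whole number of UTF-16 units, and a length that leaves room for a terminator (the registry does not guarantee that REG_SZ data is NUL-terminated).

```c
#include <stdint.h>
#include <string.h>
#include <stdbool.h>
#include <stdio.h>

/* User-mode model of the bug class behind CVE-2023-6330. Added example, not
 * code from pskmad_64.sys: the buffer size, the query-result structure and
 * the guard bytes are assumptions used to make the missing checks visible. */

#define REG_SZ_TYPE   1u   /* REG_SZ as defined in the Windows SDK (winnt.h) */
#define CSD_BUF_CHARS 32   /* assumed size of the driver's fixed pool buffer */
#define GUARD_BYTE    0xA5

/* What a registry query hands back, reduced to the fields that matter.
 * data_length is whatever the writer of the value stored. */
typedef struct {
    uint32_t       type;
    uint32_t       data_length;   /* bytes */
    const uint8_t *data;
} reg_value_t;

/* Fixed-size destination followed by bytes standing in for the adjacent
 * pool allocation; corruption of guard[] is this model's "pool overflow". */
typedef struct {
    uint16_t csd[CSD_BUF_CHARS];   /* first member on purpose: see the cast below */
    uint8_t  guard[16];
} csd_block_t;

void block_init(csd_block_t *b) {
    memset(b->csd, 0, sizeof b->csd);
    memset(b->guard, GUARD_BYTE, sizeof b->guard);
}

bool guard_intact(const csd_block_t *b) {
    for (size_t i = 0; i < sizeof b->guard; i++)
        if (b->guard[i] != GUARD_BYTE) return false;
    return true;
}

/* Vulnerable pattern: trusts the registry-reported length. The clamp to the
 * whole block is model-only, so the overrun lands in guard[] instead of UB. */
int copy_csd_vulnerable(csd_block_t *b, const reg_value_t *v) {
    size_t n = v->data_length < sizeof *b ? v->data_length : sizeof *b;
    memmove((uint8_t *)b, v->data, n);   /* csd is first, so this starts at csd */
    return 0;
}

/* Hardened pattern: check the type, require whole UTF-16 units, refuse
 * anything that does not fit together with a terminator, then terminate. */
int copy_csd_checked(csd_block_t *b, const reg_value_t *v) {
    if (v->type != REG_SZ_TYPE) return -1;
    if (v->data_length % sizeof(uint16_t) != 0) return -2;
    if (v->data_length > sizeof b->csd - sizeof(uint16_t)) return -3;
    memmove(b->csd, v->data, v->data_length);
    b->csd[v->data_length / sizeof(uint16_t)] = 0;
    return 0;
}

/* Build a constructed REG_SZ payload from ASCII (UTF-16LE, no terminator). */
size_t make_reg_sz(const char *ascii, uint8_t *out, size_t out_cap) {
    size_t n = 0;
    for (; ascii[n] && (n + 1) * 2 <= out_cap; n++) {
        out[2 * n]     = (uint8_t)ascii[n];
        out[2 * n + 1] = 0;
    }
    return 2 * n;
}

/* Scenario helpers. A normal value is accepted by the hardened copy (0); a
 * 48-character value (96 bytes) overruns the 64-byte buffer in the vulnerable
 * copy (1) and is refused by the hardened copy (-3) with the guard untouched. */
int demo_benign_accepted(void) {
    uint8_t raw[128]; csd_block_t b; block_init(&b);
    reg_value_t v = { REG_SZ_TYPE, (uint32_t)make_reg_sz("Service Pack 1", raw, sizeof raw), raw };
    return copy_csd_checked(&b, &v);
}

int demo_vulnerable_guard_hit(void) {
    uint8_t raw[128]; char big[49]; csd_block_t b; block_init(&b);
    memset(big, 'A', 48); big[48] = 0;
    reg_value_t v = { REG_SZ_TYPE, (uint32_t)make_reg_sz(big, raw, sizeof raw), raw };
    copy_csd_vulnerable(&b, &v);
    return guard_intact(&b) ? 0 : 1;
}

int demo_checked_rejects(void) {
    uint8_t raw[128]; char big[49]; csd_block_t b; block_init(&b);
    memset(big, 'A', 48); big[48] = 0;
    reg_value_t v = { REG_SZ_TYPE, (uint32_t)make_reg_sz(big, raw, sizeof raw), raw };
    int rc = copy_csd_checked(&b, &v);
    return guard_intact(&b) ? rc : 99;
}

int main(void) {
    printf("benign accepted: %d, vulnerable hit guard: %d, checked rejects: %d\n",
           demo_benign_accepted(), demo_vulnerable_guard_hit(), demo_checked_rejects());
    return 0;
}
```

In a real driver the same checks apply to the Type and DataLength fields returned by ZwQueryValueKey (or the length and type passed to an RtlQueryRegistryValues callback); a query-then-allocate pattern sized from the returned length is the alternative when the value has no sensible upper bound.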
CVE-2023-6331 (Out-of-Bounds Write)
Description
By sending a maliciously crafted request via an IRP with IOCTL code 0xB3702C08 to the driver, an attacker can overflow a non-paged memory area, resulting in an out-of-bounds memory write. The vulnerability exists because of a missing bounds check when data is moved via memmove into a non-paged pool allocation.
Impact
The minimum impact is a denial of service. With more research, an attacker might be able to achieve code execution when CVE-2023-6331 is combined with other vulnerabilities. The CVSS base score for this vulnerability is also 6.4, but Panda assesses it as being of high potential impact.
The full advisory for this issue is available on the WatchGuard site as WGSA-2024-00002, "WatchGuard Endpoint pskmad_64.sys Out of Bounds Write Vulnerability."
CVE-2023-6332 (Arbitrary Read)
Description
Due to insufficient validation in the kernel driver, an attacker can send an IOCTL request with code 0xB3702C08 to read directly from kernel memory, resulting in an arbitrary read vulnerability.
Impact
The attacker can use this vulnerability to leak sensitive data, or chain it with other vulnerabilities to craft a more sophisticated, higher-impact exploit; an arbitrary kernel read is the usual companion to a write bug, since it leaks the kernel addresses a chained exploit needs to defeat KASLR and locate its targets. The CVSS base score for this vulnerability is 4.1, and Panda assesses it as being of medium potential impact.
The full advisory for this issue is available on the WatchGuard site as WGSA-2024-00003, "WatchGuard Endpoint pskmad_64.sys Arbitrary Memory Read Vulnerability."
Affected Products
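The two IOCTL bugs above share one root cause, a dispatch handler that trusts caller-supplied lengths and addresses. The following user-mode model is an added example covering both CVE-2023-6331 and CVE-2023-6332; it is not the driver's code and not Panda's patch. The 16-byte request header, the 32-byte pool chunk, the fake kernel address space, and the notion of a single "exposed region" that a memory-access driver is allowed to serve are all assumptions; only the IOCTL code is taken from the advisories. The hardened write path checks the claimed length against both the IRP's input length and the allocation; the hardened read path bounds the length by the output buffer and confines the address to the exposed region using subtraction so that address plus length cannot wrap.

```c
#include <stdint.h>
#include <string.h>
#include <stdbool.h>
#include <stdio.h>

/* User-mode model of the IOCTL bug classes behind CVE-2023-6331 (out-of-bounds
 * write) and CVE-2023-6332 (arbitrary read). Added example, not driver code:
 * the request layout, chunk size, addresses and exposed region are assumed. */

#define IOCTL_PSKMAD 0xB3702C08u   /* the code named in both advisories */

/* Assumed 16-byte request header; on the write path a payload follows it. */
typedef struct {
    uint64_t address;   /* read path: address the caller asks to read from */
    uint32_t length;    /* caller-claimed payload length or read length */
    uint32_t reserved;
} req_hdr_t;

/* ---- write path (CVE-2023-6331 model) ---------------------------------- */
#define CHUNK_SIZE 32
#define GUARD_BYTE 0xA5
typedef struct {
    uint8_t chunk[CHUNK_SIZE];   /* fixed non-paged pool allocation (first member) */
    uint8_t guard[16];           /* stands in for the neighbouring pool block */
} pool_t;

void pool_init(pool_t *p) { memset(p->chunk, 0, CHUNK_SIZE); memset(p->guard, GUARD_BYTE, 16); }
bool pool_guard_ok(const pool_t *p) {
    for (size_t i = 0; i < 16; i++) if (p->guard[i] != GUARD_BYTE) return false;
    return true;
}

/* Vulnerable: the memmove length comes straight from the header and is never
 * compared with the chunk size or with in_len (the IRP's InputBufferLength).
 * The clamp to sizeof *p is model-only so the overrun lands in guard[]. */
int ioctl_write_vulnerable(pool_t *p, const uint8_t *in, size_t in_len) {
    req_hdr_t h; memcpy(&h, in, sizeof h); (void)in_len;
    size_t n = h.length < sizeof *p ? h.length : sizeof *p;
    memmove((uint8_t *)p, in + sizeof h, n);
    return 0;
}

/* Hardened: header present, claimed length backed by bytes the caller really
 * supplied, and no larger than the allocation it is copied into. */
int ioctl_write_checked(pool_t *p, const uint8_t *in, size_t in_len) {
    if (in_len < sizeof(req_hdr_t)) return -1;
    req_hdr_t h; memcpy(&h, in, sizeof h);
    if (h.length > in_len - sizeof h) return -2;
    if (h.length > CHUNK_SIZE) return -3;
    memmove(p->chunk, in + sizeof h, h.length);
    return 0;
}

/* ---- read path (CVE-2023-6332 model) ----------------------------------- */
#define KBASE       0xFFFFF80000000000ULL   /* assumed base of the modelled kernel memory */
#define KMEM_SIZE   256
#define SHARED_SIZE 64                      /* assumed: only the first 64 bytes may be served */
static uint8_t kmem[KMEM_SIZE];

void kmem_init(void) {
    memset(kmem, 0, KMEM_SIZE);
    memcpy(kmem, "status-block-v1", 15);             /* constructed, legitimately readable */
    memcpy(kmem + 128, "SECRET-KERNEL-TOKEN", 19);   /* constructed, must never leak */
}

/* Vulnerable: whatever address the caller names is honoured. */
int ioctl_read_vulnerable(const req_hdr_t *h, uint8_t *out, size_t out_len) {
    uint64_t off = h->address - KBASE;
    if (off >= KMEM_SIZE || h->length > KMEM_SIZE - off || h->length > out_len) return -1; /* model-only */
    memcpy(out, kmem + off, h->length);
    return (int)h->length;
}

/* Hardened: length bounded by the output buffer, address confined to the
 * exposed region, remaining space computed by subtraction (no wraparound). */
int ioctl_read_checked(const req_hdr_t *h, uint8_t *out, size_t out_len) {
    const uint64_t lo = KBASE, hi = KBASE + SHARED_SIZE;
    if (h->length == 0 || h->length > out_len) return -2;
    if (h->address < lo || h->address >= hi) return -3;
    if (h->length > hi - h->address) return -4;
    memcpy(out, kmem + (h->address - lo), h->length);
    return (int)h->length;
}

/* Scenario helpers: a 48-byte payload against a 32-byte chunk, and a read
 * aimed at the secret 128 bytes past the start of the modelled memory. */
static void build_write_req(uint8_t *in) {
    req_hdr_t h = { 0, 48, 0 }; memcpy(in, &h, sizeof h); memset(in + sizeof h, 'A', 48);
}
int demo_write_vulnerable_guard_hit(void) {
    uint8_t in[sizeof(req_hdr_t) + 48]; pool_t p; pool_init(&p); build_write_req(in);
    ioctl_write_vulnerable(&p, in, sizeof in);
    return pool_guard_ok(&p) ? 0 : 1;
}
int demo_write_checked_rc(void) {
    uint8_t in[sizeof(req_hdr_t) + 48]; pool_t p; pool_init(&p); build_write_req(in);
    int rc = ioctl_write_checked(&p, in, sizeof in);
    return pool_guard_ok(&p) ? rc : 99;
}
int demo_read_vulnerable_leaks(void) {
    uint8_t out[32]; kmem_init(); req_hdr_t h = { KBASE + 128, 19, 0 };
    return ioctl_read_vulnerable(&h, out, sizeof out) == 19 && memcmp(out, "SECRET", 6) == 0;
}
int demo_read_checked_rc(void) {
    uint8_t out[32]; kmem_init(); req_hdr_t h = { KBASE + 128, 19, 0 };
    return ioctl_read_checked(&h, out, sizeof out);
}
int demo_read_checked_shared(void) {
    uint8_t out[32]; kmem_init(); req_hdr_t h = { KBASE, 15, 0 };
    return ioctl_read_checked(&h, out, sizeof out);
}

int main(void) {
    printf("write: vulnerable hit guard=%d checked rc=%d; read: vulnerable leaked=%d checked rc=%d shared=%d\n",
           demo_write_vulnerable_guard_hit(), demo_write_checked_rc(),
           demo_read_vulnerable_leaks(), demo_read_checked_rc(), demo_read_checked_shared());
    return 0;
}
```

In a real METHOD_BUFFERED handler, in_len and out_len are the InputBufferLength and OutputBufferLength fields of the IRP's stack location, and the same header-before-payload check applies to any variable-length structure the driver parses out of SystemBuffer.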
The file we investigated has the SHA256 value 2dd05470567e6d101505a834f52d5f46e0d0a0b57d05b9126bbe5b39ccb6af68 and file version 1.1.0.21. Out of an abundance of caution, while Panda undertook its investigation, we treated all earlier versions of the file as potentially vulnerable as we awaited the results of Panda's own investigation; their investigation confirmed this approach. To check an endpoint, compare the SHA256 and file version of the installed pskmad_64.sys against these values and against the fixed product versions below.
As stated in Panda's advisories, the affected driver is included in the following products:
- WatchGuard EPDR (EPP, EDR, EPDR) and Panda AD360, versions before 8.00.22.0023
- Panda Dome, versions before 22.02.01 (Essential, Advanced, Complete, and Premium editions)
The fixed version of Panda Dome, the consumer product, is 22.02.01. The fixed version of WatchGuard EPDR and AD360, the enterprise products, is 8.00.22.0023.
Timeline
2023-08-28: Proof of concept and detailed write-up sent to the Panda security team.
2023-09-21: Panda security team responded and acknowledged our report.
2023-10-30: Panda security team informed us of their plan to fix the issues.
2023-12-06: Panda informed us of the three CVEs assigned to these issues.
2024-01-18: Fixes released.