Multiple vulnerabilities found in widely used security driver – Sophos News

In July 2023, our proactive behavioral rules triggered on an attempt to load a driver named pskmad_64.sys (Panda Memory Access Driver) on a protected machine. The driver is owned by Panda Security and used in many of their products.
Because of the rise in legitimate driver abuse with the goal of disabling EDR products (an issue we examined in our piece on compromised Microsoft-signed drivers a few months ago), and the context in which that driver was loaded, we began to investigate and dove deeper into the file.
After re-evaluation and engagement with the customer, the original incident was identified as an APT simulation test. Our investigation, however, led to the discovery of three distinct vulnerabilities, which we reported to the Panda security team. These vulnerabilities, now tracked as CVE-2023-6330, CVE-2023-6331, and CVE-2023-6332, have been addressed by Panda. Information from Panda on the vulnerabilities and the fixes for them can be found as noted for each CVE below.
Findings by CVE
CVE-2023-6330 (Registry)
Description
The registry key \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion contains several useful pieces of information used to determine the OS version. CSDVersion represents the Service Pack level of the operating system; CSDBuildNumber is the number of the corresponding build.
The driver pskmad_64.sys does not properly validate the content of these registry values. An attacker can place maliciously crafted content into CSDBuildNumber or CSDVersion, which results in a non-paged memory overflow.
Impact
The minimum impact is a denial of service. With additional research, an attacker might be able to achieve RCE by chaining CVE-2023-6330 with other vulnerabilities. The CVSS base score for this vulnerability is 6.4, and Panda assesses it as being of medium potential impact.
The full advisory for this issue is available on the WatchGuard website as WGSA-2024-00001, “WatchGuard Endpoint pskmad_64.sys Pool Memory Corruption Vulnerability.”
CVE-2023-6331 (OutOfBoundsRead)
Description
By sending a maliciously crafted packet via an IRP request with IOCTL code 0xB3702C08 to the driver, an attacker can overflow a non-paged memory area, resulting in an out-of-bounds memory write. The vulnerability exists because of a missing bounds check when moving data via memmove into a non-paged memory pool.
Impact
The minimum impact is a denial of service. With additional research, an attacker might be able to achieve remote code execution when CVE-2023-6331 is combined with other vulnerabilities. The CVSS base score for this vulnerability is also 6.4, but Panda assesses it as being of high potential impact.
The full advisory for this issue is available on the WatchGuard website as WGSA-2024-00002, “WatchGuard Endpoint pskmad_64.sys Out of Bounds Write Vulnerability.”
CVE-2023-6332 (Arbitrary Read)
Description
Due to insufficient validation in the kernel driver, an attacker can send an IOCTL request with code 0xB3702C08 to read directly from kernel memory, resulting in an arbitrary read vulnerability.
Impact
The attacker can use this vulnerability to leak sensitive data, or chain it with other vulnerabilities to craft a more sophisticated and higher-impact exploit. The CVSS base score for this vulnerability is 4.1, and Panda assesses it as being of medium potential impact.
The full advisory for this issue is available on the WatchGuard website as WGSA-2024-00003, “WatchGuard Endpoint pskmad_64.sys Arbitrary Memory Read Vulnerability.”
Affected Products
The file we investigated has the SHA256 value 2dd05470567e6d101505a834f52d5f46e0d0a0b57d05b9126bbe5b39ccb6af68 and file version 1.1.0.21. Out of an abundance of caution, while Panda undertook its investigation, we treated all earlier versions of the file as potentially vulnerable as we awaited the results of Panda’s own investigation; their investigation confirmed this approach.
As stated in Panda’s advisories, the affected driver is included in the following products:

WatchGuard EPDR (EPP, EDR, EPDR) and Panda AD360 up to 8.00.22.0023
Panda Dome up to 22.02.01 (Essential, Advanced, Complete, and Premium versions)

The fixed version of Panda Dome, the consumer product, is 22.02.01. The fixed version of WatchGuard EPDR and AD360, the enterprise product, is 8.0.22.0023.
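As an added example, not code from the Sophos article or from Panda, the following PowerShell inventory check looks for copies of pskmad_64.sys on a Windows endpoint and flags any that match the SHA256 reported above or carry a file version no newer than 1.1.0.21; the search roots are an assumption and should be extended if the product installs elsewhere.

```powershell
# Added example (not from the Sophos article or Panda): inventory check for the
# pskmad_64.sys driver. A file is flagged when its SHA256 matches the sample from
# the article, or when its file version is not newer than the sample's 1.1.0.21
# (earlier versions were treated as vulnerable, which Panda confirmed).
$VulnHash    = '2DD05470567E6D101505A834F52D5F46E0D0A0B57D05B9126BBE5B39CCB6AF68'  # from the article
$LastVulnVer = [version]'1.1.0.21'                                                  # from the article

# Report whether the driver is registered as a kernel service, and its current state
$registered = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -like '*pskmad_64.sys*' }
if ($registered) {
    $registered | Select-Object Name, State, StartMode, PathName | Format-Table -AutoSize
} else {
    'pskmad_64.sys is not registered as a system driver on this host'
}

# Search roots are an assumption; add the product's install directory if it differs
$roots = @("$env:SystemRoot\System32\drivers", $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ -and (Test-Path -Path $_) }

$results = foreach ($f in Get-ChildItem -Path $roots -Filter 'pskmad_64.sys' -Recurse -File -ErrorAction SilentlyContinue) {
    # Build the version from the numeric parts so formatting such as "1, 1, 0, 21" does not matter
    $vi   = $f.VersionInfo
    $ver  = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash

    $status = if ($hash -eq $VulnHash) {
        'VULNERABLE: hash matches the reported sample'
    } elseif ($ver -le $LastVulnVer) {
        'VULNERABLE: file version not newer than 1.1.0.21'
    } else {
        'Newer than the reported sample; confirm the product is at or above its fixed release'
    }

    [pscustomobject]@{
        Path        = $f.FullName
        FileVersion = $ver.ToString()
        SHA256      = $hash
        Status      = $status
    }
}

if ($results) { $results | Format-List } else { 'pskmad_64.sys not found under the searched roots' }
```

Because the fixed driver file version is not stated in the advisories, a file newer than 1.1.0.21 is reported for follow-up rather than marked safe; the product versions listed above are the authoritative check.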
Timeline
2023-08-28: Proof of concept and detailed writeup sent to the Panda security team.
2023-09-21: Panda security team responded and acknowledged our report.
2023-10-30: Panda security team informed us of their plan to fix the issues.
2023-12-06: Panda informs us of the three CVEs assigned to these issues.
2024-01-18: Fixes released.