![](\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/01\/shutterstock_2044463684.jpg\"\/)
<\/p>\nIn July 2023, our proactive behavior rules triggered on an attempt to load a driver named pskmad_64.sys (Panda Memory Access Driver) on a protected machine. The driver is owned by Panda Security and used in many of their products.<\/p>\n
Due to the rise in legitimate driver abuse with the goal of disabling EDR products (an issue we examined in our piece on compromised Microsoft signed drivers<\/a> several months ago), and the context in which that driver was loaded, we started to investigate and dove deeper into the file.<\/p>\n After re-evaluation and engagement with the customer, the original incident was identified as an APT simulation test. Our investigation, however, led to the discovery of three distinct vulnerabilities we reported to the Panda security team. These vulnerabilities, now tracked as CVE-2023-6330, CVE-2023-6331, and CVE-2023-6332, have been addressed by Panda. Information from Panda on the vulnerabilities and fixes for them can be found as noted for each CVE below.<\/p>\n Description<\/strong><\/p>\n The registry hive \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion contains multiple useful pieces of information used to determine the OS version. The CSDVersion represents the Service Pack level of the operation system. CSDBuildNumber is the number of the corresponding build.<\/p>\n The driver pskmad_64.sys does not properly validate the content of these registry values. An attacker can place maliciously crafted content into CSDBuildNumber or CSDVersion, which results in a non-paged memory overflow.<\/p>\n Impact<\/strong><\/p>\n The minimum impact is a denial of service. With additional research, an attacker might be able to achieve RCE by chaining CVE-2023-6330 with other vulnerabilities. The CVSS base score for this vulnerability is 6.4 and Panda assesses it as being of medium potential impact.<\/p>\n The full advisory for this issue is available on the WatchGuard site as WGSA-2024-00001<\/a>, \u201cWatchGuard Endpoint pskmad_64.sys Pool Memory Corruption Vulnerability.\u201d<\/p>\n Description<\/strong><\/p>\n By sending a maliciously crafted packet via an IRP request with IOCTL code 0xB3702C08 to the driver, an attacker can overflow a non-paged memory area, resulting in a memory-out-of-bounds write. The vulnerability exists due to missing bounds check when moving data via memmove to a non-paged memory pool.<\/p>\n Impact<\/strong><\/p>\n The minimum impact is a denial of service. With additional research, an attacker might be able to achieve remote code execution when CVE-2023-6331 is combined with other vulnerabilities. The CVSS base score for this vulnerability is also 6.4, but Panda assesses it as being of high potential impact.<\/p>\n The full advisory for this issue is available on the WatchGuard site as WGSA-2024-00002<\/a>, \u201cWatchGuard Endpoint pskmad_64.sys Out of Bounds Write Vulnerability.\u201d<\/p>\n Description<\/strong><\/p>\n Due to insufficient validation in the kernel driver, an attacker can send an IOCTL request with code 0xB3702C08 to read directly from kernel memory, resulting in an arbitrary read vulnerability.<\/p>\n Impact<\/strong><\/p>\n The attacker can use this vulnerability to leak sensitive data, or chain it with other vulnerabilities to craft a more sophisticated and higher-impact exploit. The CVSS base score for this vulnerability is 4.1, and Panda assesses it as being of medium potential impact.<\/p>\nFindings by CVE<\/h2>\n
CVE-2023-6330 (Registry)<\/h3>\n
CVE-2023-6331 (OutOfBoundsRead)<\/h3>\n
CVE-2023-6332 (Arbitrary Read)<\/h3>\n