Multiple vulnerabilities discovered in widely used security driver

Credit to Author: Angela Gunn| Date: Thu, 25 Jan 2024 19:00:52 +0000

In July 2023, our proactive behavior rules triggered on an attempt to load a driver named pskmad_64.sys (Panda Memory Access Driver) on a protected machine. The driver is owned by Panda Security and used in many of their products.

Due to the rise in legitimate driver abuse with the goal of disabling EDR products (an issue we examined in our piece on compromised Microsoft signed drivers several months ago), and the context in which that driver was loaded, we started to investigate and dove deeper into the file.

After re-evaluation and engagement with the customer, the original incident was identified as an APT simulation test. Our investigation, however, led to the discovery of three distinct vulnerabilities we reported to the Panda security team. These vulnerabilities, now tracked as CVE-2023-6330, CVE-2023-6331, and CVE-2023-6332, have been addressed by Panda. Information from Panda on the vulnerabilities and fixes for them can be found as noted for each CVE below.

Findings by CVE

CVE-2023-6330 (Registry)

Description

The registry hive \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion contains multiple useful pieces of information used to determine the OS version. The CSDVersion represents the Service Pack level of the operation system. CSDBuildNumber is the number of the corresponding build.

The driver pskmad_64.sys does not properly validate the content of these registry values. An attacker can place maliciously crafted content into CSDBuildNumber or CSDVersion, which results in a non-paged memory overflow.

Impact

The minimum impact is a denial of service. With additional research, an attacker might be able to achieve RCE by chaining CVE-2023-6330 with other vulnerabilities. The CVSS base score for this vulnerability is 6.4 and Panda assesses it as being of medium potential impact.

The full advisory for this issue is available on the WatchGuard site as WGSA-2024-00001, “WatchGuard Endpoint pskmad_64.sys Pool Memory Corruption Vulnerability.”

CVE-2023-6331 (OutOfBoundsRead)

Description

By sending a maliciously crafted packet via an IRP request with IOCTL code 0xB3702C08 to the driver, an attacker can overflow a non-paged memory area, resulting in a memory-out-of-bounds write. The vulnerability exists due to missing bounds check when moving data via memmove to a non-paged memory pool.

Impact

The minimum impact is a denial of service. With additional research, an attacker might be able to achieve remote code execution when CVE-2023-6331 is combined with other vulnerabilities. The CVSS base score for this vulnerability is also 6.4, but Panda assesses it as being of high potential impact.

The full advisory for this issue is available on the WatchGuard site as WGSA-2024-00002, “WatchGuard Endpoint pskmad_64.sys Out of Bounds Write Vulnerability.”

CVE-2023-6332 (Arbitrary Read)

Description

Due to insufficient validation in the kernel driver, an attacker can send an IOCTL request with code 0xB3702C08 to read directly from kernel memory, resulting in an arbitrary read vulnerability.

Impact

The attacker can use this vulnerability to leak sensitive data, or chain it with other vulnerabilities to craft a more sophisticated and higher-impact exploit. The CVSS base score for this vulnerability is 4.1, and Panda assesses it as being of medium potential impact.

The full advisory for this issue is available on the WatchGuard site as WGSA-2024-00003, “WatchGuard Endpoint pskmad_64.sys Arbitrary Memory Read Vulnerability.”

Affected Products

The file we investigated has the SHA256 value 2dd05470567e6d101505a834f52d5f46e0d0a0b57d05b9126bbe5b39ccb6af68 and file version 1.1.0.21. Out of an abundance of caution, while Panda undertook its investigation, we treated all earlier versions of the file as potentially vulnerable as we awaited the results of Panda’s own investigation; their investigation confirmed this approach.

As stated in Panda’s advisories, the affected driver is included in the following products:

  • WatchGuard EPDR (EPP, EDR, EPDR) and Panda AD360 up to 8.00.22.0023
  • Panda Dome up to 22.02.01 (Essential, Advanced, Complete, and Premium versions)

The fixed version of Panda Dome, the consumer product, is 22.02.01. The fixed version of WatchGuard EPDR and AD360, the enterprise product, is 8.0.22.0023.

Timeline

2023-08-28: Proof of concept and detailed writeup sent to the Panda security team.

2023-09-21: Panda security team responded and acknowledged our report.

2023-10-30: Panda security team informed us of their plan to fix the issues.

2023-12-06: Panda informs us of the three CVEs assigned to these issues.

2024-01-18: Fixes released.

http://feeds.feedburner.com/sophos/dgdY