In July 2023 our proactive behaviour rules fired on an attempt to load a driver named pskmad_64.sys, the Panda Memory Access Driver, on a protected machine. The driver is owned by Panda Security and is used in many of their products.
Given the rise in abuse of legitimate drivers to disable EDR products (an issue we covered in our piece on compromised Microsoft-signed drivers several months ago) and the context in which this driver was loaded, we decided to investigate the file more closely.
After re-evaluation and discussion with the customer, the initial incident was classified as an APT simulation test. Our investigation nevertheless revealed three distinct vulnerabilities, which we reported to the Panda security team. Panda has addressed these flaws, now tracked as CVE-2023-6330, CVE-2023-6331 and CVE-2023-6332. For each CVE below, Panda's own description of the flaw and its fix is linked.
CVE findings
CVE-2023-6330 (Registry)
Description
The registry key `\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion` holds a number of values used to identify the OS version. CSDVersion represents the Service Pack level of the operating system, and CSDBuildNumber the corresponding build number.
The pskmad_64.sys driver does not properly validate the content of these registry values. An attacker who can place maliciously crafted content in CSDBuildNumber or CSDVersion can cause a non-paged pool memory overflow.
Impact
The least severe impact is a denial of service. With further research, an attacker may be able to achieve remote code execution by chaining CVE-2023-6330 with other vulnerabilities. Panda rates this vulnerability with a CVSS base score of 6.4 and a medium potential impact.
The complete advisory for this issue is available on the WatchGuard website as WGSA-2024-00001, "WatchGuard Endpoint pskmad_64.sys memory corruption vulnerability in system pools".
CVE-2023-6331 (Out-of-Bounds Write)
Description
A maliciously constructed packet sent to the driver through an IRP request with IOCTL code 0xB3702C08 can overflow a non-paged memory area, resulting in an out-of-bounds write. The vulnerability is caused by missing bounds checks when data is copied with memmove into a non-paged memory pool.
Impact
The least severe impact is a denial of service. With further research, an attacker may be able to achieve remote code execution by combining CVE-2023-6331 with other vulnerabilities. Although this vulnerability also has a CVSS base score of 6.4, Panda considers it to have a high potential impact.
The complete advisory for this issue is available on the WatchGuard website as WGSA-2024-00002, "pskmad_64.sys out-of-bounds write vulnerability".
CVE-2023-6332 (Arbitrary Read)
Description
Because of insufficient validation in the kernel driver, an attacker can send an IOCTL request with code 0xB3702C08 to read directly from kernel memory, which constitutes an arbitrary read vulnerability.
Impact
An attacker can exploit this vulnerability to leak sensitive data, or combine it with other vulnerabilities to build a more complex and powerful exploit. It has a CVSS base score of 4.1, and Panda considers its potential impact to be medium.
The complete advisory for this issue is available on the WatchGuard website as WGSA-2024-00003, "pskmad_64.sys arbitrary memory read vulnerability".
Affected products
The file we investigated has version 1.1.0.21 and SHA256 2dd05476767e6d101505a834f52d5f46e0d0a0b57d55b9126bbe5b39ccb6af68. While awaiting the results of Panda's own investigation, we treated all earlier versions of the file as potentially vulnerable out of an abundance of caution; their investigation confirmed this approach.
The affected driver is included in the following products, as stated in Panda’s advisories:
- WatchGuard EPDR (EPP, EDR, EPDR) and Panda AD360 up to version 8.00.22.0023.
- Panda Dome (Essential, Advanced, Complete and Premium editions) up to version 22.02.
The consumer product, Panda Dome, is fixed in version 22.02.01. The enterprise products WatchGuard EPDR and AD360 are fixed in version 8.0.22.0023.
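As an added example, not part of this write-up or of Panda's advisories, the following PowerShell script hunts a Windows host for the affected pskmad_64.sys build using the facts above (file version 1.1.0.21, its SHA256, and the rule that all earlier versions are treated as vulnerable). The driver paths searched and the service name are assumptions, not something the advisories state.

```powershell
# Added example: inventory check for the vulnerable pskmad_64.sys driver.
# Values below come from the write-up; the search paths are assumed.
$KnownBadSha256 = '2dd05476767e6d101505a834f52d5f46e0d0a0b57d55b9126bbe5b39ccb6af68'
$LastBadVersion = [version]'1.1.0.21'   # this and every earlier build are vulnerable

# Candidate locations (assumed); add your own product install directories as needed.
$Candidates = @(
    "$env:SystemRoot\System32\drivers\pskmad_64.sys",
    "$env:ProgramFiles\Panda Security\*\pskmad_64.sys",
    "$env:ProgramFiles\WatchGuard\*\pskmad_64.sys"
)

function Test-PskmadDriver {
    param([string]$Path)
    $file    = Get-Item -LiteralPath $Path
    $hash    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
    # FileVersion may be "1.1.0.21" or "1, 1, 0, 21" with trailing text; normalise it.
    $verText = ($file.VersionInfo.FileVersion -replace ',\s*', '.') -replace '\s.*$', ''
    $version = $null
    [void][version]::TryParse($verText, [ref]$version)

    # Flag on exact hash match, or on any parseable version at or below 1.1.0.21.
    $vulnerable = ($hash -eq $KnownBadSha256) -or
                  ($null -ne $version -and $version -le $LastBadVersion)

    [pscustomobject]@{
        Path       = $Path
        Version    = $verText
        SHA256     = $hash
        Vulnerable = $vulnerable
    }
}

$results = foreach ($pattern in $Candidates) {
    Get-ChildItem -Path $pattern -ErrorAction SilentlyContinue |
        ForEach-Object { Test-PskmadDriver -Path $_.FullName }
}

# Is a matching kernel driver currently loaded? (Service name assumed to start with pskmad.)
$loaded = Get-CimInstance Win32_SystemDriver -Filter "Name LIKE 'pskmad%'" |
          Select-Object Name, State, PathName

$results | Format-Table -AutoSize
$loaded  | Format-Table -AutoSize
```

A host with any row marked Vulnerable, or with the driver loaded at an older version, should be scheduled for the product update to the fixed versions listed above.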
Timeline
2023-08-28: Proof of concept and detailed write-up sent to the Panda security team.
2023-09-21: Panda security team responds and acknowledges our report.
2023-10-30: Panda security team informs us of their plan for resolving the issues.
2023-12-06: Panda informs us of the three CVEs assigned to these issues.
2024-01-18: Fixes made public.