Multiple vulnerabilities discovered in widely used security driver

In July 2023, our proactive behavior rules triggered on an attempt to load a driver named pskmad_64.sys (Panda Memory Access Driver) on a protected machine. The driver is owned by Panda Security and used in many of their products. Because of the rise in abuse of legitimate drivers to disable EDR products (an issue we examined in our piece on compromised signed drivers several months ago), and because of the context in which that driver was loaded, we started to investigate and dove deeper into the file. After re-evaluation and engagement with the customer, the original incident was identified as a simulation test. Our investigation, however, led to the discovery of three distinct vulnerabilities, which we reported to the Panda security team. These vulnerabilities, now tracked as CVE-2023-6330, CVE-2023-6331, and CVE-2023-6332, have been addressed by Panda. Information from Panda on the vulnerabilities and the fixes for them can be found as noted for each CVE below.

Findings by CVE

CVE-2023-6330 (Registry)

Description

The registry hive \REGISTRY\MACHINE\SOFTWARE\\ NT\CurrentVersion contains several pieces of information used to determine the OS version. CSDVersion represents the Service Pack level of the operating system, and CSDBuildNumber is the number of the corresponding build. The driver pskmad_64.sys does not properly validate the content of these registry values. An attacker can place maliciously crafted content into CSDBuildNumber or CSDVersion, which results in a non-paged memory overflow.

Impact

The minimum impact is a denial of service. With additional research, an attacker might be able to achieve RCE by chaining CVE-2023-6330 with other vulnerabilities. The CVSS base score for this vulnerability is 6.4, and Panda assesses it as being of medium potential impact. The full advisory for this issue is available on the WatchGuard site as WGSA-2024-00001, “WatchGuard Endpoint pskmad_64.sys Pool Memory Corruption.”

CVE-2023-6331 (OutOfBoundsRead)

Description

By sending…
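As an added defender-side example (not code from Sophos, Panda or the advisory), the following PowerShell audit covers the two things a responder would want to check on a host after reading the CVE-2023-6330 description: whether the CSDVersion and CSDBuildNumber values that the driver consumes look like ordinary version strings, and whether pskmad_64.sys is present and registered, so its file version can be compared against the fixed version Panda published. The full key path used below is the standard Windows location of the CurrentVersion key shown partially above; the 64-character sanity limit and the treatment of control characters as suspicious are assumptions made for this example, not values from the advisory.

```powershell
# Added example: audit the CVE-2023-6330 preconditions and the pskmad_64.sys driver.
# Not Panda/Sophos code. Assumptions (not from the advisory): a sane maximum length of
# 64 characters for CSDVersion/CSDBuildNumber, and that control characters in those
# values are worth a closer look. Runs in Windows PowerShell without elevation.

$CurrentVersionKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$MaxSaneLength     = 64            # assumption: far above any genuine Service Pack string
$DriverName        = 'pskmad_64.sys'

function Test-CsdRegistryValues {
    # Report presence, type, length and character sanity of the two values the driver reads.
    $key = Get-Item -Path $CurrentVersionKey
    foreach ($name in 'CSDVersion', 'CSDBuildNumber') {
        if ($key.GetValueNames() -notcontains $name) {
            [pscustomobject]@{ Value = $name; Present = $false; Kind = $null; Length = 0
                               Suspicious = $false; Reason = 'not present' }
            continue
        }
        $kind    = $key.GetValueKind($name)
        $text    = [string]$key.GetValue($name)
        $reasons = @()
        # Assumption: a plain string or a DWORD is the expected shape; anything else is odd.
        $okKinds = [Microsoft.Win32.RegistryValueKind]::String, [Microsoft.Win32.RegistryValueKind]::DWord
        if ($okKinds -notcontains $kind)           { $reasons += "unexpected type $kind" }
        if ($text.Length -gt $MaxSaneLength)       { $reasons += "length $($text.Length) exceeds $MaxSaneLength" }
        if ($text -match '[\x00-\x1F\x7F]')        { $reasons += 'contains control characters' }
        [pscustomobject]@{
            Value = $name; Present = $true; Kind = $kind; Length = $text.Length
            Suspicious = ($reasons.Count -gt 0); Reason = ($reasons -join '; ')
        }
    }
}

function Get-PskmadDriverStatus {
    # Locate pskmad_64.sys via the registered driver list first, then the default driver folder.
    $services = Get-CimInstance -ClassName Win32_SystemDriver |
                Where-Object { $_.PathName -like "*$DriverName" }
    $path = if ($services) { $services[0].PathName } else {
        Join-Path $env:SystemRoot "System32\drivers\$DriverName"
    }
    $onDisk = Test-Path -Path $path
    $fileVersion = $null; $signer = $null
    if ($onDisk) {
        $fileVersion = (Get-Item -Path $path).VersionInfo.FileVersion
        $signer      = (Get-AuthenticodeSignature -FilePath $path).SignerCertificate.Subject
    }
    [pscustomobject]@{
        Path        = $path
        OnDisk      = $onDisk
        FileVersion = $fileVersion    # compare against the fixed version in WGSA-2024-00001
        Signer      = $signer
        Registered  = (($services | ForEach-Object { "$($_.Name) [$($_.State)]" }) -join ', ')
    }
}

Test-CsdRegistryValues | Format-Table -AutoSize
Get-PskmadDriverStatus  | Format-List
```

A "Suspicious" row does not by itself mean the overflow was triggered; it means the input the driver trusts has been altered into something a version string never looks like, which is the precondition worth escalating. Writing to that key requires rights on HKLM, so an unexpected change there is also a sign that something with those rights has already run on the host.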

Sophos News
