In July 2023, an incident was triggered when a driver named pskmad_64.sys (Panda Memory Access Driver) was loaded onto a protected machine. The driver, owned by Panda Security and used in many of its products, raised concerns given the increasing abuse of legitimate drivers by attackers.
A deep investigation into the context in which the driver was being loaded revealed that the original incident was in fact an APT simulation test. The investigation nevertheless uncovered three distinct vulnerabilities, which were reported to the Panda security team. They were tracked as CVE-2023-6330, CVE-2023-6331, and CVE-2023-6332, and all three were subsequently addressed by Panda.
The first vulnerability, CVE-2023-6330, involved improper validation of registry values in the driver, which could result in an overflow of non-paged memory. Panda assessed its potential impact as medium.
The second vulnerability, CVE-2023-6331, allowed attackers to overflow a non-paged memory area, resulting in an out-of-bounds memory write. Panda assessed its potential impact as high.
The third vulnerability, CVE-2023-6332, stemmed from insufficient validation in the kernel driver, allowing attackers to read directly from kernel memory. Panda assessed its potential impact as medium.
The affected driver version was identified by its SHA256 value 2dd05470567e6d101505a834f52d5f46e0d0a0b57d05b9126bbe5b39ccb6af68 and file version 18.104.22.168. While Panda carried out its investigation, all earlier versions of the file were treated as potentially vulnerable. The affected driver ships in products such as WatchGuard EPDR (EPP, EDR, EPDR), Panda AD360, and Panda Dome, among others.
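A defender's first question after reading an advisory like this is whether the affected driver is present on any managed host. The following script is an added example, not code from the original writeup or from Panda/WatchGuard; it takes the two indicators given above (the SHA256 and the file version 18.104.22.168) and applies them to a driver inventory export. The inventory records, the host names, and the verdict labels are constructed for illustration. An exact hash match is reported as confirmed; any older file version is reported as potentially vulnerable, mirroring the treatment described above; a matching version with a different hash is flagged for hash verification; a newer build is flagged for comparison against the vendor advisory, since this page does not state the fixed version number.

```python
import hashlib
from typing import NamedTuple

# Indicators taken from the advisory summary above.
VULNERABLE_SHA256 = "2dd05470567e6d101505a834f52d5f46e0d0a0b57d05b9126bbe5b39ccb6af68"
VULNERABLE_VERSION = "18.104.22.168"
DRIVER_NAME = "pskmad_64.sys"


def parse_version(version: str) -> tuple:
    """Turn a dotted file version like '18.104.22.168' into a comparable tuple.

    Comparing raw strings would be wrong ('9.0.0.0' > '18.0.0.0' lexically),
    so each component becomes an integer. Missing components are padded with
    zeros so '18.104' compares equal to '18.104.0.0'.
    """
    parts = [int(p) for p in version.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {version!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def sha256_of_file(path: str) -> str:
    """Hash a file on disk in 1 MiB chunks; use this to fill the sha256 field of a record."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


class DriverRecord(NamedTuple):
    host: str
    path: str
    sha256: str
    file_version: str


def classify(record: DriverRecord) -> str:
    """Map one inventory record to a triage verdict (verdict names are this example's own).

    confirmed_vulnerable    exact hash match with the advisory sample
    potentially_vulnerable  older than the advisory version (treated as such by Panda)
    verify_hash             same version string but a different hash; inspect the file
    newer_than_advisory     newer build; confirm against the vendor advisory that it is fixed
    not_applicable          some other driver
    """
    name = record.path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name != DRIVER_NAME:
        return "not_applicable"
    if record.sha256.lower() == VULNERABLE_SHA256:
        return "confirmed_vulnerable"
    found = parse_version(record.file_version)
    reference = parse_version(VULNERABLE_VERSION)
    if found < reference:
        return "potentially_vulnerable"
    if found == reference:
        return "verify_hash"
    return "newer_than_advisory"


def triage(records) -> dict:
    """Group host names by verdict so confirmed and potential hits can be acted on first."""
    report = {}
    for r in records:
        report.setdefault(classify(r), []).append(r.host)
    return report


# Constructed sample inventory (not real telemetry), shaped like a driver-inventory export.
SAMPLE_INVENTORY = [
    DriverRecord("ws-01", r"C:\Windows\System32\drivers\pskmad_64.sys", VULNERABLE_SHA256, VULNERABLE_VERSION),
    DriverRecord("ws-02", r"C:\Windows\System32\drivers\pskmad_64.sys", "ab" * 32, "18.90.1.5"),
    DriverRecord("ws-03", r"C:\Windows\System32\drivers\pskmad_64.sys", "cd" * 32, VULNERABLE_VERSION),
    DriverRecord("ws-04", r"C:\Windows\System32\drivers\pskmad_64.sys", "ef" * 32, "18.105.0.1"),
    DriverRecord("ws-05", r"C:\Windows\System32\drivers\other.sys", "01" * 32, "1.0.0.0"),
]

if __name__ == "__main__":
    for verdict, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{verdict:24} {', '.join(hosts)}")
```

The version comparison is done on integer tuples rather than strings because dotted versions do not sort lexically. Hash matching is kept separate from version matching on purpose: a hash confirms the exact advisory sample, while a version only places a file relative to it, which is why a same-version, different-hash file gets its own verdict instead of being silently trusted.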
The timeline of the investigation and response from the Panda security team was as follows:
– In August 2023, a proof of concept and a detailed writeup were sent to the Panda security team.
– In September 2023, the Panda security team acknowledged the report.
– In October 2023, the Panda security team communicated their plan to fix the issues.
– In December 2023, Panda communicated the three CVE identifiers assigned to the issues.
– In January 2024, the fixes were released.
The full advisories for each of the vulnerabilities can be found on the WatchGuard site.
Overall, the discovery and responsible reporting of these vulnerabilities served as a proactive measure to address potential security threats and to preserve the safety and integrity of the affected products.