Security researchers have discovered critical vulnerabilities in a security driver shipped with Panda Security software. The chain of flaws abuses a legitimate driver to disable EDR products. Despite their relatively low CVSS scores, they may be rather effective in real-world attacks.
Panda Security Driver Vulnerabilities Uncovered
Researchers have unearthed three critical vulnerabilities in a security driver that is widely deployed across various digital platforms. The driver in question is pskmad_64.sys, which belongs to Panda Security. Although the vulnerabilities were discovered in July 2023, the company provided a patch only in January 2024.
Closer analysis showed that the flaws first surfaced during a penetration test, where the red team worked them out and used them in the attack. They have since been assigned the identifiers CVE-2023-6330, CVE-2023-6331 and CVE-2023-6332.
Analysis of the Flaws
The first vulnerability, CVE-2023-6330, has a CVSS score of 6.4 and is registry-related. Because the driver does not correctly validate the contents of the registry values it reads, an attacker could place malicious content into those values, which could result in a memory overflow. The minimum damage from this vulnerability is a denial of service.
The second vulnerability, CVE-2023-6331, also has a CVSS score of 6.4, but Panda rates it as high. The flaw stems from a lack of bounds checking when data is moved via memmove into a non-paged (unpageable) memory pool buffer. An attacker can send a maliciously crafted packet to the driver through an IRP request with IOCTL code 0xB3702C08; the request overflows the non-paged pool buffer, resulting in an out-of-bounds write. The minimum damage is a denial of service.
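To make the missing-bounds-check pattern concrete, here is an added, constructed user-mode model of an IOCTL dispatch routine (not code from the Panda driver or the advisory): the flawed handler copies the request into a fixed-size buffer without comparing lengths, while the hardened one rejects oversized requests before touching memory. Only the IOCTL code comes from the article; the 64-byte buffer size, the canary that stands in for the adjacent allocation, and all function names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* The IOCTL code is the one named in the advisory; buffer size and layout are assumed. */
#define IOCTL_PSKMAD_MOVE      0xB3702C08u
#define POOL_BUF_SIZE          64u                 /* assumed size of the non-paged pool buffer */
#define CANARY_SIZE            4u                  /* models whatever allocation follows it */
#define REGION_SIZE            (POOL_BUF_SIZE + CANARY_SIZE)

/* Standard NTSTATUS values. */
#define STATUS_SUCCESS                0x00000000u
#define STATUS_INVALID_DEVICE_REQUEST 0xC0000010u
#define STATUS_INVALID_BUFFER_SIZE    0xC0000206u
#define STATUS_INVALID_PARAMETER      0xC000000Du

static const uint8_t CANARY[CANARY_SIZE] = {0xDE, 0xAD, 0xBE, 0xEF};

/* Lay out a fake pool region: [POOL_BUF_SIZE data bytes][canary]. */
void pool_region_init(uint8_t region[REGION_SIZE]) {
    memset(region, 0, POOL_BUF_SIZE);
    memcpy(region + POOL_BUF_SIZE, CANARY, CANARY_SIZE);
}

/* True while the bytes beyond the buffer have not been overwritten. */
bool pool_region_intact(const uint8_t region[REGION_SIZE]) {
    return memcmp(region + POOL_BUF_SIZE, CANARY, CANARY_SIZE) == 0;
}

/* Models the flawed handler: the input length is never compared to the buffer size.
 * The REGION_SIZE guard exists only to keep this model itself memory-safe. */
uint32_t dispatch_vulnerable(uint8_t region[REGION_SIZE], uint32_t ioctl,
                             const uint8_t *in, size_t in_len) {
    if (ioctl != IOCTL_PSKMAD_MOVE) return STATUS_INVALID_DEVICE_REQUEST;
    if (in_len > REGION_SIZE) return STATUS_INVALID_PARAMETER;
    memmove(region, in, in_len);          /* overruns the 64-byte buffer when in_len > 64 */
    return STATUS_SUCCESS;
}

/* Hardened handler: validate the pointer and length before any copy takes place. */
uint32_t dispatch_hardened(uint8_t region[REGION_SIZE], uint32_t ioctl,
                           const uint8_t *in, size_t in_len) {
    if (ioctl != IOCTL_PSKMAD_MOVE) return STATUS_INVALID_DEVICE_REQUEST;
    if (in == NULL) return STATUS_INVALID_PARAMETER;
    if (in_len > POOL_BUF_SIZE) return STATUS_INVALID_BUFFER_SIZE;
    memmove(region, in, in_len);          /* now guaranteed to stay inside the buffer */
    return STATUS_SUCCESS;
}
```

Feeding a request two bytes longer than the buffer to `dispatch_vulnerable` clobbers the canary, while `dispatch_hardened` returns STATUS_INVALID_BUFFER_SIZE and leaves it intact.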
The third vulnerability, CVE-2023-6332, has a CVSS score of 4.1 and consists of insufficient request validation in the kernel driver: an attacker can send a specially crafted request that reads directly from kernel memory, causing sensitive data to be leaked. Although at first glance all these vulnerabilities seem harmless, in combination with other vulnerabilities they can cause more serious damage.
Antivirus Drivers Exploitation – A New Trend?
The story around the vulnerable Panda Security driver is strikingly similar to the recent news about a tactic employed by Kasseika ransomware. In the course of a BYOVD (Bring Your Own Vulnerable Driver) attack, the latter exploited a flawed driver from the VirIT Agent System security solution. This approach allowed the attackers to list all the processes running in the environment and suspend those related to security tools.
Overall, the idea of using vulnerable drivers in cyberattacks is not new, but specifically targeting antivirus/antimalware drivers appears to be a new trend. Such drivers have deeper system integration, giving attackers more comprehensive control over the system after a successful exploitation. Moreover, security tools themselves usually consider these drivers safe and legitimate, meaning attackers can stay under the radar even with their “main weapon” deployed directly on disk.
How to stay protected?
To ensure your safety and security, it is crucial to keep your software and security systems up to date. Conducting routine system audits and implementing robust security protocols can also help protect against potential exploits. In addition, more detailed recommendations are available that address the current vulnerabilities.