The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Panda AV

vulnerability alert CVE-2017-5565 CVE-2017-5566 CVE-2017-5567

Antivirus: privilege escalation via Microsoft Application Verifier

Synthesis of the vulnerability

An attacker can bypass restrictions via Microsoft Application Verifier in several antivirus products, in order to escalate his privileges.
Impacted products: Avast AV, NOD32 Antivirus, F-Secure AV, AVG AntiVirus, McAfee MOVE AntiVirus, VirusScan, Norton Antivirus, Norton Internet Security, Panda AV, Panda Internet Security, TrendMicro Internet Security, OfficeScan.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user shell.
Number of vulnerabilities in this bulletin: 5.
Creation date: 22/03/2017.
Identifiers: 1116957, CVE-2017-5565, CVE-2017-5566, CVE-2017-5567, CVE-2017-6186, CVE-2017-6417, VIGILANCE-VUL-22211.

Description of the vulnerability

An attacker can bypass restrictions via Microsoft Application Verifier in several antivirus products, in order to escalate his privileges.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability announce 19977

Panda Antivirus, Panda Internet Security: privilege escalation via bcryptprimitives.dll

Synthesis of the vulnerability

An attacker can create a DLL named "bcryptprimitives.dll" in the installation folder of Panda Antivirus and Panda Internet Security, in order to get system privileges.
Impacted products: Panda AV, Panda Internet Security.
Severity: 3/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user shell.
Creation date: 27/06/2016.
Identifiers: VIGILANCE-VUL-19977.

Description of the vulnerability

The Panda Antivirus and Panda Internet Security products are made of several modules, some of which do not exist on every platform.

The library bcryptprimitives.dll is one of these modules, but the product always tries to load it. However, the folder where the library is looked for is writable by ordinary users. An attacker can create a DLL with this name in this folder, and it will be run with system privileges (account NT AUTHORITY\SYSTEM). This vulnerability is similar to the one described in VIGILANCE-VUL-19558.

An attacker can therefore create a DLL named "bcryptprimitives.dll" in the installation folder of Panda Antivirus and Panda Internet Security, in order to get system privileges.
Full Vigil@nce bulletin... (Free trial)

vulnerability alert 18671

Windows: code execution during application installation

Synthesis of the vulnerability

An attacker can invite the victim to download malicious libraries on Windows, in order to run code during the installation of an application requiring these DLLs.
Impacted products: 7-Zip, ZoneAlarm, FileZilla Server, GIMP, Chrome, Kaspersky AV, Windows 10, Windows 2008 R0, Windows 2008 R2, Windows 2012, Windows 7, Windows 8, Windows (platform) ~ not comprehensive, Windows RT, Windows Vista, Opera, Panda AV, Panda Internet Security, PuTTY, OfficeScan, TrueCrypt, VLC.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights.
Provenance: document.
Creation date: 11/01/2016.
Identifiers: sk110055, VIGILANCE-VUL-18671.

Description of the vulnerability

When a user installs a new application on Windows, he downloads the installation program (install.exe, for example) and then runs it.

However, several installation programs load DLLs (for example graph.dll) from the current directory. So, if an attacker has invited the victim to download a malicious graph.dll file before the victim runs install.exe from the Downloads directory, the code located in the DLL is run.

See also the bulletin VIGILANCE-VUL-19558 for other impacted products.

An attacker can therefore invite the victim to download malicious libraries on Windows, in order to run code during the installation of an application requiring these DLLs.
Full Vigil@nce bulletin... (Free trial)

vulnerability alert CVE-2015-1438

Panda AV/IS: memory corruption via PSKMAD.sys

Synthesis of the vulnerability

A local attacker can generate a memory corruption in PSKMAD.sys of Panda AV/IS, in order to trigger a denial of service, and possibly to run code with system privileges.
Impacted products: Panda AV, Panda Internet Security.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights, denial of service on service, denial of service on client.
Provenance: user shell.
Creation date: 15/07/2015.
Identifiers: CVE-2015-1438, VIGILANCE-VUL-17401.

Description of the vulnerability

The Panda products install the PSKMAD.sys driver.

However, a local attacker can interact with this driver in a way that corrupts its memory.

A local attacker can therefore generate a memory corruption in PSKMAD.sys of Panda AV/IS, in order to trigger a denial of service, and possibly to run code with system privileges.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability announce 16617

Panda Antivirus, Internet Security: privilege escalation via Debug

Synthesis of the vulnerability

A local attacker can debug the password verification process of Panda Antivirus or Internet Security, in order to alter the configuration.
Impacted products: Panda AV, Panda Internet Security.
Severity: 1/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user shell.
Creation date: 15/04/2015.
Identifiers: SYSS-2015-012, SYSS-2015-013, VIGILANCE-VUL-16617.

Description of the vulnerability

The Panda Antivirus and Panda Internet Security products use a password to protect the access to their configuration.

The PSUAMain.exe program (PSUNConsole.dll) manages the verification of this password. However, this program runs as the current user.

A local attacker can therefore debug the password verification process of Panda Antivirus or Internet Security, in order to alter the configuration.
Full Vigil@nce bulletin... (Free trial)

vulnerability announce CVE-2014-5307

Panda Security: buffer overflow of PavTPK.sys

Synthesis of the vulnerability

An attacker can generate a buffer overflow in PavTPK.sys of Panda Security, in order to trigger a denial of service, and possibly to execute code with the kernel privilege level.
Impacted products: Panda AV, Panda Internet Security.
Severity: 3/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights, denial of service on server, denial of service on service, denial of service on client.
Provenance: user shell.
Creation date: 20/08/2014.
Identifiers: CVE-2014-5307, VIGILANCE-VUL-15212.

Description of the vulnerability

The Panda Security products include a device driver, PavTPK.sys, with which any user process can communicate via ioctl calls.

The ioctl command numbered 0x222008 takes a buffer as an argument. The data length is deduced from a data structure provided by the Windows kernel but reachable by the user process. So the process can make the driver copy into kernel space more data than it can manage.

An attacker can therefore generate a buffer overflow in PavTPK.sys of Panda Security, in order to trigger a denial of service, and possibly to run code with the kernel privilege level.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability announce CVE-2014-3450

Panda AV, IS: privilege escalation

Synthesis of the vulnerability

A local attacker can use a vulnerability of Panda AV Pro or Internet Security, in order to escalate his privileges.
Impacted products: Panda AV, Panda Internet Security.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user shell.
Creation date: 21/05/2014.
Identifiers: CVE-2014-3450, VIGILANCE-VUL-14777.

Description of the vulnerability

A local attacker can use a vulnerability of Panda AV Pro or Internet Security, in order to escalate his privileges.
Full Vigil@nce bulletin... (Free trial)

vulnerability alert CVE-2012-1420 CVE-2012-1432 CVE-2012-1433

Panda Antivirus: bypassing via CAB, ELF, EXE, TAR, ZIP

Synthesis of the vulnerability

An attacker can create an archive or a program containing a virus, which is not detected by Panda Antivirus.
Impacted products: Panda AV, Panda Internet Security.
Severity: 2/4.
Consequences: data flow.
Provenance: document.
Number of vulnerabilities in this bulletin: 18.
Creation date: 21/03/2012.
Identifiers: BID-52582, BID-52592, BID-52593, BID-52594, BID-52595, BID-52596, BID-52598, BID-52600, BID-52601, BID-52602, BID-52604, BID-52605, BID-52606, BID-52608, BID-52614, BID-52615, BID-52621, BID-52623, CVE-2012-1420, CVE-2012-1432, CVE-2012-1433, CVE-2012-1434, CVE-2012-1435, CVE-2012-1436, CVE-2012-1439, CVE-2012-1440, CVE-2012-1442, CVE-2012-1444, CVE-2012-1445, CVE-2012-1446, CVE-2012-1447, CVE-2012-1453, CVE-2012-1454, CVE-2012-1456, CVE-2012-1459, CVE-2012-1463, VIGILANCE-VUL-11471.

Description of the vulnerability

Tools extracting archives (CAB, TAR, ZIP, etc.) accept slightly malformed archives. Systems also accept to execute slightly malformed programs (ELF, EXE). However, Panda Antivirus does not detect viruses contained in these archives/programs.

A TAR archive containing "\7fELF" as its first 4 bytes bypasses the detection. [severity:1/4; BID-52615, CVE-2012-1420]

An EXE program containing "\57\69\6E\5A\69\70" at offset 29 bypasses the detection. [severity:2/4; BID-52594, CVE-2012-1432]

An EXE program containing "\4a\46\49\46" at offset 6 bypasses the detection. [severity:2/4; BID-52596, CVE-2012-1433]

An EXE program containing "\19\04\00\10" at offset 8 bypasses the detection. [severity:2/4; BID-52582, CVE-2012-1434]

An EXE program containing "\50\4B\4C\49\54\45" at offset 30 bypasses the detection. [severity:2/4; BID-52592, CVE-2012-1435]

An EXE program containing "\2D\6C\68" at offset 3 bypasses the detection. [severity:2/4; BID-52593, CVE-2012-1436]

An ELF program containing a large "padding" field bypasses the detection. [severity:2/4; BID-52602, CVE-2012-1439]

An ELF program containing a large "identsize" field bypasses the detection. [severity:2/4; BID-52595, CVE-2012-1440]

An EXE program containing a large "class" field bypasses the detection. [severity:2/4; BID-52598, CVE-2012-1442]

An ELF program containing a large "abiversion" field bypasses the detection. [severity:2/4; BID-52604, CVE-2012-1444]

An ELF program containing a large "abi" field bypasses the detection. [severity:2/4; BID-52605, CVE-2012-1445]

An ELF program containing a large "encoding" field bypasses the detection. [severity:2/4; BID-52600, CVE-2012-1446]

An ELF program containing a large "e_version" field bypasses the detection. [severity:2/4; BID-52601, CVE-2012-1447]

A CAB archive containing a large "coffFiles" field bypasses the detection. [severity:1/4; BID-52621, CVE-2012-1453]

An ELF program containing a large "ei_version" field bypasses the detection. [severity:2/4; BID-52606, CVE-2012-1454]

A ZIP archive starting with TAR data bypasses the detection. [severity:1/4; BID-52608, CVE-2012-1456]

A TAR archive with a header containing a large value bypasses the detection. [severity:1/4; BID-52623, CVE-2012-1459]

An ELF program with a changed 5th byte bypasses the detection. [severity:2/4; BID-52614, CVE-2012-1463]

An attacker can therefore create an archive containing a virus which is not detected by the antivirus, but which is extracted by extraction tools. The virus is then detected only once it has been extracted on the victim's computer. An attacker can also create a program containing a virus which is not detected by the antivirus, but which can be run by the system.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability alert 9746

Panda AV, IS: buffer overflow of RKPavProc.sys

Synthesis of the vulnerability

A local attacker can generate a buffer overflow in the Panda RKPavProc.sys driver, in order to obtain system privileges.
Impacted products: Panda AV, Panda Internet Security.
Severity: 2/4.
Consequences: administrator access/rights.
Provenance: user shell.
Number of vulnerabilities in this bulletin: 2.
Creation date: 07/07/2010.
Identifiers: 20100630 80184 EN, BID-41428, NTIADV0905, VIGILANCE-VUL-9746.

Description of the vulnerability

The Panda Antivirus and Panda Internet Security products install the driver RKPavProc.sys to detect rootkits. This driver is impacted by two vulnerabilities.

A local attacker can use the ioctl 0x1FA50004, in order to force RKPavProc.sys to dereference a NULL pointer, which generates a denial of service. [severity:1/4]

A local attacker can use the ioctl 0x1FA50010, in order to generate a buffer overflow in RKPavProc.sys, which leads to code execution with system privileges. [severity:2/4]

A local attacker can therefore generate a buffer overflow in the Panda RKPavProc.sys driver, in order to obtain system privileges.
Full Vigil@nce bulletin... (Free trial)

vulnerability bulletin CVE-2010-5151 CVE-2010-5152 CVE-2010-5154

Antivirus: bypassing SSDT Hooking

Synthesis of the vulnerability

When an antivirus redirects the SSDT to detect viruses, a local attacker can use an atomicity error, in order to bypass this protection.
Impacted products: Avast AV, CA Antivirus, F-Secure AV, AVG AntiVirus, Kaspersky AV, VirusScan, Norton Antivirus, Norton Internet Security, Panda AV, Panda Internet Security, Symantec AV.
Severity: 2/4.
Consequences: administrator access/rights, data flow.
Provenance: user shell.
Number of vulnerabilities in this bulletin: 13.
Creation date: 10/05/2010.
Revision date: 11/05/2010.
Identifiers: CVE-2010-5151, CVE-2010-5152, CVE-2010-5154, CVE-2010-5156, CVE-2010-5161, CVE-2010-5163, CVE-2010-5166, CVE-2010-5167, CVE-2010-5168, CVE-2010-5171, CVE-2010-5172, CVE-2010-5177, CVE-2010-5179, VIGILANCE-VUL-9633.

Description of the vulnerability

The SSDT (System Service Descriptor Table) contains references to system calls:
 - NtCreateKey : create a registry key
 - NtCreateThread : create a thread
 - NtDeleteFile : delete a file
 - etc.

Antiviruses redirect entries of this table to verification functions. Several implementations check the parameters, and then call the original system call. However, between these two operations, a local attacker can change the parameters of the system call, because they are read from user memory a second time. An attacker can therefore create a program using legitimate parameters, and then change them just before the system call is made.

When an antivirus redirects the SSDT to detect viruses, a local attacker can therefore use an atomicity error, in order to bypass this protection.
Full Vigil@nce bulletin... (Free trial)