CVE-2019-12042
📋 TL;DR
This CVE describes a local privilege escalation vulnerability in Panda security products where insecure permissions on shared memory objects allow attackers to queue malicious events to the AgentSvc.exe system service. When exploited, this enables attackers to execute arbitrary commands with SYSTEM privileges. All Panda Antivirus, Panda Dome, Panda Global Protection, Panda Gold Protection, and Panda Internet Security users with versions before 18.07.03 are affected.
💻 Affected Systems
- Panda Antivirus
- Panda Antivirus Pro
- Panda Dome
- Panda Global Protection
- Panda Gold Protection
- Panda Internet Security
📦 What is this software?
Panda Antivirus by Pandasecurity
Panda Antivirus Pro by Pandasecurity
Panda Dome by Pandasecurity
Panda Global Protection by Pandasecurity
Panda Gold Protection by Pandasecurity
Panda Internet Security by Pandasecurity
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, allowing attackers to install persistent malware, steal credentials, disable security controls, and pivot to other systems.
Likely Case
Local attackers gain SYSTEM privileges to install additional malware, disable security software, or access protected system resources.
If Mitigated
Limited impact if proper network segmentation and least privilege principles are enforced, though local compromise remains possible.
🎯 Exploit Status
Multiple public proof-of-concept exploits exist on GitHub and security blogs. Exploitation requires local access but is straightforward once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 18.07.03 and later
Vendor Advisory: https://www.pandasecurity.com/usa/support/card?id=100063
Restart Required: Yes
Instructions:
1. Open Panda security product.
2. Navigate to Settings/Updates.
3. Check for updates and install version 18.07.03 or later.
4. Restart the computer to ensure the patch is fully applied.
🔧 Temporary Workarounds
Remove vulnerable Panda products
Uninstall affected Panda security products until they can be updated to patched versions.
Control Panel > Programs > Uninstall a program > Select Panda product > Uninstall
Restrict access to shared objects
Modify permissions on Global\PandaDevicesAgentSharedMemory and Global\PandaDevicesAgentSharedMemoryChange objects to restrict write access.
Requires advanced Windows security configuration and may break Panda functionality
🧯 If You Can't Patch
- Implement strict network segmentation to limit lateral movement from compromised systems
- Enforce least privilege principles and monitor for privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check the Panda product version in the application interface or with the 'wmic product get name,version' command. The installation is vulnerable if the version is below 18.07.03.
Check Version:
wmic product where "name like '%Panda%'" get name,version
Verify Fix Applied:
Confirm Panda product version is 18.07.03 or higher and test that the AgentSvc.exe service properly validates event queue permissions
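The version check above can be automated across collected `wmic` output. The following is an added example, not code from the vendor or from this page. It assumes the Version column uses the same dotted scheme as the advisory (18.07.03); the sample table and its version numbers are constructed.

```python
import re

FIXED = (18, 7, 3)  # 18.07.03, the patched version named on this page

# Constructed sample in wmic's fixed-width layout. Product names are from this
# page; the version numbers are made up for illustration.
_ROWS = [("Name", "Version"), ("Panda Dome", "18.07.03"),
         ("Panda Antivirus Pro", "18.06.01"), ("Panda Global Protection", "18.7.0"),
         ("Panda Internet Security", "18.10.00"), ("Panda Gold Protection", "")]
SAMPLE = "".join(f"{n:<25}{v:<10}\r\n" for n, v in _ROWS) + "\r\n"

def parse_version(text):
    """Turn '18.07.03' into (18, 7, 3); return None if it is not dotted digits."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))

def parse_wmic_table(output):
    """Return (name, version_string) rows, split at the Version column offset."""
    lines = [l.rstrip() for l in output.splitlines() if l.strip()]
    if not lines or "Version" not in lines[0]:
        return []
    col = lines[0].index("Version")  # names contain spaces, so slice by column
    return [(l[:col].strip(), l[col:].strip()) for l in lines[1:]]

def _pad(version, width):
    return version + (0,) * (width - len(version))

def is_vulnerable(version, fixed=FIXED):
    """Numeric compare; a string compare would rank '18.7.0' above '18.07.03'."""
    width = max(len(version), len(fixed))
    return _pad(version, width) < _pad(fixed, width)

def audit(output):
    """Map each product name to 'vulnerable', 'patched' or 'unknown'."""
    result = {}
    for name, raw in parse_wmic_table(output):
        version = parse_version(raw)
        if version is None:
            result[name] = "unknown"  # missing or non-numeric version field
        else:
            result[name] = "vulnerable" if is_vulnerable(version) else "patched"
    return result

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{status:10}  {name}")
```

Products reported as "unknown" should be checked in the application interface rather than assumed patched.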
📡 Detection & Monitoring
Log Indicators:
- Unusual AgentSvc.exe activity
- Privilege escalation attempts
- Creation of unexpected processes with SYSTEM privileges
Network Indicators:
- None - this is a local privilege escalation
SIEM Query:
EventID=4688 AND NewProcessName LIKE '%\AgentSvc.exe' AND ParentProcessName NOT LIKE '%Panda%'
🔗 References
- https://github.com/SouhailHammou/Panda-Antivirus-LPE
- https://rce4fun.blogspot.com/2019/05/panda-antivirus-local-privilege.html
- https://www.pandasecurity.com/usa/support/card?id=100063