CVE-2024-7241
📋 TL;DR
This vulnerability allows local attackers to escalate privileges on Panda Security Dome installations by exploiting a link following flaw in the PSANHost service. Attackers with initial low-privileged access can create junctions to write arbitrary files and gain SYSTEM-level code execution. Only Panda Security Dome users are affected.
💻 Affected Systems
- Panda Security Dome
📦 What is this software?
Panda Dome by Pandasecurity
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, enabling installation of persistent malware, credential theft, and lateral movement across the network.
Likely Case
Local privilege escalation leading to administrative control of the affected endpoint, potentially enabling further attacks within the environment.
If Mitigated
Limited impact if proper endpoint security controls prevent initial low-privileged code execution and privilege escalation attempts are monitored.
🎯 Exploit Status
Exploitation requires existing low-privileged local access. The vulnerability was reported through the Zero Day Initiative as ZDI-CAN-23375 and has been published by ZDI, which suggests that exploit development is plausible.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Panda Security Dome updates for specific version
Vendor Advisory: https://www.pandasecurity.com/en/support/card?id=100066
Restart Required: Yes
Instructions:
1. Open the Panda Security Dome console.
2. Check for available updates.
3. Apply the latest security update.
4. Restart affected systems so that the PSANHost service runs the patched version.
🔧 Temporary Workarounds
Restrict PSANHost Service Permissions
Platform: Windows. Modify the PSANHost service permissions so that low-privileged users cannot interact with it. Run from an elevated Command Prompt (in PowerShell, type sc.exe rather than sc, because sc is an alias for Set-Content there). Record the current descriptor with sc sdshow PSANHost before changing it so it can be restored once the vendor update is applied; the descriptor below leaves SYSTEM and Administrators in control and gives interactive and service users query/status rights only, which is the baseline most Windows services already ship with, so compare it against the current one to see whether it actually tightens anything.
sc sdset PSANHost D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)
Disable PSANHost Service
Platform: Windows. Temporarily disable the vulnerable service if it is not critically needed, then confirm with sc query PSANHost that it reports STOPPED.
sc config PSANHost start= disabled
sc stop PSANHost
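The service-DACL workaround above is easy to apply but easy to forget to undo. As an added example (not code from the advisory or from Panda Security), the script below saves the current descriptor before applying the one from the advisory and provides a matching rollback; the service name and SDDL string are the advisory's, while the backup file location is an assumption. It must run in an elevated PowerShell session.

```powershell
# Added example, not from the advisory or from Panda Security: apply the
# service-DACL workaround reversibly. Run in an elevated PowerShell session.
# Service name and SDDL come from the advisory; the backup path is an assumption.
$ServiceName  = 'PSANHost'
$BackupPath   = Join-Path $env:ProgramData 'PSANHost-sddl-backup.txt'
$HardenedSddl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)'

function Get-ServiceSddl {
    param([Parameter(Mandatory)][string]$Name)
    # Note the .exe: inside PowerShell, plain "sc" is an alias for Set-Content.
    $out = & sc.exe sdshow $Name 2>&1
    if ($LASTEXITCODE -ne 0) { throw "sc sdshow $Name failed: $out" }
    # sdshow prints a blank line followed by the descriptor; keep the D: line.
    $sddl = $out | ForEach-Object { "$_".Trim() } | Where-Object { $_ -like 'D:*' } | Select-Object -First 1
    if (-not $sddl) { throw "no SDDL found in sc sdshow output for $Name" }
    $sddl
}

function Set-ServiceSddl {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Sddl)
    $out = & sc.exe sdset $Name $Sddl 2>&1
    if ($LASTEXITCODE -ne 0) { throw "sc sdset $Name failed: $out" }
}

function Invoke-PsanHostWorkaround {
    # Save the current descriptor once, then apply the hardened one.
    $current = Get-ServiceSddl -Name $ServiceName
    if (-not (Test-Path -LiteralPath $BackupPath)) {
        Set-Content -LiteralPath $BackupPath -Value $current -Encoding ASCII
    }
    if ($current -eq $HardenedSddl) {
        Write-Host "$ServiceName already has the target descriptor; nothing to change."
        return
    }
    Set-ServiceSddl -Name $ServiceName -Sddl $HardenedSddl
    Write-Host "Applied hardened descriptor to $ServiceName; previous one saved to $BackupPath"
}

function Undo-PsanHostWorkaround {
    # Put the saved descriptor back once the vendor update is installed.
    if (-not (Test-Path -LiteralPath $BackupPath)) { throw "no backup found at $BackupPath" }
    $saved = (Get-Content -LiteralPath $BackupPath -Raw).Trim()
    Set-ServiceSddl -Name $ServiceName -Sddl $saved
    Write-Host "Restored original descriptor for $ServiceName from $BackupPath"
}

Invoke-PsanHostWorkaround
# After patching: Undo-PsanHostWorkaround
```

If Get-ServiceSddl returns a string identical to $HardenedSddl, the service was already at the Windows default baseline and this workaround changes nothing; in that case rely on the patch and the detection guidance rather than on the DACL.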
🧯 If You Can't Patch
- Implement strict endpoint security controls to prevent initial low-privileged code execution
- Monitor for suspicious junction creation and PSANHost service activity using EDR/SIEM tools
🔍 How to Verify
Check if Vulnerable:
Check the Panda Security Dome version and compare it against the patched versions in the vendor advisory. Also verify whether the PSANHost service is installed and running.
Check Version:
Check Panda Dome interface or installed programs list for version information
Verify Fix Applied:
Verify Panda Security Dome is updated to latest version and PSANHost service shows updated file version/timestamp.
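The three checks above can be collected in one place. As an added example (not code from the advisory or from Panda Security), the script below reads the installed Panda products from the Uninstall registry keys (the same data as the Installed Programs list), reports the PSANHost service state, account, executable, file version and timestamp, and compares the file version against a value you supply. The service name is from the advisory; the patched version number is not given on this page, so $PatchedFileVersion is left empty as a placeholder to be filled in from the vendor advisory.

```powershell
# Added example, not from the advisory or from Panda Security: gather what the
# advisory says to check. PSANHost is from the advisory; the patched version is
# not on this page, so $PatchedFileVersion stays a placeholder until you fill it in.

function Get-PandaInstalledProducts {
    # Same data as the Installed Programs list, read from both Uninstall hives.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Panda*' } |
        Select-Object DisplayName, DisplayVersion, InstallDate
}

function Get-PsanHostStatus {
    param([string]$ServiceName = 'PSANHost')
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { return [pscustomobject]@{ Installed = $false; Service = $ServiceName } }
    # PathName may be quoted and may carry arguments; keep only the executable.
    $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
    $file = Get-Item -LiteralPath $exe -ErrorAction SilentlyContinue
    $fileVersion = $null
    $lastWrite   = $null
    if ($file) {
        $fileVersion = $file.VersionInfo.FileVersion
        $lastWrite   = $file.LastWriteTime
    }
    [pscustomobject]@{
        Installed   = $true
        Service     = $ServiceName
        State       = $svc.State
        StartMode   = $svc.StartMode
        RunsAs      = $svc.StartName
        Executable  = $exe
        FileVersion = $fileVersion
        LastWrite   = $lastWrite
    }
}

function Test-VersionAtLeast {
    param([string]$Observed, [version]$Required)
    # VersionInfo strings may carry suffixes; keep the leading dotted number only.
    if ($Observed -match '^\s*(\d+(\.\d+){1,3})') { return ([version]$Matches[1]) -ge $Required }
    $false
}

# PLACEHOLDER: set this to the patched PSANHost file version from the vendor advisory.
$PatchedFileVersion = $null

Get-PandaInstalledProducts | Format-Table -AutoSize
$status = Get-PsanHostStatus
$status | Format-List
if ($status.Installed -and $PatchedFileVersion) {
    $ok = Test-VersionAtLeast -Observed $status.FileVersion -Required $PatchedFileVersion
    Write-Host ("PSANHost file version {0} is at or above {1}: {2}" -f $status.FileVersion, $PatchedFileVersion, $ok)
} elseif ($status.Installed) {
    Write-Host 'Set $PatchedFileVersion from the vendor advisory to compare the PSANHost file version.'
}
```

A LastWrite timestamp older than the date of the vendor update, or a State of Running with a StartMode of Disabled, are the two results that most often mean the restart in the fix instructions has not happened yet.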
📡 Detection & Monitoring
Log Indicators:
- Unusual junction/symlink creation events
- PSANHost service writing to unexpected locations
- Process creation from PSANHost with SYSTEM privileges
Network Indicators:
- None - local exploitation only
SIEM Query:
EventID=4688 AND NewProcessName="*PSANHost*" AND SubjectUserName!="SYSTEM" AND TokenElevationType="%%1938"
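The SIEM query above is written in generic syntax. As an added example (not code from the advisory or from Panda Security), the script below expresses the same rule as a PowerShell function, checks it against three constructed sample events so the logic can be verified offline, and then offers a function that applies it to the live Security log via Get-WinEvent. Field names follow the EventData names of Security event 4688; the sample usernames, paths and values are constructed, and the code assumes process-creation auditing is already enabled.

```powershell
# Added example, not from the advisory or from Panda Security: the advisory's
# 4688 rule as a function, exercised on constructed sample events, plus a
# live-log variant. Sample data below is constructed, not real log output.

function Test-PsanHost4688Rule {
    # Mirrors: NewProcessName="*PSANHost*" AND SubjectUserName!="SYSTEM" AND TokenElevationType="%%1938"
    param([Parameter(Mandatory)]$Event)
    ($Event.NewProcessName -like '*PSANHost*') -and
    ($Event.SubjectUserName -ne 'SYSTEM') -and
    ($Event.TokenElevationType -eq '%%1938')
}

function ConvertFrom-Event4688 {
    # Flatten a Get-WinEvent record's EventData into an object keyed by each Data Name.
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $xml = [xml]$Record.ToXml()
    $props = [ordered]@{ TimeCreated = $Record.TimeCreated }
    foreach ($d in $xml.Event.EventData.Data) { $props[$d.Name] = $d.'#text' }
    [pscustomobject]$props
}

function Find-PsanHost4688 {
    # Live variant: read recent 4688 events from the Security log and apply the rule.
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object { ConvertFrom-Event4688 -Record $_ } |
        Where-Object { Test-PsanHost4688Rule -Event $_ } |
        Select-Object TimeCreated, SubjectUserName, NewProcessName, ParentProcessName, TokenElevationType
}

# Constructed sample events (not real log data). %%1936 = default token, %%1938 = limited token.
$samples = @(
    [pscustomobject]@{ Note = 'service start by SYSTEM';        SubjectUserName = 'SYSTEM'; NewProcessName = 'C:\constructed\PSANHost.exe'; TokenElevationType = '%%1936' }
    [pscustomobject]@{ Note = 'PSANHost launched by a user';    SubjectUserName = 'alice';  NewProcessName = 'C:\constructed\PSANHost.exe'; TokenElevationType = '%%1938' }
    [pscustomobject]@{ Note = 'unrelated user process';         SubjectUserName = 'alice';  NewProcessName = 'C:\Windows\System32\notepad.exe'; TokenElevationType = '%%1938' }
)

foreach ($s in $samples) {
    $hit = Test-PsanHost4688Rule -Event $s
    Write-Host ("{0,-5} {1}" -f $hit, $s.Note)
}
# Expected: only the second sample matches the rule.
# Live use (needs Security log read rights): Find-PsanHost4688 | Format-Table -AutoSize
```

As written, the rule fires whenever a non-SYSTEM account starts a PSANHost-named process with a limited token, so ParentProcessName is kept in the output to separate a user double-clicking a vendor binary from anything unexpected; the junction-creation indicator listed above needs file-system auditing or EDR telemetry and is not covered by 4688.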