CVE-2024-7243
📋 TL;DR
This vulnerability allows a local attacker who already has low-privileged code execution to escalate to SYSTEM by abusing a link-following flaw (symbolic link/NTFS junction handling) in the PSANHost executable of Panda Security Dome. Because PSANHost runs with SYSTEM privileges and follows attacker-controlled links when it writes files, the attacker can redirect those writes to create arbitrary files in protected locations, which is enough for full system compromise. Only Panda Security Dome installations are affected.
💻 Affected Systems
- Panda Security Dome
📦 What is this software?
Panda Dome is Panda Security's consumer endpoint protection suite. PSANHost.exe is one of its service components and runs as SYSTEM, which is why a file-handling flaw in it becomes a privilege-escalation primitive.
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover with SYSTEM privileges, enabling installation of persistent malware, credential theft, lateral movement, and data destruction.
Likely Case
Local privilege escalation from a standard user account to SYSTEM, allowing attackers to bypass security controls, install additional malware, and maintain persistence.
If Mitigated
Reduced likelihood rather than reduced severity: least privilege and application control make it harder for an attacker to obtain the initial low-privileged foothold, but once arbitrary code runs as a standard user the escalation path exists until the product is patched. Note that the vulnerable component is itself the endpoint protection agent, so "endpoint protection" cannot be relied on to block this.
🎯 Exploit Status
Exploitation requires local code execution as a low-privileged user and the ability to plant a junction or symbolic link in a location PSANHost writes to. The issue was reported through the Zero Day Initiative (ZDI-CAN-23413, published as ZDI-24-1013), which means technical details exist with the researcher and vendor; the references do not mention a public exploit or in-the-wild exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified in the provided references; obtain the fixed build number from Panda Security
Vendor Advisory: https://www.zerodayinitiative.com/advisories/ZDI-24-1013/
Restart Required: Yes (PSANHost.exe is a running SYSTEM service component, so assume a reboot is needed for the replaced binary to take effect)
Instructions:
1. Check Panda Security's official security advisories for patch availability
2. Apply the latest security update for Panda Security Dome
3. Restart affected systems to ensure patch activation
4. Verify the patch has been successfully applied
🔧 Temporary Workarounds
Restrict Symbolic Link Creation
Windows: Limit the ability to create symbolic links to administrators using Windows security policy (this is the default; check that Developer Mode or a custom policy has not extended it to ordinary users).
Configure via Group Policy: Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Create symbolic links
Caveat: this right (SeCreateSymbolicLinkPrivilege) only governs file-system symbolic links. NTFS junctions (mount points) can be created by any user with write access to a directory, and combining a junction with an object-manager symbolic link reproduces file-level redirection without the privilege. Treat this policy as hardening, not as a complete workaround.
Application Control
Windows: Implement application whitelisting to prevent unauthorized execution of low-privileged code
🧯 If You Can't Patch
- Implement strict least privilege principles to limit initial low-privileged access
- Monitor for files created by PSANHost.exe outside the product's own directories (Sysmon Event ID 11, or Security Event 4663 with a SACL on sensitive directories) and periodically scan directories the product writes to for unexpected reparse points (junctions/symlinks), since junction creation itself is not logged by default
🔍 How to Verify
Check if Vulnerable:
Check whether Panda Security Dome is installed and record its version. Look for PSANHost.exe in running processes (it should be running as SYSTEM) or in the installation directory.
Check Version:
Check Panda Security Dome's administrative console or about dialog for version information
Verify Fix Applied:
Compare the installed version against the fixed version published by Panda Security; the references do not state a fixed build number, so the vendor advisory is the source of truth. Confirm that PSANHost.exe on disk carries the updated file version and that the process has been restarted.
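The following PowerShell script is an added example (not code from Panda Security or ZDI) that performs the three checks above on one host: it locates PSANHost.exe, reports the installed product and file versions for comparison against the vendor advisory, confirms the process runs as SYSTEM, and reports who currently holds the "Create symbolic links" right. The Program Files search paths are assumptions; the registry Uninstall keys and secedit export format are standard Windows behaviour. Run it from an elevated prompt (secedit needs it).

```powershell
# Added example: inventory PSANHost.exe and the symlink-creation right on this host.
# Assumptions: PSANHost.exe lives somewhere under Program Files; the fixed build
# number is not in the references, so versions are reported, not judged.
$ErrorActionPreference = 'SilentlyContinue'

# 1. Locate the component: prefer the running process, fall back to a disk search.
$proc = Get-Process -Name 'PSANHost' | Select-Object -First 1
if ($proc) {
    $exe = $proc.Path
} else {
    $exe = Get-ChildItem -Path $env:ProgramFiles, ${env:ProgramFiles(x86)} `
        -Filter 'PSANHost.exe' -Recurse -File |
        Select-Object -First 1 -ExpandProperty FullName
}
if (-not $exe) {
    Write-Output 'PSANHost.exe not found: Panda Security Dome does not appear to be installed.'
    return
}

# 2. Does the process run as SYSTEM? (It should; that is what makes the flaw dangerous.)
$owner = $null
$cim = Get-CimInstance -ClassName Win32_Process -Filter "Name = 'PSANHost.exe'" | Select-Object -First 1
if ($cim) { $owner = (Invoke-CimMethod -InputObject $cim -MethodName GetOwner).User }

# 3. Product version from the Uninstall registry keys (both 32- and 64-bit views).
$uninstall = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$product = Get-ItemProperty -Path $uninstall |
    Where-Object { $_.DisplayName -like '*Panda*' } |
    Select-Object -First 1 DisplayName, DisplayVersion

# 4. Who holds SeCreateSymbolicLinkPrivilege? Default is *S-1-5-32-544 (Administrators).
$cfg = Join-Path $env:TEMP 'userrights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$symlinkRight = (Select-String -Path $cfg -Pattern '^SeCreateSymbolicLinkPrivilege' |
    Select-Object -First 1).Line
Remove-Item $cfg -Force

$vi = (Get-Item -Path $exe).VersionInfo
[pscustomobject]@{
    Path                 = $exe
    FileVersion          = $vi.FileVersion
    ProductVersion       = $vi.ProductVersion
    InstalledProduct     = $product.DisplayName
    InstalledVersion     = $product.DisplayVersion
    ProcessRunning       = [bool]$proc
    ProcessOwner         = $owner
    SymlinkRightHolders  = $symlinkRight
} | Format-List
```

Record FileVersion before and after applying the vendor update; if the value is unchanged or ProcessRunning shows the old binary still resident, the fix has not taken effect yet. A SymlinkRightHolders line listing anything beyond S-1-5-32-544 means standard users can create symbolic links, but remember that junctions need no privilege at all.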
📡 Detection & Monitoring
Log Indicators:
- Files created by PSANHost.exe (running as SYSTEM) in locations outside the product's own directories, especially under System32, SysWOW64, or Program Files; in a link-following attack the privileged process, not the attacker's shell, is the one performing the write
- Reparse points (junctions or symbolic links) appearing in directories that Panda Security Dome writes to, created by a non-administrative user shortly before such a file creation
- Follow-on activity consistent with SYSTEM-level access gained by a standard user, such as new services or scheduled tasks appearing after the write (Security Event 4697/4698)
Network Indicators:
- Not applicable - this is a local privilege escalation vulnerability
SIEM Query:
File-create events (Sysmon Event ID 11, or Security Event 4663 with a SACL on the target directories) where process_name ends with 'PSANHost.exe' AND target_path is under a sensitive system directory; correlate with reparse-point creation by a non-admin user in a product-writable directory within the preceding minutes
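As an added example of the query above in runnable form (this is not code from Panda Security or ZDI), the PowerShell below hunts both sides of a link-following attack on one host: Sysmon Event ID 11 records where PSANHost.exe created a file under a sensitive directory, and reparse points planted in directories the product writes to. It assumes Sysmon is installed with FileCreate logging enabled; the Panda data directory under ProgramData and the sensitive-path list are assumptions to adjust for your installation.

```powershell
# Added example: hunt for link-following abuse of PSANHost.exe.
# Assumptions: Sysmon writes to Microsoft-Windows-Sysmon/Operational with Event ID 11
# enabled; the product's writable data lives under "$env:ProgramData\Panda Security".
$Hours     = 24
$since     = (Get-Date).AddHours(-$Hours)
$sensitive = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64", $env:ProgramFiles)
$pandaDirs = @("$env:ProgramData\Panda Security")   # assumption: adjust to your install

# Side 1: the privileged writer. A Sysmon 11 whose Image is PSANHost.exe and whose
# TargetFilename resolved under a sensitive root is exactly what a redirected write looks like.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 11
    StartTime = $since
} -ErrorAction SilentlyContinue

$writes = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.Image -notlike '*\PSANHost.exe') { continue }
    foreach ($root in $sensitive) {
        if ($d.TargetFilename -like "$root\*") {
            [pscustomobject]@{
                Time   = $e.TimeCreated
                Image  = $d.Image
                Target = $d.TargetFilename
            }
        }
    }
}

# Side 2: the planted link. Junction creation is not logged by default, so scan the
# product's writable tree for reparse points and show where each one points.
$links = foreach ($dir in $pandaDirs) {
    Get-ChildItem -Path $dir -Recurse -Attributes ReparsePoint -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path     = $_.FullName
                LinkType = $_.LinkType
                Target   = ($_.Target -join ';')
                Created  = $_.CreationTime
            }
        }
}

Write-Output "PSANHost.exe file creations under sensitive roots (last $Hours h): $(@($writes).Count)"
$writes | Format-Table -AutoSize
Write-Output "Reparse points under product directories: $(@($links).Count)"
$links | Format-Table -AutoSize
```

Any row in the first table should be triaged as a probable exploitation attempt; a legitimate update of the product writes into its own tree, not into System32. A reparse point in the second table whose Target points outside the product's directories, and whose CreationTime falls just before a row in the first table, is the pairing the SIEM correlation above is meant to surface.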