CVE-2024-7245
📋 TL;DR
This vulnerability in Panda Security Dome VPN allows local attackers to escalate privileges from a low-privileged user account to SYSTEM level by exploiting incorrect folder permissions set by the Hydra Sdk Windows Service. It affects installations of Panda Security Dome where an attacker already has initial access to execute code. The flaw enables arbitrary code execution with the highest system privileges.
💻 Affected Systems
- Panda Security Dome VPN
📦 What is this software?
Panda Dome by Panda Security
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, enabling installation of persistent malware, credential theft, lateral movement, and data exfiltration.
Likely Case
Local privilege escalation leading to administrative control over the affected system, allowing attackers to disable security controls and maintain persistence.
If Mitigated
Limited impact if proper access controls prevent initial low-privileged code execution and folder permissions are properly managed.
🎯 Exploit Status
Exploitation requires local access and ability to execute low-privileged code first. The vulnerability is straightforward to exploit once initial access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified in available references
Vendor Advisory: https://www.zerodayinitiative.com/advisories/ZDI-24-1015/
Restart Required: Yes
Instructions:
1. Check the Panda Security Dome version.
2. Apply the latest security updates from Panda Security.
3. Restart affected systems.
4. Verify that the folder permissions have been corrected.
🔧 Temporary Workarounds
Restrict folder permissions
Manually set proper permissions on folders created by the Hydra Sdk Windows Service to prevent unauthorized write access. The path below is a placeholder; confirm the actual folder and the principals that currently hold write rights on it (icacls on the folder prints the current ACL) before changing anything. Note that /inheritance:r only strips inherited entries, so any explicit write grant to a low-privileged principal must be removed separately, and the (OI)(CI) flags are needed so the new grants propagate to the files and subfolders the service creates.
icacls "C:\Path\To\Vulnerable\Folder" /inheritance:r
icacls "C:\Path\To\Vulnerable\Folder" /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F"
icacls "C:\Path\To\Vulnerable\Folder" /remove:g Users "Authenticated Users" Everyone
Disable vulnerable service
Temporarily disable the Hydra Sdk Windows Service if it is not required for operations (this disables the VPN component; confirm the exact service name with sc query before running these commands).
sc stop "HydraSdkService"
sc config "HydraSdkService" start= disabled
🧯 If You Can't Patch
- Implement strict access controls to prevent initial low-privileged code execution
- Monitor and audit folder permission changes and service activities
🔍 How to Verify
Check if Vulnerable:
Check if Panda Security Dome is installed and review folder permissions created by Hydra Sdk service for excessive write permissions.
Check Version:
Check Panda Security Dome version through control panel or vendor documentation
Verify Fix Applied:
Verify Panda Security Dome is updated to latest version and check that vulnerable folder permissions have been corrected.
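The permission review called for under "Restrict folder permissions" and "Check if Vulnerable" can be scripted. The following is an added audit script, not code from the advisory or from Panda Security; the folder path is an assumed placeholder, and the low-privileged principals it looks for (Everyone, Authenticated Users, Users, ANONYMOUS LOGON) are well-known SIDs rather than anything the advisory names.

```powershell
# Added audit script (not from the advisory or Panda Security): lists every Allow ACE
# under $Path that gives a low-privileged principal write-class rights. The default
# path is a placeholder; point it at the folder the Hydra Sdk Windows Service creates.
param([string]$Path = 'C:\Path\To\Vulnerable\Folder')

# Matched by SID so localized account names do not matter.
$LowPrivSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-7'        # ANONYMOUS LOGON
)
# Rights that allow adding, replacing, deleting or re-permissioning content.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, Delete, ChangePermissions, TakeOwnership'
# GENERIC_ALL | GENERIC_WRITE: not in the enum above but present on some ACEs.
$GenericWriteMask = 0x10000000 -bor 0x40000000

function Test-WeakFolderAcl {
    param([string]$Target)
    $findings = @()
    $items = @(Get-Item -LiteralPath $Target -Force) +
             @(Get-ChildItem -LiteralPath $Target -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { continue }
            if ($LowPrivSids -notcontains $sid) { continue }
            $rights = [int]$ace.FileSystemRights
            if ((($rights -band $WriteMask) -eq 0) -and (($rights -band $GenericWriteMask) -eq 0)) { continue }
            $findings += [pscustomobject]@{
                Path      = $item.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
    return $findings
}

$weak = Test-WeakFolderAcl -Target $Path
if (-not $weak) { "No write-capable ACEs for low-privileged principals under $Path" }
else { $weak | Format-Table -AutoSize }
```

Run it as an administrator so every subfolder can be read; an empty result after patching or applying the icacls workaround is the expected "fix applied" state, while any row in the table is a location that still needs its ACL tightened.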
📡 Detection & Monitoring
Log Indicators:
- Unexpected folder permission changes
- Suspicious service activities from Hydra Sdk
- Privilege escalation attempts
Network Indicators:
- Unusual outbound connections from systems with Panda Security Dome
SIEM Query:
(EventID=4688 AND ProcessName LIKE '%hydra%') OR (EventID=4672 AND AccountName='SYSTEM'), correlated with preceding activity by a low-privileged user on the same host