Panda Global Security version 17.0.1 allows local users to gain privileges or cause a denial of service by impersonating all the pipes through the use of an insecurely created named pipe.
78a633d42e79810dad6911634f7b45e9
=====[ Tempest Security Intelligence - ADV-17/2018 ]===
Panda Global Security 17.0.1 - NULL DACL grants full access
-------------------------------------------------------
Author:
- Filipe Xavier Oliveira: < filipe.xavier () tempest.com.br >
=====[ Table of Contents
]=====================================================
* Overview
* Detailed description
* Timeline of disclosure
* Thanks & Acknowledgements
* References
=====[ Overview
]==============================================================
* System affected : Panda Global Security [1]
* Software Version : 17.0.1. Other versions or models may also be affected.
* Impact : A low priveliged user can access and modify the DACL of pipe
with full access allowed. The NULL DACL grants full access to any user
that requests it; normal security checking is not performed with respect
to the object.
=====[ Detailed description
]==================================================
Panda Global Protection 17.0.1 allows local users to gain privileges or
cause a denial of service by impersonating all the pipes through a use
of \\.\pipe\PSANMSrvcPpal -- an "insecurely created named pipe."
Ensures full access to Everyone users group.
=====[ Timeline of disclosure
]===============================================
26/01/2018 - Vendor was informed of the vulnerability.
01/26/2018 - CVE assigned [2].
02/05/2018 - Vendor did not respond.
03/06/2018 - Advisory publication date.
=====[ Thanks & Acknowledgements
]============================================
- Tempest Security Intelligence / Tempest's Pentest Team [3]
=====[ References
]===========================================================
[1] - https://www.pandasecurity.com
[2] - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6322
[3] - http://www.tempest.com.br/
--
Filipe Oliveira
Tempest Security Intelligence