Back

Bitdefender BOX v2 bootstrap update_setup command execution vulnerability (VA-2226)

Publication date: December 30th, 2019

CVE ID:

CVE-2019-17102

CVSS scrore:

8.3 - https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Affected vendors:

Bitdefender

Affected products:

Bitdefender BOX v2

Vulnerability details:

An exploitable command execution vulnerability exists in the recovery partition of Bitdefender BOX 2, version 2.0.1.91. The API method `/api/update_setup` does not perform firmware signature checks atomically, leading to an exploitable race condition (TOCTTOU) that allows arbitrary execution of system commands.

Additional details:

Updating to firmware version 2.1.47.36 resolves this issue.

Disclosure timeline:

2019-10-31 - Vendor Disclosure 2019-12-30 - Public Release

Credit:

Bugcrowd user Mongo