Command injection vulnerability in Bitdefender BOX v2 (VA-5706)

Publication date: January 22nd, 2020

CVE ID: CVE-2019-17095
CVSS score: 8.1 - https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Affected vendors: Bitdefender
Affected products: Bitdefender BOX v2

Vulnerability details:

A command injection vulnerability has been discovered in the bootstrap stage of Bitdefender BOX 2, versions 2.1.47.42 and 2.1.53.45. The API method `/api/download_image` unsafely handles the production firmware URL supplied by remote servers, leading to arbitrary execution of system commands. To exploit the condition, an unauthenticated attacker must impersonate an infrastructure server in order to trigger this vulnerability.
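
The vulnerability class described above is the familiar one of a firmware URL that arrives from a remote party and ends up inside a shell command line. The following is an added illustration (not Bitdefender's code, and not taken from this advisory) of that anti-pattern next to a hardened handler: the URL is validated against an https-only, allowlisted-host policy and rejected if it carries shell metacharacters, and the download command is built as an argument list so that no shell ever parses the URL. The function names, the allowlist host `updates.example-vendor.invalid` and the sample URLs are all constructed for the example.

```python
"""Illustrative firmware-download handler: the unsafe pattern and a hardened one.

Added example, not the vendor's code. Function names, the host allowlist and
the sample URLs are constructed for illustration only.
"""
import re
import subprocess
from urllib.parse import urlparse

# Constructed allowlist of update hosts (hypothetical name, not a real server).
ALLOWED_HOSTS = {"updates.example-vendor.invalid"}

# Characters that must never reach a shell from remote-supplied data.
_SHELL_META = set(";|&$`<>()\\'\"\n\r")


def build_unsafe_command(url: str) -> str:
    """The anti-pattern: interpolating remote-supplied data into a shell string.

    Any shell metacharacter in `url` changes what the shell executes. The
    string is only returned here, never executed, so the difference to the
    hardened form below is visible.
    """
    return "wget -O /tmp/firmware.img " + url


def validate_firmware_url(url: str) -> str:
    """Return `url` unchanged if it is an https URL to an allowlisted host
    with a simple path; raise ValueError otherwise."""
    if any(ch.isspace() or ch in _SHELL_META for ch in url):
        raise ValueError("shell metacharacters or whitespace in URL")
    parts = urlparse(url)
    if parts.scheme != "https":
        raise ValueError("only https is accepted")
    if parts.hostname not in ALLOWED_HOSTS:
        raise ValueError("host not in allowlist")
    if parts.username or parts.password:
        raise ValueError("credentials in URL not accepted")
    if not re.fullmatch(r"/[A-Za-z0-9._/-]*", parts.path or "/"):
        raise ValueError("unexpected characters in path")
    return url


def is_acceptable(url: str) -> bool:
    """Boolean wrapper around validate_firmware_url for callers that log
    and drop bad input instead of raising."""
    try:
        validate_firmware_url(url)
    except ValueError:
        return False
    return True


def build_safe_command(url: str) -> list[str]:
    """Hardened form: validate first, then return an argv list.

    With an argv list there is no shell to interpret metacharacters, and the
    `--` terminates wget's option parsing so a URL beginning with '-' cannot
    be read as a flag.
    """
    url = validate_firmware_url(url)
    return ["wget", "-O", "/tmp/firmware.img", "--", url]


def download_firmware(url: str) -> int:
    """Run the hardened command without a shell and return its exit code.

    Not exercised by the checks below, since it would touch the network.
    """
    argv = build_safe_command(url)
    return subprocess.run(argv, shell=False, check=False, timeout=300).returncode
```

The metacharacter check is a belt-and-braces measure: once the command is an argv list the shell is out of the picture, but rejecting such input early also gives a clean signal for logging and detection. Note that validation of the URL's syntax does not replace authenticating the server that supplied it; an allowlisted hostname only helps if the TLS connection actually verifies that host.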

Additional details:
An update that mitigates the issue has been delivered in:
  Bitdefender Central Android App version 2.0.66.88
  Bitdefender Central iOS App version 2.0.66

Credit:
Claudio Bozzato, Lilith Wyatt and Dave McDaniel of Cisco Talos