
Privilege escalation in Bitdefender Premium VPN client (VA-8430)

Publication date: May 26th, 2020


CVE ID:
CVE-2020-12828
CVSS score:
7.0 - https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
Affected vendors:
Bitdefender
Affected products:
Bitdefender Antivirus Plus; Bitdefender Internet Security; Bitdefender Total Security
Vulnerability details:

A vulnerability in the AnchorFree VPN SDK component as used in Bitdefender Premium VPN versions 24.0.4.702 and earlier allows an attacker to pass data to a socket bound to localhost. Binding to the socket and providing a path where a malicious executable file resides leads to executing the malicious executable file with SYSTEM privileges.

This issue affects AnchorFree VPN SDK 1.3.3.218 version as used in Bitdefender Premium VPN 24.0.4.702 version and prior versions.
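The weakness described above is a privileged service that launches whatever path a local client hands it. The check below is an added example of the gate such a service should apply before spawning anything; it is not Bitdefender's or AnchorFree's code, and it assumes the service keeps its helper binaries under a fixed trusted directory (the directory tree it builds is constructed for the demonstration).

```python
import os
import stat
import tempfile


def validate_executable_path(requested: str, allowed_roots: list[str]) -> bool:
    """True only if `requested` is an absolute path that resolves to a regular,
    non-world-writable file inside one of `allowed_roots`."""
    if not requested or "\x00" in requested or not os.path.isabs(requested):
        return False
    real = os.path.normcase(os.path.realpath(requested))  # follows symlinks, drops '..'
    for root in allowed_roots:
        root_real = os.path.normcase(os.path.realpath(root))
        try:
            if os.path.commonpath([root_real, real]) != root_real:
                continue  # resolved target lies outside this trusted root
        except ValueError:  # e.g. different drive letters on Windows
            continue
        try:
            st = os.stat(real)
        except OSError:
            return False
        # Reject directories/devices and (POSIX mode bits only; on Windows the
        # equivalent is an ACL check) anything unprivileged users could overwrite.
        if not stat.S_ISREG(st.st_mode) or (os.name != "nt" and st.st_mode & stat.S_IWOTH):
            return False
        return True  # only at this point should the service spawn the file
    return False


def make_demo_tree() -> dict:
    """Constructed fixture: a trusted root holding a proper binary and a
    world-writable one, a user directory holding a binary, and a symlink
    under the trusted root that points at the user binary."""
    base = tempfile.mkdtemp()
    trusted, user = os.path.join(base, "trusted"), os.path.join(base, "user")
    for d in (trusted, user):
        os.makedirs(d)
    paths = {"root": trusted, "good": os.path.join(trusted, "helper.exe"),
             "loose": os.path.join(trusted, "loose.exe"),
             "bad": os.path.join(user, "payload.exe")}
    for key in ("good", "loose", "bad"):
        with open(paths[key], "w") as fh:
            fh.write("stub")
    os.chmod(paths["good"], 0o755)
    os.chmod(paths["loose"], 0o666)
    paths["link"] = os.path.join(trusted, "link.exe")
    os.symlink(paths["bad"], paths["link"])
    paths["posix"] = os.name != "nt"  # world-writable test only meaningful on POSIX
    return paths
```

Path validation alone is not sufficient: a socket bound to localhost is reachable by every local user, so the service should also verify who is on the other end before honouring any launch request.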

Additional details:
An automatic update to Bitdefender Antivirus Plus; Bitdefender Internet Security; Bitdefender Total Security version 24.0.4.702 or higher fixes the issue.
Credit:
Bugcrowd user 0xsha