Bitdefender BOX v2 bootstrap update_setup command execution vulnerability (VA-2226)

Publication date: December 30th, 2019


CVE ID:
CVE-2019-17102
CVSS score:
8.3 - https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Affected vendors:
Bitdefender
Affected products:
Bitdefender BOX v2
Vulnerability details:

An exploitable command execution vulnerability exists in the recovery partition of Bitdefender BOX 2, version 2.0.1.91. The API method `/api/update_setup` does not perform the firmware signature check and the subsequent use of the firmware image as a single atomic step. This leaves a time-of-check-to-time-of-use (TOCTTOU) race window in which the image that was verified can differ from the image that is used, allowing arbitrary execution of system commands.
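The following is an added illustration of the vulnerability class described above, not code from Bitdefender or from the BOX 2 firmware. It contrasts an updater that verifies a file on disk and then re-opens the same path to apply it (the TOCTTOU pattern) with one that reads the image once and verifies and applies the very same bytes. The HMAC-SHA256 "signature", the `SIGNING_KEY`, the `apply_update` stand-in and the sample payloads are all constructed for the demo; a real device would use a public-key signature, but the lesson is the same.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed demo key. A real updater verifies a public-key signature; an HMAC
# is used here only so the example is self-contained.
SIGNING_KEY = b"constructed-demo-key"


def sign(data: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, data, hashlib.sha256).digest()


def verify(data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(data), sig)


def apply_update(image: bytes) -> str:
    """Stand-in for flashing/running the image: returns what would be executed."""
    return image.decode()


def update_setup_vulnerable(path: str, sig: bytes, attacker_swap=None) -> str:
    """Check on one open(), use on a second open(): classic TOCTTOU."""
    with open(path, "rb") as f:          # time of check
        if not verify(f.read(), sig):
            raise PermissionError("bad firmware signature")
    if attacker_swap is not None:        # race window: file replaced here
        attacker_swap(path)
    with open(path, "rb") as f:          # time of use: re-reads the path
        return apply_update(f.read())


def update_setup_fixed(path: str, sig: bytes, attacker_swap=None) -> str:
    """Read once; verify and apply the same in-memory bytes."""
    with open(path, "rb") as f:
        image = f.read()
    if attacker_swap is not None:        # the swap can still happen ...
        attacker_swap(path)
    if not verify(image, sig):           # ... but it no longer matters
        raise PermissionError("bad firmware signature")
    return apply_update(image)


def demo() -> tuple:
    """Run both updaters against a concurrent file swap; returns what each applied."""
    legit = b"legitimate signed update"            # constructed sample image
    evil = b"attacker-controlled command"           # constructed sample image
    sig = sign(legit)                               # only the legit image is signed

    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "firmware.bin")

        def write(data: bytes) -> None:
            with open(path, "wb") as f:
                f.write(data)

        def swap(_path: str) -> None:               # simulated racing attacker
            write(evil)

        write(legit)
        applied_by_vulnerable = update_setup_vulnerable(path, sig, swap)
        write(legit)
        applied_by_fixed = update_setup_fixed(path, sig, swap)
        return applied_by_vulnerable, applied_by_fixed


def fixed_rejects_unsigned() -> bool:
    """The hardened path must refuse an image whose bytes do not match the signature."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "firmware.bin")
        with open(path, "wb") as f:
            f.write(b"attacker-controlled command")
        try:
            update_setup_fixed(path, sign(b"legitimate signed update"))
        except PermissionError:
            return True
        return False


if __name__ == "__main__":
    print(demo())
```

On a real device the image may be too large to hold in memory; the equivalent fix is to open the file once, verify and apply through that same file descriptor (never re-resolving the path), and to stage the image in a location the requesting client cannot write to while the check runs.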

Additional details:
Updating to firmware version 2.1.47.36 resolves this issue.
Disclosure timeline:
2019-10-31 - Vendor Disclosure
2019-12-30 - Public Release
Credit:
Bugcrowd user Mongo