Back

Insecure Trust of certificates using collision hash functions in Bitdefender Total Security HTTPS Scanning (VA-11239)

Publication date: October 18th, 2024


CVE ID:
CVE-2023-49567
CVSS scrore:
8.6 - CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N
Affected vendors:
Bitdefender
Affected products:
Total Security
Vulnerability details:

A vulnerability has been identified in the Bitdefender Total Security HTTPS scanning functionality where the product incorrectly checks the site’s certificate, which allows an attacker to make MITM SSL connections to an arbitrary site. The product trusts certificates that are issued using the MD5 and SHA1 collision hash functions which allow attackers to create rogue certificates that appear legitimate.

Additional details:
An automatic update to product version 27.0.25.115 fixes the issue.