SB2019013105 - Remote code execution in Bitdefender SafePay

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Input validation error (CVE-ID: CVE-2019-6738)

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists within the processing of TIScript due to insufficient validation of user-supplied input. A remote attacker can trick the victim into visiting a malicious page or opening a malicious file and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

2) Input validation error (CVE-ID: CVE-2019-6737)

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists within handling of the openFile method due to insufficient validation of user-supplied input. A remote attacker can trick the victim into visiting a malicious page or opening a malicious file and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

3) Command injection (CVE-ID: CVE-2019-6736)

The vulnerability allows a remote attacker to execute arbitrary commands.

The vulnerability exists within the processing of tiscript due to insufficient validation of user-supplied input when processing the System.Exec method. A remote attacker can trick the victim into visiting a malicious page or opening a malicious file, inject arbitrary commands and execute arbitrary code with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise

Remediation

Install update from vendor's website.

References

• https://www.zerodayinitiative.com/advisories/ZDI-19-159/
• https://www.zerodayinitiative.com/advisories/ZDI-19-158/
• https://www.zerodayinitiative.com/advisories/ZDI-19-157/