Main Vulnerability Database SB2020012214

SB2020012214 - Remote command execution in Bitdefender BOX 2

Published: January 22, 2020

Security Bulletin ID SB2020012214

Severity

High

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Improper Resource Locking (CVE-ID: CVE-2019-17102)

The vulnerability allows a remote attacker to execute arbitrary commands on the target system.

The vulnerability exists in the recovery partition of Bitdefender BOX 2 due to the API method "/api/update_setup" does not perform firmware signature checks atomically. A remote attacker can send a series of HTTP requests to the device while in the bootstrap stage, cause race condition and execute arbitrary commands on the system.

Remediation

Install update from vendor's website.

References

https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0918