3 matches found
CVE-2019-17102
An exploitable command execution vulnerability exists in the recovery partition of Bitdefender BOX 2, version 2.0.1.91. The API method /api/updatesetup does not perform firmware signature checks atomically, leading to an exploitable race condition TOCTTOU that allows arbitrary execution of system...
CVE-2019-17102 Bitdefender BOX v2 bootstrap update_setup command execution vulnerability (VA-2226)
An exploitable command execution vulnerability exists in the recovery partition of Bitdefender BOX 2, version 2.0.1.91. The API method /api/updatesetup does not perform firmware signature checks atomically, leading to an exploitable race condition TOCTTOU that allows arbitrary execution of system...
CVE-2019-17102
The CVE-2019-17102 issue affects Bitdefender BOX 2 bootstrapping. A TOCTTOU race condition arises in the update_setup flow: POST requests to /api/update_setup acquire an atomic lock, but the parallel forked update_setup runs install_full_ws after extracting a signed full_ws.tar.gz. An attacker ca...