Vulnerability Spotlight: Bitdefender BOX 2 bootstrap remote code execution vulnerabilities

2020-01-21T09:29:09
ID TALOSBLOG:52E2428EE886F4A80CA4B16A8132322B
Type talosblog
Reporter noreply@blogger.com (Jon Munshaw)
Modified 2020-01-21T09:29:09

Description

Claudio Bozzato, Lilith Wyatt and Dave McDaniel of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

The Bitdefender BOX 2 contains two remote code execution vulnerabilities in its bootstrap stage. The BOX 2 is a device that protects users’ home networks from a variety of threats, such as malware, phishing IOCs and other forms of cyber attacks. It also allows the user to monitor specific devices on the network and limit their internet access. These vulnerabilities could allow an attacker to gain the ability to arbitrarily execute system commands.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Bitdefender to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details

Bitdefender BOX 2 bootstrap download_image command injection vulnerability (TALOS-2019-0919/CVE-2019-17095, CVE-2019-17096)

An exploitable command injection vulnerability exists in the bootstrap stage of Bitdefender BOX 2, versions 2.1.47.42 and 2.1.53.45. The API method /api/download_image unsafely handles the production firmware URL supplied by remote servers, leading to arbitrary execution of system commands. To trigger this vulnerability, an unauthenticated attacker needs to impersonate a remote nimbus server.

Read the complete vulnerability advisory here for additional information.
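The general pattern behind a finding of this kind, shown as an added illustration that is not taken from the advisory and is not Bitdefender's code: a URL received from a remote server is spliced into a shell command string, so shell metacharacters in the URL change what gets executed. The hardened form validates the URL against a pinned scheme and host and hands it to the downloader as a single argv element with no shell in between. The allowlist host updates.example.net, the staging path and the wget invocation are assumptions made for the example.

```python
import shlex
import subprocess
from urllib.parse import urlsplit

# Constructed allowlist of firmware hosts for this example; hypothetical, not
# Bitdefender's update infrastructure.
ALLOWED_HOSTS = {"updates.example.net"}
STAGING_FILE = "/tmp/firmware.bin"  # hypothetical download location


def unsafe_download_command(url: str) -> str:
    """Vulnerable pattern: a server-supplied URL is spliced into one shell
    string. Every character the shell treats specially (';', '|', '$(...)',
    backticks, whitespace) now changes what the shell runs."""
    return f"wget -O {STAGING_FILE} {url}"


def shell_word_count(url: str) -> int:
    """How many shell words the URL becomes inside the unsafe command string.
    A well-formed URL is exactly one word; more than one means the shell
    would see extra tokens the programmer never intended."""
    return len(shlex.split(unsafe_download_command(url))) - 3  # minus: wget -O FILE


def build_download_argv(url: str) -> list:
    """Hardened pattern: validate the URL, then pass it as a single argv
    element. With no shell in the path, metacharacters are inert data."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("firmware URL must use https")
    if parts.hostname not in ALLOWED_HOSTS:
        raise ValueError(f"host {parts.hostname!r} is not an approved update server")
    if not parts.path.endswith(".bin"):
        raise ValueError("unexpected firmware filename")
    return ["wget", "-O", STAGING_FILE, url]


def url_accepted(url: str) -> bool:
    """True when the validator would let the URL through."""
    try:
        build_download_argv(url)
        return True
    except ValueError:
        return False


def download_firmware(url: str) -> None:
    """Runs the downloader without a shell: the argv list goes straight to execve."""
    subprocess.run(build_download_argv(url), check=True)  # shell=False is the default


if __name__ == "__main__":
    hostile = "https://updates.example.net/fw.bin; echo injected"  # constructed input
    print("shell words from hostile URL:", shell_word_count(hostile))  # 3, not 1
    print("validator accepts hostile URL:", url_accepted(hostile))     # False
    print(build_download_argv("https://updates.example.net/fw.bin"))
```

The important design point is the second half: even a URL that passes the validator is passed as one argv element, so a metacharacter that survives validation reaches wget as part of a (malformed) URL rather than reaching a shell. Pinning https and the host also means a rogue server that manages to answer the device's update query cannot redirect the download elsewhere.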

Bitdefender BOX 2 bootstrap update_setup command execution vulnerability (TALOS-2019-0918)

An exploitable command execution vulnerability exists in the recovery partition of Bitdefender BOX 2, version 2.0.1.91. The API method /api/update_setup does not perform firmware signature checks atomically, leading to an exploitable time-of-check-to-time-of-use (TOCTTOU) race condition that allows arbitrary execution of system commands. To trigger this vulnerability, an unauthenticated attacker can send a series of HTTP requests to the device while it is in the bootstrap stage.

Read the complete vulnerability advisory here for additional information.
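The non-atomic check described above, modelled as an added example that is not taken from the advisory and is not Bitdefender's code: a naive updater verifies the signature of a staged file on disk and then re-reads the same path to install it, so any write that lands on that path between the two reads is installed unverified. The hardened updater verifies the bytes it holds in memory, installs that same buffer, and serialises update requests behind a lock. The HMAC-SHA256 tag, the constructed key and the sample images stand in for the vendor's real signature scheme and are assumptions made for the example.

```python
import hashlib
import hmac
import os
import tempfile
import threading

# Constructed stand-in for the vendor signing key (hypothetical). A real device
# verifies an asymmetric signature against a pinned public key; HMAC-SHA256
# keeps this example free of third-party dependencies.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"


def sign_image(image: bytes) -> bytes:
    """Tag a legitimate build pipeline would attach to a firmware image."""
    return hmac.new(SIGNING_KEY, image, hashlib.sha256).digest()


def signature_valid(image: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign_image(image), sig)


class NaiveUpdater:
    """Checks the file on disk, then re-reads the same path to install it.
    The gap between the check and the re-read is the TOCTTOU window: whatever
    lands on that path in between is installed without ever being verified."""

    def __init__(self, staging_path: str):
        self.staging_path = staging_path
        self.installed = None

    def update_setup(self, image: bytes, sig: bytes, concurrent=None) -> bool:
        with open(self.staging_path, "wb") as f:
            f.write(image)
        with open(self.staging_path, "rb") as f:  # time of check
            if not signature_valid(f.read(), sig):
                return False
        if concurrent:                             # models a second request landing here
            concurrent()
        with open(self.staging_path, "rb") as f:  # time of use: a second, unverified read
            self.installed = f.read()
        return True


class AtomicUpdater:
    """Verifies the bytes it is about to install, never a path that can change
    underneath it, and serialises update requests behind a lock."""

    def __init__(self, staging_path: str):
        self.staging_path = staging_path
        self.installed = None
        self._lock = threading.Lock()

    def update_setup(self, image: bytes, sig: bytes, concurrent=None) -> bool:
        with self._lock:
            if not signature_valid(image, sig):    # check the in-memory buffer
                return False
            if concurrent:
                concurrent()                       # disk may change; the buffer does not
            with open(self.staging_path, "wb") as f:
                f.write(image)                     # write the verified bytes ...
            self.installed = image                 # ... and install that same buffer
            return True


def demonstrate(workdir=None) -> dict:
    """Run both updaters on a genuine signed image while a modelled second
    request overwrites the staging file inside the check/use gap. Returns, per
    updater: (request accepted, genuine image installed, unsigned image rejected)."""
    workdir = workdir or tempfile.mkdtemp()
    genuine = b"GENUINE-FIRMWARE"   # constructed sample image
    sig = sign_image(genuine)
    rogue = b"UNSIGNED-IMAGE"       # constructed: carries no valid signature
    results = {}
    for name, cls in (("naive", NaiveUpdater), ("atomic", AtomicUpdater)):
        path = os.path.join(workdir, f"{name}.img")
        updater = cls(path)

        def second_request(path=path):
            with open(path, "wb") as f:
                f.write(rogue)

        accepted = updater.update_setup(genuine, sig, concurrent=second_request)
        installed_genuine = updater.installed == genuine
        rejects_unsigned = not updater.update_setup(rogue, bytes(32))
        results[name] = (accepted, installed_genuine, rejects_unsigned)
    return results


if __name__ == "__main__":
    for name, outcome in demonstrate().items():
        print(name, "accepted=%s installed_genuine=%s rejects_unsigned=%s" % outcome)
```

Both updaters reject an image with a bad signature, which is why a TOCTTOU bug is easy to miss in testing: the check itself works. The difference only appears when a second write reaches the staging path between check and use, and the fix is to stop treating the path as the thing that was verified.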

Versions tested

Talos tested and confirmed that versions 2.0.1.91 (in bootstrap mode), 2.1.47.42 and 2.1.53.45 (in production mode) of Bitdefender BOX 2 are affected by these vulnerabilities.

Coverage

The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 51929, 51948