CVE-2019-17095
Published 2020-01-27
Priority: P2 (66) · Critical 9.8 · CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 4.23% (89.8th percentile)
A command injection vulnerability has been discovered in the bootstrap stage of Bitdefender BOX 2, versions 2.1.47.42 and 2.1.53.45. The API method `/api/download_image` unsafely handles the production firmware URL supplied by remote servers, leading to arbitrary execution of system commands. To exploit the condition, an unauthenticated attacker must impersonate an infrastructure server in order to supply the malicious URL.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bitdefender | bitdefender_box_2 | >= 2.1.47.42 < 2.1.59-12 | 2.1.59-12 |
| bitdefender | bitdefender_box_2 | >= 2.1.53.45 < 2.1.59-12 | 2.1.59-12 |
| bitdefender | box_2_firmware | — | — |
| bitdefender | box_2_firmware | — | — |
Detection & IOCs (extracted from sources)
Snort rules: 51929, 51948
- Monitor for HTTP requests targeting the `/api/download_image` endpoint on Bitdefender BOX 2 devices, especially those originating from unexpected or spoofed infrastructure (nimbus) servers supplying malicious firmware URLs.
- Detect exploitation attempts using Snort rules 51929 and 51948, available via Firepower Management Center or Snort.org.
- The attack is unauthenticated and occurs during the bootstrap stage; look for anomalous unauthenticated HTTP requests to the device's API during the boot/bootstrap phase.
- The vulnerability is only exploitable during the bootstrap stage of affected Bitdefender BOX 2 firmware versions (2.1.47.42 and 2.1.53.45 in production mode); scope detection to devices running these versions.
- Snort rules 51929 and 51948 are subject to change as additional vulnerability information becomes available; always reference the latest rule definitions from Firepower Management Center or Snort.org.
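The bug class in the description above (a network-supplied firmware URL interpolated into a shell command) and the log-monitoring idea in the detection notes, as one added Python example. This is illustrative code written for this page, not Bitdefender's firmware and not Talos's proof of concept: the handler shape, the `url` query parameter, the allowlisted host, the `wget` invocation and the access-log lines are all assumptions. It shows the vulnerable command builder beside a hardened one, and then reuses the hardened handler's validation as the detection rule over constructed log lines.

```python
"""Illustrative reimplementation of the bug class behind CVE-2019-17095 and a
matching access-log check. Added example code: not Bitdefender's firmware, not
Talos's proof of concept. The handler shape, the `url` query parameter, the
allowlisted host, the wget invocation and the log lines are all constructed."""
import re
import subprocess
from typing import List, Optional
from urllib.parse import parse_qs, urlparse

# Hypothetical: the only host the bootstrap stage should ever fetch firmware from.
FIRMWARE_HOST_ALLOWLIST = {"updates.example-vendor.invalid"}

# Characters that let a URL break out of a shell command line.
SHELL_META = re.compile(r"[;&|`$<>(){}\n\r'\"\\ ]")


def build_download_cmd_vulnerable(url: str) -> str:
    """The pattern to avoid: a firmware URL that arrived from the network is
    concatenated into a shell string that is later run via /bin/sh
    (shell=True). A value such as 'https://h/fw.img; id' makes the shell run
    a second command with the daemon's privileges (root on most appliances)."""
    return "wget -q -O /tmp/firmware.img " + url


def build_download_cmd_hardened(url: str) -> List[str]:
    """Validate the URL, then return an argv list to run WITHOUT a shell.
    Raises ValueError with a reason so callers can log the rejection."""
    if SHELL_META.search(url):
        raise ValueError("shell metacharacter in firmware URL")
    parsed = urlparse(url)
    if parsed.scheme != "https":
        raise ValueError("firmware URL must use https")
    if parsed.hostname not in FIRMWARE_HOST_ALLOWLIST:
        raise ValueError(f"host not allowlisted: {parsed.hostname!r}")
    # '--' stops wget from treating a URL that begins with '-' as an option.
    return ["wget", "-q", "-O", "/tmp/firmware.img", "--", url]


def download_firmware(url: str, dry_run: bool = True) -> List[str]:
    """Fetch the image with an argv list; shell=False means no metacharacter
    is ever interpreted. dry_run=True only returns the argv."""
    argv = build_download_cmd_hardened(url)
    if not dry_run:
        subprocess.run(argv, shell=False, check=True, timeout=300)
    return argv


# ---- detection side: scan the device's HTTP access log ----------------------

# Constructed sample in combined-log shape (not real BOX 2 logs). Query values
# are percent-encoded as a web server would record them.
ACCESS_LOG = """\
192.0.2.10 - - [21/Jan/2020:10:00:01 +0000] "POST /api/download_image?url=https%3A%2F%2Fupdates.example-vendor.invalid%2Fbox2%2F2.1.59-12.img HTTP/1.1" 200 17
198.51.100.7 - - [21/Jan/2020:10:00:05 +0000] "POST /api/download_image?url=https%3A%2F%2F198.51.100.7%2Ffw.img%3B%20id HTTP/1.1" 200 17
203.0.113.5 - - [21/Jan/2020:10:00:07 +0000] "POST /api/download_image?url=https%3A%2F%2F203.0.113.5%2Fbox2%2Ffw.img HTTP/1.1" 200 17
192.0.2.10 - - [21/Jan/2020:10:00:09 +0000] "GET /api/status HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_firmware_url(url: str) -> Optional[str]:
    """Reuse the handler's own validation as the detection rule: return the
    rejection reason for a URL the hardened handler would refuse, else None."""
    try:
        build_download_cmd_hardened(url)
    except ValueError as exc:
        return str(exc)
    return None


def scan_access_log(log_text: str) -> List[dict]:
    """Flag every /api/download_image request whose url parameter carries a
    shell metacharacter, a non-https scheme or a host outside the allowlist."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if path != "/api/download_image":
            continue
        # parse_qs percent-decodes, so ';' hidden as %3B is seen as ';'.
        for url in parse_qs(query).get("url", []):
            reason = classify_firmware_url(url)
            if reason:
                findings.append({"src": m.group("src"), "ts": m.group("ts"),
                                 "url": url, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(ACCESS_LOG):
        print(f"{f['ts']} {f['src']} {f['reason']}: {f['url']}")
```

Two design points worth noting. The fix is not "escape the metacharacters" but "never hand the value to a shell": an argv list with `shell=False` cannot be split into a second command regardless of what the URL contains, and the scheme and host allowlist then closes the separate hole of a spoofed infrastructure server pointing the device at an attacker-hosted image. On the detection side the same validation function is the rule, so the monitor and the fix cannot drift apart; the one trap is that logs store the query percent-encoded, so matching on a literal `;` before decoding misses the `%3B` form.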
CVSS provenance
NVD v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
No detection rules found.
No public exploits indexed.
Talos: Vulnerability Spotlight: Bitdefender BOX 2 bootstrap remote code execution vulnerabilities [HIGH]
blogs_talos · 2020-01-21 · CVSS 8.1
Claudio Bozzato, Lilith Wyatt and Dave McDaniel of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.
The Bitdefender BOX 2 contains two remote code execution vulnerabilities in its bootstrap stage. The BOX 2 is a device that protects users’ home networks from a variety of threats, such as malware, phishing IOCs and other forms of cyber attacks. It also allows the user to monitor specific devices on the network and limit their internet access. These vulnerabilities could allow an attacker to gain the ability to arbitrarily execute system commands.
In accordance with our coordinated disclosure policy, Cisco Talos worked with Bitdefender to ensure that these issues are resolved and that an update is available for affected customers.
### Vulnerability details
Bitdefender BO
References
- https://www.bitdefender.com/support/security-advisories/command-injection-vulnerability-in-bitdefender-box-v2-va-5706
- https://talosintelligence.com/vulnerability_reports/TALOS-2019-0919
- https://www.cybersecurity-help.cz/vdb/SB2020012215?affChecked=1