BitDefender BOX 2 up to 2.0.1.90 API /api/update_setup System Command improper resource locking
CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
---|---|---|
7.4 | $0-$5k | 0.00 |
A vulnerability, which was classified as critical, has been found in BitDefender BOX 2 up to 2.0.1.90. Affected by this issue is an unknown functionality of the file /api/update_setup of the component API. The manipulation as part of a System Command leads to a improper resource locking vulnerability. Using CWE to declare the problem leads to CWE-413. The product does not lock or does not correctly lock a resource when the product must have exclusive access to the resource. Impacted is confidentiality, integrity, and availability. CVE summarizes:
An exploitable command execution vulnerability exists in the recovery partition of Bitdefender BOX 2, version 2.0.1.91. The API method `/api/update_setup` does not perform firmware signature checks atomically, leading to an exploitable race condition (TOCTTOU) that allows arbitrary execution of system commands. This issue affects: Bitdefender Bitdefender BOX 2 versions prior to 2.1.47.36.
The weakness was disclosed 01/27/2020. This vulnerability is handled as CVE-2019-17102 since 10/02/2019. The exploitation is known to be difficult. The attack can only be done within the local network. No form of authentication is required for exploitation. Technical details are known, but there is no available exploit.
Upgrading to version 2.0.1.91 eliminates this vulnerability.
Product
Vendor
Name
Version
- 2.0.1.0
- 2.0.1.1
- 2.0.1.2
- 2.0.1.3
- 2.0.1.4
- 2.0.1.5
- 2.0.1.6
- 2.0.1.7
- 2.0.1.8
- 2.0.1.9
- 2.0.1.10
- 2.0.1.11
- 2.0.1.12
- 2.0.1.13
- 2.0.1.14
- 2.0.1.15
- 2.0.1.16
- 2.0.1.17
- 2.0.1.18
- 2.0.1.19
- 2.0.1.20
- 2.0.1.21
- 2.0.1.22
- 2.0.1.23
- 2.0.1.24
- 2.0.1.25
- 2.0.1.26
- 2.0.1.27
- 2.0.1.28
- 2.0.1.29
- 2.0.1.30
- 2.0.1.31
- 2.0.1.32
- 2.0.1.33
- 2.0.1.34
- 2.0.1.35
- 2.0.1.36
- 2.0.1.37
- 2.0.1.38
- 2.0.1.39
- 2.0.1.40
- 2.0.1.41
- 2.0.1.42
- 2.0.1.43
- 2.0.1.44
- 2.0.1.45
- 2.0.1.46
- 2.0.1.47
- 2.0.1.48
- 2.0.1.49
- 2.0.1.50
- 2.0.1.51
- 2.0.1.52
- 2.0.1.53
- 2.0.1.54
- 2.0.1.55
- 2.0.1.56
- 2.0.1.57
- 2.0.1.58
- 2.0.1.59
- 2.0.1.60
- 2.0.1.61
- 2.0.1.62
- 2.0.1.63
- 2.0.1.64
- 2.0.1.65
- 2.0.1.66
- 2.0.1.67
- 2.0.1.68
- 2.0.1.69
- 2.0.1.70
- 2.0.1.71
- 2.0.1.72
- 2.0.1.73
- 2.0.1.74
- 2.0.1.75
- 2.0.1.76
- 2.0.1.77
- 2.0.1.78
- 2.0.1.79
- 2.0.1.80
- 2.0.1.81
- 2.0.1.82
- 2.0.1.83
- 2.0.1.84
- 2.0.1.85
- 2.0.1.86
- 2.0.1.87
- 2.0.1.88
- 2.0.1.89
- 2.0.1.90
License
CPE 2.3
CPE 2.2
CVSSv4
VulDB CVSS-B Score: 🔍VulDB CVSS-BT Score: 🔍
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 7.5VulDB Meta Temp Score: 7.4
VulDB Base Score: 5.8
VulDB Temp Score: 5.6
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 8.3
NVD Vector: 🔍
CNA Base Score: 8.3
CNA Vector (Bitdefender): 🔍
CVSSv2
AV | AC | Au | C | I | A |
---|---|---|---|---|---|
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
---|---|---|---|---|---|
unlock | unlock | unlock | unlock | unlock | unlock |
unlock | unlock | unlock | unlock | unlock | unlock |
unlock | unlock | unlock | unlock | unlock | unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Improper resource lockingCWE: CWE-413 / CWE-404
ATT&CK: Unknown
Local: No
Remote: Partially
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
0-Day | unlock | unlock | unlock | unlock |
---|---|---|---|---|
Today | unlock | unlock | unlock | unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Upgrade: BOX 2 2.0.1.91
Timeline
10/02/2019 🔍01/27/2020 🔍
01/27/2020 🔍
03/26/2024 🔍
Sources
Advisory: bitdefender.comStatus: Not defined
CVE: CVE-2019-17102 (🔍)
Entry
Created: 01/27/2020 18:42Updated: 03/26/2024 14:09
Changes: 01/27/2020 18:42 (39), 01/27/2020 18:47 (11), 03/26/2024 14:07 (17), 03/26/2024 14:09 (19)
Complete: 🔍
No comments yet. Languages: en.
Please log in to comment.