BitDefender BOX 2 up to 2.0.1.90 API /api/update_setup System Command improper resource locking

Summaryinfo

A vulnerability categorized as critical has been discovered in BitDefender BOX 2 up to 2.0.1.90. Affected by this vulnerability is an unknown functionality of the file /api/update_setup of the component API. Such manipulation as part of System Command leads to improper resource locking. This vulnerability is uniquely identified as CVE-2019-17102. The attack can only be initiated within the local network. No exploit exists. It is advisable to upgrade the affected component.

Detailsinfo

A vulnerability, which was classified as critical, has been found in BitDefender BOX 2 up to 2.0.1.90. Affected by this issue is an unknown functionality of the file /api/update_setup of the component API. The manipulation as part of a System Command leads to a improper resource locking vulnerability. Using CWE to declare the problem leads to CWE-413. The product does not lock or does not correctly lock a resource when the product must have exclusive access to the resource. Impacted is confidentiality, integrity, and availability. CVE summarizes:

An exploitable command execution vulnerability exists in the recovery partition of Bitdefender BOX 2, version 2.0.1.91. The API method `/api/update_setup` does not perform firmware signature checks atomically, leading to an exploitable race condition (TOCTTOU) that allows arbitrary execution of system commands. This issue affects: Bitdefender Bitdefender BOX 2 versions prior to 2.1.47.36.

The weakness was disclosed 01/27/2020. This vulnerability is handled as CVE-2019-17102 since 10/02/2019. The exploitation is known to be difficult. The attack can only be done within the local network. No form of authentication is required for exploitation. Technical details are known, but there is no available exploit.

Upgrading to version 2.0.1.91 eliminates this vulnerability.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Productinfo

Vendor

• BitDefender

Name

• BOX 2

Version

• 2.0.1.0
• 2.0.1.1
• 2.0.1.2
• 2.0.1.3
• 2.0.1.4
• 2.0.1.5
• 2.0.1.6
• 2.0.1.7
• 2.0.1.8
• 2.0.1.9
• 2.0.1.10
• 2.0.1.11
• 2.0.1.12
• 2.0.1.13
• 2.0.1.14
• 2.0.1.15
• 2.0.1.16
• 2.0.1.17
• 2.0.1.18
• 2.0.1.19
• 2.0.1.20
• 2.0.1.21
• 2.0.1.22
• 2.0.1.23
• 2.0.1.24
• 2.0.1.25
• 2.0.1.26
• 2.0.1.27
• 2.0.1.28
• 2.0.1.29
• 2.0.1.30
• 2.0.1.31
• 2.0.1.32
• 2.0.1.33
• 2.0.1.34
• 2.0.1.35
• 2.0.1.36
• 2.0.1.37
• 2.0.1.38
• 2.0.1.39
• 2.0.1.40
• 2.0.1.41
• 2.0.1.42
• 2.0.1.43
• 2.0.1.44
• 2.0.1.45
• 2.0.1.46
• 2.0.1.47
• 2.0.1.48
• 2.0.1.49
• 2.0.1.50
• 2.0.1.51
• 2.0.1.52
• 2.0.1.53
• 2.0.1.54
• 2.0.1.55
• 2.0.1.56
• 2.0.1.57
• 2.0.1.58
• 2.0.1.59
• 2.0.1.60
• 2.0.1.61
• 2.0.1.62
• 2.0.1.63
• 2.0.1.64
• 2.0.1.65
• 2.0.1.66
• 2.0.1.67
• 2.0.1.68
• 2.0.1.69
• 2.0.1.70
• 2.0.1.71
• 2.0.1.72
• 2.0.1.73
• 2.0.1.74
• 2.0.1.75
• 2.0.1.76
• 2.0.1.77
• 2.0.1.78
• 2.0.1.79
• 2.0.1.80
• 2.0.1.81
• 2.0.1.82
• 2.0.1.83
• 2.0.1.84
• 2.0.1.85
• 2.0.1.86
• 2.0.1.87
• 2.0.1.88
• 2.0.1.89
• 2.0.1.90

License

• commercial

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Discussion