CVE-2019-17102
27.01.2020, 14:15
An exploitable command execution vulnerability exists in the recovery partition of Bitdefender BOX 2, version 2.0.1.91. The API method `/api/update_setup` does not perform firmware signature checks atomically, leading to an exploitable race condition (TOCTTOU) that allows arbitrary execution of system commands. This issue affects: Bitdefender Bitdefender BOX 2 versions prior to 2.1.47.36.
Vendor | Product | Version
---|---|---
bitdefender | box_2_firmware | x < 2.1.47.36

x = vulnerable software versions
Common Weakness Enumeration
- CWE-413 - Improper Resource Locking: The software does not lock or does not correctly lock a resource when the software must have exclusive access to the resource.
- CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition: The software checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the software to perform invalid actions when the resource is in an unexpected state.
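The pattern behind this class of bug, as an added illustration (not code from Bitdefender or from the BOX 2 firmware): an updater that verifies the image on disk and then re-reads the path to install it has a window between check and use, while an updater that verifies the exact bytes it will install does not. The HMAC "signature", the file names and the `between_check_and_use` hook that stands in for the race window are constructed for the demo.

```python
import hashlib, hmac, os, tempfile

# Constructed stand-in for a firmware signing key; a real device verifies an
# asymmetric signature, but the check/use ordering is what matters here.
SIGNING_KEY = b"constructed-demo-key"

def sign(blob: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, blob, hashlib.sha256).digest()

def verify(blob: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(blob), sig)

def apply_update_vulnerable(path, sig, between_check_and_use=lambda: None):
    """Checks the file on disk, then re-reads the path to install: two reads."""
    with open(path, "rb") as f:
        if not verify(f.read(), sig):
            raise ValueError("bad signature")
    between_check_and_use()      # the file can change here, after the check
    with open(path, "rb") as f:
        return f.read()          # whatever is on disk now gets installed

def apply_update_fixed(path, sig, between_check_and_use=lambda: None):
    """Reads once, verifies that buffer, installs that same buffer."""
    with open(path, "rb") as f:
        blob = f.read()
    between_check_and_use()      # a later change to the file is irrelevant
    if not verify(blob, sig):
        raise ValueError("bad signature")
    return blob

def demo():
    """Constructed scenario: a signed image is staged, then replaced while the
    update runs. Returns what each variant would end up installing."""
    good, bad = b"GOOD-FIRMWARE-IMAGE", b"UNSIGNED-IMAGE"
    sig = sign(good)
    fd, path = tempfile.mkstemp()
    os.close(fd)
    def write(data):
        with open(path, "wb") as f:
            f.write(data)
    try:
        write(good)
        installed_vuln = apply_update_vulnerable(path, sig, lambda: write(bad))
        write(good)
        installed_fixed = apply_update_fixed(path, sig, lambda: write(bad))
        return installed_vuln, installed_fixed
    finally:
        os.remove(path)
```

The fixed variant still needs the install step to consume the verified buffer directly; writing it back to a path that another component later reads would reopen the window.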