var-202001-0279
Vulnerability from variot

A command injection vulnerability has been discovered in the bootstrap stage of Bitdefender BOX 2, versions 2.1.47.42 and 2.1.53.45. The API method /api/download_image unsafely handles the production firmware URL supplied by remote servers, leading to arbitrary execution of system commands. In order to exploit the condition, an unauthenticated attacker should impersonate a infrastructure server to trigger this vulnerability. ____________

             From the low-hanging-fruit-department
       Bitdefender Generic Malformed Archive Bypass (BZ2)

Release mode : Forced Disclosure Ref : [TZO-04-2019] - Bitdefender Malformed Archive bypass (BZ2) Vendor : Bitdefender Status : Patched (amsiscan.dll >24.0.14.74) CVE : Issued 3 CVEs then pulled them back (although patching) Dislosure Policy: https://caravelahq.com/b/policy/20949 Blog : https://blog.zoller.lu/p/tzo-04-2019-bitdefender-malformed.html Vendor Advisory : No Advisory issued Patch release : https://www.bitdefender.com/consumer/support/answer/10690/

Affected Products

All Bitdefender Products and Vendors that have licensed the Engine before Dec 12 2019. Exact version is unknown as Bitdefender has not made this public.

Quoting Bitdefender : "All Bitdefender endpoint solutions (including but not limited to Bitdefender Total Security, Bitdefender Antivirus Free Edition, Bitdefender GravityZone) as well as all products using our engines."

Consumer: Bitdefender Premium Security Bitdefender Total Security 2020 Bitdefender Internet Security 2020 Bitdefender Antivirus Plus 2020 Bitdefender Family Pack 2020 Bitdefender Antivirus for Mac Bitdefender Mobile Security for Android Bitdefender Mobile Security for iOS

Enterprise: Bitdefender Small Office Security GravityZone Business Security GravityZone Advanced Business Security Bitdefender Security for AWS GravityZone Ultra Security GravityZone Managed EDR GravityZone Elite Security GravityZone Enterprise Security Security for Virtualized Environments Security for Endpoints Security for Mobiles Security for Exchange GravityZone Security for Storage

Vulnerable OEM Partners (According to AV-TEST): Adaware Bullguard Vipr Total360 eScan emiSoft G-DATA Qihoo 360 Quick Heal TotalDefense Tencent

I. Background

"Since 2001, Bitdefender innovation has consistently delivered award-winning security products and threat intelligence for people, homes, businesses and their devices, networks and cloud services. Today, Bitdefender is also the provider of choice, used in over 38% of the world’s security solutions. Recognized by industry, respected by vendors and evangelized by our customers, Bitdefender is the cybersecurity company you can trust and rely on."

II. Description

The parsing engine supports the BZIP archive format. The parsing engine can be bypassed by specifically manipulating an BZIP Archive so that it can be accessed by an end-user but not the Anti-Virus software. The AV engine is unable to scan the archive and issues the file a "clean" rating.

I may release further details after all known vulnerable vendors have patched their products.

III. Impact

Impacts depends on the contextual use of the product and engine within the organisation of a customer. Gateway Products (Email, HTTP Proxy etc) may allow the file through unscanned and give it a clean bill of health. Server side AV software will not be able to discover any code or sample contained within this ISO file and it will not raise suspicion even if you know exactly what you are looking for (Which is for example great to hide your implants or Exfiltration/Pivot Server).

There is a lot more to be said about this bug class, so rather than bore you with it in this advisory I provide a link to my 2009 blog post http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html

IV. Patch / Advisory

If you are an enterprise customer I would suggest to reach out to Bitdefender to discuss how you can be notified about patched vulnerabilities within their products. Some releases may requires binary updates that cant be pulled from the auto-update.

amsiscan.dll >24.0.14.74

For Users of the OEM Partners (G-Data, Vipr, etc) I would suggest to get in contact to ensure these vulnerabilities are patched or not present in their offering. I would also suggest discussing how you can be made aware of future vulnerabilities.

V. Disclosure Timeline

See here : https://caravelahq.com/b/bitdefender/20876

18 OCT 2019 - Submission of a bypass over a bug bounty platform that requires submitters to agree to an NDA regardless of whether the vulnerability is recognised or not.

21 OCT 2019 - Bitdefender validated the report and assigned CVE-2019-17095

23 OCT 2019 "fix was also pushed via update. Can you please check?"

OCT 2019 - Back and forth on whether this qualifies for a bug bounty. Bitdefender rep states "In my opinion, we should. It's not an usual engine bypass "undetected sample". It's exploiting a vulnerability to bypass the engines which, I see as something different. Will provide an official answer in the following days."

  • I continue submitting more Bitdefender bypasses

28 OCT 2019 - Bitdefender states "We're doing a review of this vector as a whole and putting the unpackers temporarily out of scope until we're done"

05 NOV 2019 - Bitdefender changes its mind "As a rule of thumb, this form of AV bypass (corrupting archive headers) is not and will not be rewardable."

Discussion continue

26 NOV 2019 "Your reports are valid but they will not be treated as vulnerabilities or receive a generic fix at the moment (individual fixes may be implemented)."

"PS: given that we won't be treating these as vulnerabilities, we're pulling back the 3 CVEs that may have been issued a bit too rashly."

Editors Note: We qualified them as vulnerabilities and in scope of the bug bounty, now we changed our mind, they are valid yes, i.e they bypass the Engine, but they are not vulnerabilities.

At this point the Terms I agreed to when signing up to the bug bounty platform would prevent me from disclosing or getting any sort of credit.

Hence I decide to take my next report outside the platform and under my own terms that can be found here : https://caravelahq.com/b/policy/20949

OCT 30 2019 - Submitted new GZIP bypass report and sample over my ticketing system and under my terms, outside of the bug bounty platform.

OCT 31 2019 - Bitdefender requests that I reupload the file as they accidently deleted it

NOV 5 2019 - I continue to try to talk sense into this by sending a bunch of CVEs, reports, papers and presentations about this bug class. - I notify Bitdefender that "Also, I will stop reporting any further vulnerabilities to you under these condiions. I feel like you broke both contract and execution in good faith. When are you planning on notifying your customers?"

NOV 5 2019 Bitdefender : "While this may change in the future. we're treating these types of AV evasion techniques as "won't fix", for now."

NOV 14 2019 - Setting a temporary Disclosure data as per my Policy. - Asking to confirm the vulnerability or otherwise reply - No reply.

NOV 21 2019 - Notifying Bitdefender that that in alignement to my policy, .i.e having received no updates that I will disclose without further coordination.

NOV 26 2019 - Bitdefender issues a bounty for previous reports over the previously used bug bounty platform.

DEC 2 2019 - Asking a second time for an upate (Bz2). No reply.

DEC 6 2019 - Last attempt to contact them. Bz2) No reply.

DEC 12 2019 Bitdefender silently fixes the vuln. "I noticed today the 12/12/2020 that you have deployed a fix for this. Do you have any statement or comment on why you choose to silently fix and give no credit whatsoever ?"

DEC 12 2019 - Tweeted the Hash of the Report https://twitter.com/thierryzoller/status/1205115141832007680

DEC 13 2019 - Since I received no reply, I reached out to Bitdefender on an old thread on the previously used bug bounty platform. "Have you considered not paying a bounty but giving credit?" Bitdefender replies "This is literally the first time in 4 years of running the bug bounty program when we got "stuck" in a dispute of sorts with a researcher. I know what silent patching means and I'm fully aware (and against) this type of lack of transparency. And we also have a track record that shows we have absolutely no problem giving credit where credit was due. This is just a matter of you and us disagreeing on whether this is a vuln or not."

N.B They clearly classified it as a vulnerability weeks before, multiple times.

DEC 15 2019 - Reached out to Bitdefender again to ensure there is 0 excuse for miscommunication: "I'd like to make sure there are no misunderstandings if you recognize this bug class by either crediting or otherwise than I am happy to report any findings here, or outside. If you choose to continue to fix these silently and not even reply to my update requests I am not open in doing so. Let me know Bitdefenders' official position on this."

DEC 16 2019 - "You shall be credited in our hall of fame and I'll post about this on Twitter."

DEC 24 2019 - Release of this Advisory

Note: The lenght you need to go through in 2019 to report vulnerabilities is astounding, it is also astounting to see how bug bounty platforms have the potential to be used to silence reports and/or researchers. Their terms and usages, introduces a new element and dynamic in the researcher / vendor relationship. Is it about time to push an FD culture again ?

Show details on source website


{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202001-0279",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "box 2",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "bitdefender",
        "version": "2.1.53.45"
      },
      {
        "model": "box 2",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "bitdefender",
        "version": "2.1.47.42"
      },
      {
        "model": "box 2",
        "scope": "eq",
        "trust": 1.4,
        "vendor": "bitdefender",
        "version": null
      },
      {
        "model": "box 2",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "bitdefender",
        "version": "bitdefender box 2  firmware  2.1.47.42"
      },
      {
        "model": "box 2",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "bitdefender",
        "version": "bitdefender box 2  firmware  2.1.53.45"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-014398"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202001-137"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-17095"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Thierry Zoller",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "155849"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202001-137"
      }
    ],
    "trust": 0.7
  },
  "cve": "CVE-2019-17095",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "CVE-2019-17095",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 1.9,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "nvd@nist.gov",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 3.9,
            "id": "CVE-2019-17095",
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "author": "cve-requests@bitdefender.com",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 1.4,
            "id": "CVE-2019-17095",
            "impactScore": 6.0,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "High",
            "baseScore": 9.8,
            "baseSeverity": "Critical",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "CVE-2019-17095",
            "impactScore": null,
            "integrityImpact": "High",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2019-17095",
            "trust": 1.0,
            "value": "CRITICAL"
          },
          {
            "author": "cve-requests@bitdefender.com",
            "id": "CVE-2019-17095",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "NVD",
            "id": "CVE-2019-17095",
            "trust": 0.8,
            "value": "Critical"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202001-137",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "VULMON",
            "id": "CVE-2019-17095",
            "trust": 0.1,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2019-17095"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-014398"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202001-137"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-17095"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-17095"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "A command injection vulnerability has been discovered in the bootstrap stage of Bitdefender BOX 2, versions 2.1.47.42 and 2.1.53.45. The API method `/api/download_image` unsafely handles the production firmware URL supplied by remote servers, leading to arbitrary execution of system commands. In order to exploit the condition, an unauthenticated attacker should impersonate a infrastructure server to trigger this vulnerability. ________________________________________________________________________\n\n                 From the low-hanging-fruit-department\n           Bitdefender Generic Malformed Archive Bypass (BZ2)\n________________________________________________________________________\n\nRelease mode : Forced Disclosure\nRef         : [TZO-04-2019] - Bitdefender Malformed Archive bypass (BZ2)\nVendor      : Bitdefender\nStatus      : Patched (amsiscan.dll \u003e24.0.14.74)\nCVE         : Issued 3 CVEs then pulled them back (although patching)\nDislosure Policy: https://caravelahq.com/b/policy/20949\nBlog            : \nhttps://blog.zoller.lu/p/tzo-04-2019-bitdefender-malformed.html\nVendor Advisory : No Advisory issued\nPatch release   : https://www.bitdefender.com/consumer/support/answer/10690/\n\n\nAffected Products\n=================\nAll Bitdefender Products and Vendors that have licensed the Engine \nbefore Dec 12 2019. Exact version is unknown as Bitdefender has not made \nthis public. \n\nQuoting Bitdefender :\n\"All Bitdefender endpoint solutions (including but not limited to \nBitdefender Total Security, Bitdefender Antivirus Free Edition, \nBitdefender GravityZone) as well as all products using our engines.\"\n\nConsumer:\nBitdefender Premium Security\nBitdefender Total Security 2020\nBitdefender Internet Security 2020\nBitdefender Antivirus Plus 2020\nBitdefender Family Pack 2020\nBitdefender Antivirus for Mac\nBitdefender Mobile Security for Android\nBitdefender Mobile Security for iOS\n\nEnterprise:\nBitdefender Small Office Security\nGravityZone Business Security\nGravityZone Advanced Business Security\nBitdefender Security for AWS\nGravityZone Ultra Security\nGravityZone Managed EDR\nGravityZone Elite Security\nGravityZone Enterprise Security\nSecurity for Virtualized Environments\nSecurity for Endpoints\nSecurity for Mobiles\nSecurity for Exchange\nGravityZone Security for Storage\n\nVulnerable OEM Partners (According to AV-TEST):\nAdaware\nBullguard\nVipr\nTotal360\neScan\nemiSoft\nG-DATA\nQihoo 360\nQuick Heal\nTotalDefense\nTencent\n\nI. Background\n=================\n\"Since 2001, Bitdefender innovation has consistently delivered \naward-winning security products and threat intelligence for people, \nhomes, businesses and their devices, networks and cloud services. Today, \nBitdefender is also the provider of choice, used in over 38% of the \nworld\u2019s security solutions. \nRecognized by industry, respected by vendors and evangelized by our \ncustomers, Bitdefender is  the cybersecurity company you can trust and \nrely on.\"\n\nII. Description\n=================\nThe parsing engine supports the BZIP archive format. The parsing engine \ncan be bypassed by specifically manipulating an BZIP  Archive so that it \ncan be accessed by an end-user  but not the Anti-Virus software. The AV \nengine is unable to scan the archive and issues the file a \"clean\" rating. \n\nI may release further details after all known vulnerable vendors have \npatched their products. \n\n\nIII. Impact\n=================\nImpacts depends on the contextual use of the product and engine within \nthe organisation of a customer. Gateway Products (Email, HTTP Proxy etc) \nmay allow the file through unscanned and give it a clean bill of health. \nServer side AV software will not be able to discover  any code or sample \ncontained within this ISO file and it will not raise suspicion even  if \nyou know exactly what you are looking for (Which is for example great to \nhide your implants or Exfiltration/Pivot Server). \n\nThere is a lot more to be said about this bug class, so rather than bore \nyou with it in this advisory I provide a link to my 2009 blog post\nhttp://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html\n\nIV. Patch / Advisory\n=================\nIf you are an enterprise customer I would suggest to reach out to \nBitdefender to discuss how you can be notified about patched \nvulnerabilities within their products. Some releases may requires binary \nupdates that cant be pulled from the auto-update. \n\namsiscan.dll \u003e24.0.14.74\n\nFor Users of the OEM Partners (G-Data, Vipr, etc) I would suggest to get \nin contact to ensure these vulnerabilities are patched or not present in \ntheir offering. I would also suggest discussing how you can be made \naware of future vulnerabilities. \n\nV. Disclosure Timeline\n======================\nSee here : https://caravelahq.com/b/bitdefender/20876\n\n18 OCT 2019\n- Submission of a bypass over a bug bounty platform  that requires \nsubmitters to agree to an NDA regardless of whether the vulnerability is \nrecognised or not. \n\n21 OCT 2019\n- Bitdefender validated the report and assigned CVE-2019-17095\n\n23 OCT 2019\n\"fix was also pushed via update. Can you please check?\"\n\nOCT 2019\n- Back and forth on whether this qualifies for a bug bounty. Bitdefender \nrep states \"In my opinion, we should. It\u0027s not an usual engine bypass \n\"undetected sample\". It\u0027s exploiting a vulnerability to bypass the \nengines which, I see as something different. Will provide an official \nanswer in the following days.\"\n\n- I continue submitting more Bitdefender bypasses\n\n28 OCT 2019\n- Bitdefender states \"We\u0027re doing a review of this vector as a whole and \nputting the unpackers\ntemporarily out of scope until we\u0027re done\"\n\n05 NOV 2019\n- Bitdefender changes its mind \"As a rule of thumb, this form of AV \nbypass (corrupting archive headers)\nis not and will not be rewardable.\"\n\nDiscussion continue\n\n26 NOV 2019\n\"Your reports are valid but they will not be treated as vulnerabilities \nor receive a generic fix at the moment (individual fixes may be \nimplemented).\"\n\n\"PS: given that we won\u0027t be treating these as vulnerabilities, we\u0027re \npulling back the 3 CVEs  that may have been issued a bit too rashly.\"\n\nEditors Note: We qualified them as vulnerabilities and in scope of the \nbug bounty, now we changed our mind,\nthey are valid yes, i.e they bypass the Engine, but they are not \nvulnerabilities. \n\nAt this point the Terms I agreed to when signing up to the bug bounty \nplatform would prevent me from disclosing or getting any sort of credit. \n\nHence I decide to take my next report outside the platform and under my \nown terms that can be found here :\nhttps://caravelahq.com/b/policy/20949\n\nOCT 30 2019\n- Submitted new GZIP bypass report and sample over my ticketing system \nand under my terms,\noutside of the bug bounty platform. \n\nOCT 31 2019\n- Bitdefender requests that I reupload the file as they accidently \ndeleted it\n\nNOV 5 2019\n- I continue to try to talk sense into this by sending a bunch of CVEs, \nreports, papers and presentations about this bug class. \n- I notify Bitdefender that \"Also, I will stop reporting any further \nvulnerabilities to you under these condiions. I feel like you broke both \ncontract and execution in good faith. When are you planning on notifying \nyour customers?\"\n\nNOV 5 2019\nBitdefender : \"While this may change in the future. we\u0027re treating these \ntypes of AV evasion techniques as \"won\u0027t fix\", for now.\"\n\nNOV 14 2019\n- Setting a temporary Disclosure data as per my Policy. \n- Asking to confirm the vulnerability or otherwise reply -  No reply. \n\nNOV 21 2019\n- Notifying Bitdefender that that in alignement to my policy, .i.e \nhaving received no updates that I will disclose without further \ncoordination. \n\nNOV 26 2019\n- Bitdefender issues a bounty for previous reports over the previously \nused bug bounty platform. \n\nDEC 2 2019\n- Asking a second time for an upate (Bz2). No reply. \n\nDEC 6 2019\n- Last attempt to contact them. Bz2) No reply. \n\nDEC 12 2019\nBitdefender silently fixes the vuln. \n\"I noticed today the 12/12/2020 that you have deployed a fix for this. \nDo you have any statement or comment\non why you choose to silently fix and give no credit whatsoever ?\"\n\nDEC 12 2019\n- Tweeted the Hash of the Report\nhttps://twitter.com/thierryzoller/status/1205115141832007680\n\nDEC 13 2019\n- Since I received no reply, I reached out to Bitdefender on an old \nthread on the previously used bug bounty platform. \n\"Have you considered not paying a bounty but giving credit?\"\nBitdefender replies \"This is literally the first time in 4 years of \nrunning the bug bounty program when we got \"stuck\" in a dispute of sorts \nwith a researcher. I know what silent patching means and I\u0027m fully aware \n(and against) this type  of lack of transparency. And we also have a \ntrack record that shows we have absolutely no problem giving credit \nwhere credit was due. This is just a matter of you and us disagreeing on \nwhether this is a vuln or not.\"\n\nN.B They clearly classified it as a vulnerability weeks before, multiple \ntimes. \n\nDEC 15 2019\n- Reached out to Bitdefender again to ensure there is 0 excuse for \nmiscommunication:\n\"I\u0027d like to make sure there are no misunderstandings if you recognize \nthis bug class by either crediting or otherwise than I am happy to \nreport any findings here, or outside. If you choose to  continue to fix \nthese silently and not even reply to my update requests I am not open in \ndoing so. Let me know Bitdefenders\u0027 official position on this.\"\n\nDEC 16 2019\n- \"You shall be credited in our hall of fame and I\u0027ll post about this on \nTwitter.\"\n\nDEC 24 2019\n- Release of this Advisory\n\n\nNote: The lenght you need to go through in 2019 to report \nvulnerabilities is astounding, it is also astounting to see how bug \nbounty platforms have the potential to be used to silence reports and/or \nresearchers. Their terms and usages, introduces a new element and \ndynamic in the researcher / vendor relationship. Is it about time to \npush  an FD culture again ?\n\n\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2019-17095"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-014398"
      },
      {
        "db": "VULMON",
        "id": "CVE-2019-17095"
      },
      {
        "db": "PACKETSTORM",
        "id": "155849"
      }
    ],
    "trust": 1.8
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2019-17095",
        "trust": 2.6
      },
      {
        "db": "TALOS",
        "id": "TALOS-2019-0919",
        "trust": 2.5
      },
      {
        "db": "CS-HELP",
        "id": "SB2020012215",
        "trust": 1.6
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-014398",
        "trust": 0.8
      },
      {
        "db": "PACKETSTORM",
        "id": "155849",
        "trust": 0.7
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202001-137",
        "trust": 0.6
      },
      {
        "db": "MCAFEE",
        "id": "SB20200",
        "trust": 0.1
      },
      {
        "db": "VULMON",
        "id": "CVE-2019-17095",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2019-17095"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-014398"
      },
      {
        "db": "PACKETSTORM",
        "id": "155849"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202001-137"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-17095"
      }
    ]
  },
  "id": "VAR-202001-0279",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VARIoT devices database",
        "id": null
      }
    ],
    "trust": 0.35
  },
  "last_update_date": "2024-11-23T22:05:51.116000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Top\u00a0Page",
        "trust": 0.8,
        "url": "https://www.bitdefender.com/"
      },
      {
        "title": "Bitdefender BOX Fixes for operating system command injection vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=109190"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-014398"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202001-137"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-78",
        "trust": 1.0
      },
      {
        "problemtype": "OS Command injection (CWE-78) [NVD Evaluation ]",
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-014398"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-17095"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.5,
        "url": "https://talosintelligence.com/vulnerability_reports/talos-2019-0919"
      },
      {
        "trust": 1.7,
        "url": "https://www.bitdefender.com/support/security-advisories/command-injection-vulnerability-in-bitdefender-box-v2-va-5706"
      },
      {
        "trust": 1.7,
        "url": "https://www.cybersecurity-help.cz/vdb/sb2020012215?affchecked=1"
      },
      {
        "trust": 1.5,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-17095"
      },
      {
        "trust": 0.6,
        "url": "https://packetstormsecurity.com/files/155849/bitdefender-malformed-archive-bypass.html"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/78.html"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      },
      {
        "trust": 0.1,
        "url": "http://seclists.org/fulldisclosure/2020/jan/14"
      },
      {
        "trust": 0.1,
        "url": "http://blog.zoller.lu/2009/04/case-for-av-bypassesevasions.html"
      },
      {
        "trust": 0.1,
        "url": "https://caravelahq.com/b/bitdefender/20876"
      },
      {
        "trust": 0.1,
        "url": "https://blog.zoller.lu/p/tzo-04-2019-bitdefender-malformed.html"
      },
      {
        "trust": 0.1,
        "url": "https://caravelahq.com/b/policy/20949"
      },
      {
        "trust": 0.1,
        "url": "https://www.bitdefender.com/consumer/support/answer/10690/"
      },
      {
        "trust": 0.1,
        "url": "https://twitter.com/thierryzoller/status/1205115141832007680"
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2019-17095"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-014398"
      },
      {
        "db": "PACKETSTORM",
        "id": "155849"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202001-137"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-17095"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "VULMON",
        "id": "CVE-2019-17095"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-014398"
      },
      {
        "db": "PACKETSTORM",
        "id": "155849"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202001-137"
      },
      {
        "db": "NVD",
        "id": "CVE-2019-17095"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2020-01-27T00:00:00",
        "db": "VULMON",
        "id": "CVE-2019-17095"
      },
      {
        "date": "2020-02-14T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2019-014398"
      },
      {
        "date": "2020-01-06T17:08:00",
        "db": "PACKETSTORM",
        "id": "155849"
      },
      {
        "date": "2020-01-06T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202001-137"
      },
      {
        "date": "2020-01-27T18:15:12.493000",
        "db": "NVD",
        "id": "CVE-2019-17095"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2020-02-01T00:00:00",
        "db": "VULMON",
        "id": "CVE-2019-17095"
      },
      {
        "date": "2020-02-14T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2019-014398"
      },
      {
        "date": "2020-02-11T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202001-137"
      },
      {
        "date": "2024-11-21T04:31:40.967000",
        "db": "NVD",
        "id": "CVE-2019-17095"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202001-137"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Bitdefender\u00a0BOX\u00a02\u00a0 In \u00a0OS\u00a0 Command injection vulnerability",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2019-014398"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "operating system commend injection",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202001-137"
      }
    ],
    "trust": 0.6
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.


Loading…