Vulnerability Details : CVE-2019-17102
An exploitable command execution vulnerability exists in the recovery partition of Bitdefender BOX 2, version 2.0.1.91. The API method `/api/update_setup` does not perform firmware signature checks atomically, leading to an exploitable race condition (TOCTTOU) that allows arbitrary execution of system commands. This issue affects: Bitdefender Bitdefender BOX 2 versions prior to 2.1.47.36.
Products affected by CVE-2019-17102
- cpe:2.3:o:bitdefender:box_2_firmware:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-17102
0.34%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 56 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-17102
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
9.3
|
HIGH | AV:N/AC:M/Au:N/C:C/I:C/A:C |
8.6
|
10.0
|
NIST | |
|
8.3
|
HIGH | CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H |
1.6
|
6.0
|
Bitdefender | |
|
8.1
|
HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
2.2
|
5.9
|
NIST |
CWE ids for CVE-2019-17102
-
The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the product to perform invalid actions when the resource is in an unexpected state.Assigned by: nvd@nist.gov (Primary)
-
The product does not lock or does not correctly lock a resource when the product must have exclusive access to the resource.Assigned by: cve-requests@bitdefender.com (Secondary)
References for CVE-2019-17102
-
https://www.bitdefender.com/support/security-advisories/bitdefender-box-v2-bootstrap-update_setup-command-execution-vulnerability-va-2226
Bitdefender BOX v2 bootstrap update_setup command execution vulnerability (VA-2226) - BitdefenderVendor Advisory
Jump to