CVE-2019-17095

Name of the Vulnerable Software and Affected Versions Bitdefender BOX 2 versions 2.1.47.42 through 2.1.53.45

Description A command injection issue has been found in the bootstrap stage of the affected software. The /api/download image API method unsafely handles the production firmware URL supplied by remote servers, allowing for the arbitrary execution of system commands. An unauthenticated attacker can exploit this condition by impersonating an infrastructure server. The vulnerability can be exploited by sending a malicious full ws.tar.gz file from a smartphone application and creating a fake nimbus.bitdefender.net server, enabling the attacker to execute arbitrary commands on the target system.

Recommendations For versions 2.1.47.42 through 2.1.53.45, as a temporary workaround, consider restricting access to the /api/download image API endpoint until a patch is available. Additionally, avoid using the API method to handle URLs from untrusted sources. At the moment, there is no information about a newer version that contains a fix for this vulnerability.