PT-2021-20962 · Bitdefender · Bitdefender GravityZone, Bitdefender Endpoint Security Tools for Linux, Bitdefender Unified Endpoint
Published 2021-11-24 · Updated 2022-04-25 · CVE-2021-3554
CVSS v3.1: 10 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions:
Bitdefender Endpoint Security Tools for Linux versions prior to 6.6.27.390
Bitdefender Endpoint Security Tools for Linux versions prior to 7.1.2.33
Bitdefender Unified Endpoint versions prior to 6.2.21.160
Bitdefender GravityZone versions prior to 6.24.1-1
Description:
The issue is an Improper Access Control vulnerability in the patchesUpdate API as implemented in Bitdefender Endpoint Security Tools for Linux operating in the relay role. It allows an attacker to manipulate the remote address used for pulling patches.
Recommendations:
For Bitdefender Endpoint Security Tools for Linux versions prior to 6.6.27.390, update to version 6.6.27.390 or later.
For Bitdefender Endpoint Security Tools for Linux versions prior to 7.1.2.33, update to version 7.1.2.33 or later.
For Bitdefender Unified Endpoint versions prior to 6.2.21.160, update to version 6.2.21.160 or later.
For Bitdefender GravityZone versions prior to 6.24.1-1, update to version 6.24.1-1 or later.
As a temporary workaround, consider restricting access to the patchesUpdate API until a patch is available.
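To turn the version list above into a quick fleet triage, here is an added example (not part of the advisory or of any Bitdefender tooling). It assumes the two fixed builds belong to two maintenance lines, 6.6.x and 7.x, so each host is compared against the fix for its own line; hostnames and versions in the inventory are constructed.

```python
"""Triage Bitdefender Endpoint Security Tools for Linux builds against CVE-2021-3554.

Assumption (not stated on the advisory): 6.6.27.390 fixes the 6.x line and
7.1.2.33 fixes the 7.x line. Anything older than 6.x is prior to both fixes.
"""
from typing import Dict, Tuple

# Fixed builds per maintenance line, taken from the advisory.
FIX_6X = (6, 6, 27, 390)
FIX_7X = (7, 1, 2, 33)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '6.6.27.390' into a tuple of ints, zero-padded to four parts."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (4 - len(parts))


def is_affected(version: str) -> bool:
    """True when the build is prior to the fix for its maintenance line."""
    v = parse_version(version)
    major = v[0]
    if major <= 6:
        return v < FIX_6X          # 6.x (and anything older) needs 6.6.27.390
    if major == 7:
        return v < FIX_7X          # 7.x needs 7.1.2.33
    return False                   # later lines are not listed by the advisory


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'affected' or 'fixed' for a {host: version} inventory."""
    return {
        host: ("affected" if is_affected(ver) else "fixed")
        for host, ver in inventory.items()
    }


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "relay-01": "6.6.27.389",
    "relay-02": "6.6.27.390",
    "relay-03": "7.0",
    "relay-04": "7.1.2.33",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```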
Fix available
Weakness Enumeration
Improper Access Control
Related Identifiers
CVE-2021-3554
Affected Products
Bitdefender Endpoint Security Tools for Linux
Bitdefender GravityZone
Bitdefender Unified Endpoint