No user interaction was required to trigger the vulnerability
Bitdefender has resolved an arbitrary code execution flaw caused by how HTTPS connections were handled by the company’s antivirus software.
In a blog post on Monday (June 22), developer Wladimir Palant said the vulnerability impacts Bitdefender Total Security 2020.
It is always of note when vulnerabilities are found in cybersecurity products. However, no software is immune to bugs.
As noted by Palant, Bitdefender’s security flaw was created through a combination of “seemingly small weaknesses, each of them already familiar from other antivirus products”.
Bitdefender’s software includes real-time online antivirus protection. This includes the inspection and blocking of malicious websites and Safepay, a module which delegates online banking to a separate, contained browser environment for enhanced transaction security.
However, when Safepay and the other online protection components interacted, a security flaw emerged which could allow any website to remotely execute arbitrary code on a user’s system without any user interaction, regardless of browser.
Tracked as CVE-2020-8102 and issued a CVSS score of 8.8, the vulnerability is described as an improper validation flaw.
Rather than leaving error handling to browsers when inspecting HTTPS connections, Bitdefender Total Security uses an API designed for external applications to analyze, but not decrypt, browser data during online sessions.
The software will also alter server responses and show a custom error page if problems are found. This results in websites being able to read security tokens, and it is these tokens that can be abused to open a session within the Safepay browser, leading to RCE.
“Messing with server responses tends to cause issues even when executed carefully, which is why I consider browser extensions the preferable way of implementing online protection,” Palant commented.
Palant disclosed his findings via the Bitdefender bug bounty program on April 14.
Bitdefender Total Security 2020 versions prior to 22.214.171.124 were impacted by the handling error, for which a patch was released on April 23, following triage and the assignment of a CVE number.
The vendor released a security advisory for customers on June 22. Versions 126.96.36.199 and above have resolved the issue.
Bitdefender offers a minimum reward of $100 for valid bug submissions, rising depending on the severity and nature of vulnerability reports. However, Palant declined a payout for his report.
“As a global cybersecurity company protecting more than 500 million devices worldwide, Bitdefender strongly advocates vulnerability research and responsible disclosure,” the company told The Daily Swig.
“Since the inception of our bug bounty program in 2015, we have collaborated with numerous third-party security researchers to identify vulnerabilities and make our products safer to use.
“Regarding this matter, we'd like to thank Mr Palant for bringing the vulnerability to our attention and allow us to fix the issue on time.”