Claudio Bozzato, Lilith Wyatt and Dave McDaniel of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.

The Bitdefender BOX 2 contains two remote code execution vulnerabilities in its bootstrap stage. The BOX 2 is a device that protects users’ home networks from a variety of threats, such as malware, phishing IOCs and other forms of cyber attacks. It also allows the user to monitor specific devices on the network and limit their internet access. These vulnerabilities could allow an attacker to execute arbitrary system commands on the device.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Bitdefender to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details

Bitdefender BOX 2 bootstrap download_image command injection vulnerability (TALOS-2019-0919/CVE-2019-17095, CVE-2019-17096)

An exploitable command injection vulnerability exists in the bootstrap stage of Bitdefender BOX 2, versions 2.1.47.42 and 2.1.53.45. The API method `/api/download_image` unsafely handles the production firmware URL supplied by remote servers, leading to arbitrary execution of system commands. To trigger this vulnerability, an unauthenticated attacker needs to impersonate a remote Nimbus server.
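The bug class here is a URL from an untrusted (impersonated) server being spliced into a shell command. The following is an added illustration written for this post, not Bitdefender's code: the `download_image` handler, the `wget` invocation, the Nimbus host allowlist and the "fetch" command are all hypothetical stand-ins, and the shell step is replaced by `echo` so it runs offline. It shows a URL concatenated into a shell string, the same URL passed as a discrete argument, and a validation step that rejects anything that is not a plain HTTPS URL to an expected host.

```python
import subprocess
from urllib.parse import urlparse

# Hypothetical allowlist of update servers; a real device would pin these.
EXPECTED_HOSTS = {"nimbus.example.invalid"}

# Constructed attacker-controlled URL, as an impersonated update server could return it.
MALICIOUS_URL = "http://fw/box.bin; echo INJECTED"


def fetch_unsafe(url: str) -> list[str]:
    """Vulnerable pattern: the URL is interpolated into a shell command string.

    Stands in for something like os.system("wget -O /tmp/fw.bin " + url).
    Anything after ';' in the URL becomes a second shell command.
    """
    cmd = f"echo fetching {url}"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def fetch_safe(url: str) -> list[str]:
    """Hardened pattern: no shell, the URL is one argv element.

    Shell metacharacters in the URL are passed through literally and never parsed.
    """
    out = subprocess.run(["echo", "fetching", url], capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def validate_firmware_url(url: str) -> bool:
    """Reject anything that is not an https URL to an expected host with a sane path.

    Even with argv-style invocation, the URL should still be validated before a
    downloader is pointed at it; this check is defence in depth, not the primary fix.
    """
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return False
    if parsed.hostname not in EXPECTED_HOSTS:
        return False
    if parsed.username or parsed.password or parsed.query or parsed.fragment:
        return False
    # Paths for a firmware image should be a simple absolute path without
    # whitespace or shell metacharacters.
    path = parsed.path
    if not path.startswith("/") or any(c in path for c in " ;|&$`'\"\n\\"):
        return False
    return True


if __name__ == "__main__":
    print("unsafe:", fetch_unsafe(MALICIOUS_URL))  # second line 'INJECTED' appears
    print("safe:  ", fetch_safe(MALICIOUS_URL))    # single literal line, nothing executed
    print("valid: ", validate_firmware_url(MALICIOUS_URL))
```

The unsafe variant yields two lines of output because `sh` split the string at the `;`; the safe variant yields one line containing the attacker's text verbatim. Note that `subprocess.run` with a list is only safe if the called program does not itself re-parse its arguments through a shell, which is why the URL check is kept as well.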

Read the complete vulnerability advisory here for additional information.

Bitdefender BOX 2 bootstrap update_setup command execution vulnerability (TALOS-2019-0918)

An exploitable command execution vulnerability exists in the recovery partition of Bitdefender BOX 2, version 2.0.1.91. The API method `/api/update_setup` does not perform firmware signature checks atomically, leading to an exploitable race condition (TOCTTOU) that allows arbitrary execution of system commands. To trigger this vulnerability, an unauthenticated attacker can send a series of HTTP requests to the device while it is in the bootstrap stage.
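A time-of-check-to-time-of-use flaw in an update path means the bytes that were signature-checked are not guaranteed to be the bytes that get installed. The following is an added illustration for this post, not the BOX 2's actual update code: the HMAC "signature" and its key are constructed stand-ins for a real signing scheme, the `install_*` functions are hypothetical, and the attacker's file swap is modelled with a callback instead of a second HTTP request so that the race is reproducible. It shows a handler that re-reads the image from disk after verifying it, next to one that verifies and installs the same in-memory bytes.

```python
import hashlib
import hmac
import os
import tempfile
from typing import Callable, Optional

# Constructed stand-in for the device's signing key; a real device would use
# an asymmetric signature and a public key baked into the recovery image.
SIGNING_KEY = b"constructed-stand-in-signing-key"

GOOD_IMAGE = b"#!/bin/sh\necho legitimate firmware\n"
EVIL_IMAGE = b"#!/bin/sh\necho attacker payload\n"


def sign(data: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, data, hashlib.sha256).digest()


def verify(data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(data), sig)


def install_racy(image_path: str, sig_path: str,
                 between_check_and_use: Optional[Callable[[], None]] = None) -> Optional[bytes]:
    """Vulnerable: checks the file on disk, then later re-reads the file on disk."""
    with open(image_path, "rb") as f:
        checked = f.read()
    with open(sig_path, "rb") as f:
        sig = f.read()
    if not verify(checked, sig):
        return None
    # Window between check and use: a second request can overwrite image_path here.
    if between_check_and_use:
        between_check_and_use()
    with open(image_path, "rb") as f:
        return f.read()  # whatever is on disk now, verified or not


def install_atomic(image_path: str, sig_path: str,
                   between_check_and_use: Optional[Callable[[], None]] = None) -> Optional[bytes]:
    """Hardened: verifies one in-memory copy and installs exactly that copy."""
    with open(image_path, "rb") as f:
        data = f.read()
    with open(sig_path, "rb") as f:
        sig = f.read()
    if not verify(data, sig):
        return None
    if between_check_and_use:
        between_check_and_use()  # a swap on disk no longer matters
    return data


def run_demo() -> tuple[Optional[bytes], Optional[bytes]]:
    """Stage a valid signed image, swap it during the window, return both outcomes."""
    workdir = tempfile.mkdtemp()
    image_path = os.path.join(workdir, "firmware.bin")
    sig_path = os.path.join(workdir, "firmware.sig")
    results = []
    for installer in (install_racy, install_atomic):
        with open(image_path, "wb") as f:
            f.write(GOOD_IMAGE)
        with open(sig_path, "wb") as f:
            f.write(sign(GOOD_IMAGE))

        def attacker_swap() -> None:
            # Models the attacker's follow-up request replacing the image file.
            with open(image_path, "wb") as f:
                f.write(EVIL_IMAGE)

        results.append(installer(image_path, sig_path, attacker_swap))
    return results[0], results[1]


if __name__ == "__main__":
    racy, atomic = run_demo()
    print("racy installed attacker image:", racy == EVIL_IMAGE)
    print("atomic installed verified image:", atomic == GOOD_IMAGE)
```

The racy handler installs the attacker's image even though it only ever accepted a valid signature; the atomic one cannot be fooled by a swap because nothing is re-read. Where the image is too large to hold in memory, the equivalent is to open it once, verify and install through that same file descriptor, and never reopen by path.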

Read the complete vulnerability advisory here for additional information.

Versions tested

Talos tested and confirmed that versions 2.0.1.91 (in bootstrap mode), 2.1.47.42 and 2.1.53.45 (in production mode) of Bitdefender BOX 2 are affected by these vulnerabilities.

Coverage

The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 51929, 51948