Serious Remote Code Execution Flaw Found In Bitdefender Total Security 2020

A serious security flaw existed in the Bitdefender Total Security 2020 software. As discovered by the researcher, this vulnerability could allow remote code execution to an attacker upon exploitation.

Bitdefender Total Security 2020 Flaw

Reportedly, a security researcher Wladimir Palant found a high-severity flaw in Bitdefender Total Security 2020 solution.

Sharing the details in a post, the researcher revealed that the flaw affected the SafePay browser component of the software. Bitdefender’s SafePay browser is a dedicated feature to ensure secure online banking.

Briefly, the researcher caught numerous small vulnerabilities that could together lead to devastating results.

As a standard, Bitdefender used to display custom error pages while inspecting HTTPS connections instead of leaving it to the browser. This, in turn, allowed websites to read security tokens from these pages, which an adversary could potentially exploit.

As stated in the post,

These security tokens cannot be used to override errors on other websites, but they can be used to start a session with the Chromium-based Safepay browser. This API was never meant to accept untrusted data, so… command line flags can be injected, which in the worst case results in arbitrary applications starting up.

Bitdefender Patched The Vulnerability

The researcher Palant, after discovering this flaw, reported the matter to Bitdefender via their bug bounty program. Bitdefender also acknowledged the flaw that received the CVE ID CVE-2020-8102, and a severity score of 8.8.

Later, Bitdefender patched the flaw in Bitdefender Total Security 2020 with the release of version 24.0.20.116.

Describing the details in an advisory, the vendors stated,

Improper Input Validation vulnerability in the Safepay browser component of Bitdefender Total Security 2020 allows an external, specially crafted web page to run remote commands inside the Safepay Utility process.

Though, users don’t have to worry about this bug since the update will automatically reach their devices. However, they can always check their software manually for any updates as well.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients