Vulnerability Allows Hackers To Completely Compromise Bitdefender GravityZone


Bitdefender GravityZone is a highly scalable and resilient security management solution spanning virtualized, physical and mobile endpoint protection. The vulnerabilities found in Bitdefender GravityZone allow an attacker to fully compromise the GravityZone deployment: they can gain system- and database-level access and can then manage all endpoints.


There is a high chance that Bitdefender GravityZone can be used as an entry point into the target infrastructure. Bitdefender designed it to give administrators features that reduce the daily security hassle and eliminate the need for point solutions, with unified protection across virtualized, physical and mobile endpoints. Unlike other solutions that bolt modules onto an aging architecture, the GravityZone Control Center dashboard was designed specifically to unify monitoring and security management in a single, simple and accessible interface.

Versions below 5.1.11.432 are vulnerable; the fix is contained in version 5.1.11.432 and above.

Vulnerability Description:

1) Unauthenticated local file disclosure (Web Console, Update Server)

Unauthenticated users can read arbitrary files from the filesystem with the privileges of the "nginx" operating system user. These files include configuration files containing sensitive information such as clear text passwords which can be used in further attacks.

Separate vulnerabilities affecting both Web Console and Update Server were found.

Arbitrary files can be downloaded via a vulnerable script: https://<host>/webservice/CORE/downloadFullKitEpc/a/1?id=../../../../../etc/passwd

The update server is vulnerable to local file disclosure as well. Arbitrary files can be downloaded using the following HTTP request:

GET /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1
Host: <host>:7074
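Both file disclosure issues above belong to the same defect class: a request-controlled path fragment is joined onto a base directory without canonicalization, and in the update server's case the `..` segments are percent-encoded so a naive string check misses them. The following Python is an added example, not code from the post or from Bitdefender: it contrasts the vulnerable join with a hardened one that decodes, resolves and confines the path to its root, and it runs a small detector over constructed nginx-style access log lines (the `/opt/kits` root and the log lines are hypothetical values chosen for the demonstration).

```python
import re
from pathlib import Path
from typing import Dict, List, Optional
from urllib.parse import unquote

# Hypothetical kit directory used for the demonstration (not the product's real layout).
KIT_ROOT = Path("/opt/kits").resolve()


def vulnerable_kit_path(kit_id: str) -> Path:
    """The defect class on the page: request input joined straight onto a directory.
    '../../etc/passwd' simply walks out of the directory, and pathlib keeps the '..'."""
    return Path("/opt/kits") / kit_id


def safe_kit_path(kit_id: str, root: Path = KIT_ROOT) -> Optional[Path]:
    """Hardened form: decode (twice, to catch %2e%2e and double-encoded variants),
    reject absolute paths and NUL bytes, resolve '..' and symlinks, then require the
    result to still sit inside the root directory. Returns None when it does not."""
    decoded = unquote(unquote(kit_id))
    if "\x00" in decoded or decoded.startswith(("/", "\\")):
        return None
    candidate = (root / decoded).resolve()
    try:
        candidate.relative_to(root)   # raises ValueError once the path escapes the root
    except ValueError:
        return None
    return candidate


# Constructed nginx-style access log lines for the demonstration (not real GravityZone logs).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2015:10:00:00 +0000] "GET /webservice/CORE/downloadFullKitEpc/a/1?id=1 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2015:10:00:01 +0000] "GET /webservice/CORE/downloadFullKitEpc/a/1?id=../../../../../etc/passwd HTTP/1.1" 200 1824
10.0.0.9 - - [01/Jan/2015:10:00:02 +0000] "GET /%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1824
10.0.0.7 - - [01/Jan/2015:10:00:03 +0000] "GET /update/index.html HTTP/1.1" 200 300
"""

# Common log format: client IP, ident, user, [timestamp], "METHOD target PROTOCOL", status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A '..' segment followed by a separator, or a trailing '..', after decoding.
TRAVERSAL_RE = re.compile(r"(\.\.[\\/]|[\\/]\.\.$)")


def find_traversal_attempts(log_text: str) -> List[Dict]:
    """Return one finding per request whose decoded target contains a traversal segment.
    Decoding before matching is what makes the %2e%2e form of the update server
    request visible; the status code is kept so a 200 can be prioritised over a 404."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        target = unquote(unquote(m["target"]))
        if TRAVERSAL_RE.search(target):
            findings.append({"ip": m["ip"], "target": m["target"], "status": int(m["status"])})
    return findings


if __name__ == "__main__":
    print("vulnerable join:", vulnerable_kit_path("../../etc/passwd"))
    print("hardened join  :", safe_kit_path("../../etc/passwd"))
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print("traversal attempt:", hit)
```

The detector deliberately keeps the raw `target` in each finding so an analyst can see which encoding the client used; the hardened resolver returns `None` rather than raising so the caller can answer with a generic 404 and log the rejected identifier.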


2) Insecure service configuration / design issues

The MongoDB database, which is exposed on the network by default (TCP ports 27017, 28017), can be accessed using hard-coded credentials which can't be changed. The overall system design requires the database to be reachable over the network. All relevant GravityZone configuration data can be read and changed, including the user table.

Excerpt from the documentation describing TCP port 27017: "Default port used by the Communication Server and Control Center to access the Database."

Attackers can connect to MongoDB on TCP ports 27017 and 28017 using the following hard-coded credentials: Username: <removed>, Password: <removed>
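Because the credentials cannot be rotated and the design requires network access to the database, the practical compensating controls are to restrict ports 27017 and 28017 at the host firewall to the Communication Server and Control Center addresses and to watch for any other client reaching the database. The script below is an added example, not part of the post or of the product: it audits constructed mongod log lines in the "connection accepted from" format against an allow-list of database clients (the addresses and log lines are hypothetical values for the demonstration).

```python
import re
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Hosts that legitimately need the database. Hypothetical addresses: substitute the
# real Communication Server and Control Center hosts of the deployment.
ALLOWED_SOURCES = [
    ip_network("10.10.1.10/32"),   # hypothetical Communication Server
    ip_network("10.10.1.11/32"),   # hypothetical Control Center
    ip_network("127.0.0.1/32"),    # local administration
]

# Constructed mongod log excerpt for the demonstration (sample values, not a real capture).
SAMPLE_MONGOD_LOG = """\
2015-03-02T10:15:01.123+0000 I NETWORK  [initandlisten] connection accepted from 10.10.1.10:49152 #1 (1 connection now open)
2015-03-02T10:15:02.456+0000 I NETWORK  [initandlisten] connection accepted from 10.10.1.11:49153 #2 (2 connections now open)
2015-03-02T10:15:09.789+0000 I NETWORK  [initandlisten] connection accepted from 192.168.77.5:51000 #3 (3 connections now open)
2015-03-02T10:15:10.000+0000 I NETWORK  [conn3] end connection 192.168.77.5:51000 (2 connections now open)
"""

# Matches the accepted-connection line; only IPv4 sources are handled in this example.
CONN_RE = re.compile(
    r"connection accepted from (?P<ip>\d+\.\d+\.\d+\.\d+):(?P<port>\d+) #(?P<conn>\d+)"
)


def unexpected_db_clients(log_text: str, allowed=ALLOWED_SOURCES) -> List[Dict]:
    """Return one finding per accepted connection whose source address is outside
    the allow-list. 'end connection' lines are ignored so each client is reported
    once per connection rather than twice."""
    findings = []
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        src = ip_address(m["ip"])
        if not any(src in net for net in allowed):
            findings.append({"ip": m["ip"], "port": int(m["port"]), "conn": int(m["conn"])})
    return findings


if __name__ == "__main__":
    for finding in unexpected_db_clients(SAMPLE_MONGOD_LOG):
        print("database client outside allow-list:", finding)
```

Run it against the mongod log of the GravityZone appliance on a schedule; any finding means a host other than the two documented consumers reached the database, which with unchangeable credentials is equivalent to full access to the configuration and user tables described above.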

3) Missing authentication

Authentication is not required for certain scripts in the web UI. This allows unauthenticated attackers to execute administrative functions.

Authentication is not required for the following script: /webservice/CORE/downloadSignedCsr (unauthenticated certificate upload)

At the time of writing, the Bitdefender team has fixed some of these vulnerabilities.
