A remote code execution vulnerability in Bitdefender, known as CVE-2020-8102 was discovered recently. More specifically, the vulnerability resided in the Safepay browser component in the security solution.
CVE-2020-8102: Technical Overview
Here’s the official description of CVE-2020-8102:
Improper Input Validation vulnerability in the Safepay browser component of Bitdefender Total Security 2020 allows an external, specially crafted web page to run remote commands inside the Safepay Utility process. This issue affects Bitdefender Total Security 2020 versions prior to 220.127.116.11.
The vulnerability was disclosed by Wladimir Palant, the original developer of AdBlock Plus. The flaw stems from the way Bitdefender protects users from invalid certificates.
As part of its Online Protection functionality, Bitdefender Antivirus will inspect secure HTTPS connections. Rather than leaving error handling to the browser, Bitdefender for some reason prefers to display their own error pages. This is similar to how Kaspersky used to do it but without most of the adverse effects. The consequence is nevertheless that websites can read out some security tokens from these error pages, the researcher said in his report.
When presented with an invalid or expired SSL certificate, most browsers ask the user to accept the certificate with a warning. Bitdefender also acts in a similar way. If a user chooses to ignore the warning, known as HSTS (HTTP Strict Transport Security), this is generally not considered a security risk.
However, if the URL within the address bar remains constant, the security solution would be tricked into sharing security tokens between the suspicious page and all other sites hosted on the same server and running within Bitdefender’s Safepay virtual browsing environment. This issue has been previously seen in Kaspersky products. Here’s what the researcher says about this:
The URL in the browser’s address bar doesn’t change. So as far as the browser is concerned, this error page originated at the web server and there is no reason why other web pages from the same server shouldn’t be able to access it. Whatever security tokens are contained within it, websites can read them out – an issue we’ve seen in Kaspersky products before.
There’s also proof-of-concept that demonstrates how the vulnerability works. For it, Palant used a local web server and initially a valid SSL which he changed with an invalid one shortly after the first.
Palant demonstrated this behavior via a PoC in which he had a locally running web server presenting a valid SSL certificate on the first request but switching to an invalid one right after.