CVE-2021-3554

Improper Access Control vulnerability in the patchesUpdate API

Severity Score

10.0

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Improper Access Control vulnerability in the patchesUpdate API as implemented in Bitdefender Endpoint Security Tools for Linux as a relay role allows an attacker to manipulate the remote address used for pulling patches. This issue affects: Bitdefender Endpoint Security Tools for Linux versions prior to 6.6.27.390; versions prior to 7.1.2.33. Bitdefender Unified Endpoint versions prior to 6.2.21.160. Bitdefender GravityZone versions prior to 6.24.1-1.

Una vulnerabilidad de control de acceso inadecuado en la API patchesUpdate, tal y como se implementa en Bitdefender Endpoint Security Tools for Linux como rol de retransmisión, permite a un atacante manipular la dirección remota usada para extraer parches. Este problema afecta a: Las versiones de Bitdefender Endpoint Security Tools for Linux anteriores a 6.6.27.390; las versiones anteriores a la 7.1.2.33. Las versiones de Bitdefender Unified Endpoint anteriores a 6.2.21.160. Versiones de Bitdefender GravityZone anteriores a 6.24.1-1

*Credits: Nicolas VERDIER, Cybersecurity Consultant at TEHTRIS

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-05-17 CVE Reserved
2021-11-24 CVE Published
2024-02-19 EPSS Updated
2024-09-16 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-284: Improper Access Control

CAPEC

References (1)

URL	Tag	Source
https://www.bitdefender.com/support/security-advisories/improper-access-control-vulnerability-patchesupdate-api-va-9825	Broken Link

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Bitdefender Search vendor "Bitdefender"		Endpoint Security Tools Search vendor "Bitdefender" for product "Endpoint Security Tools"				< 6.6.27.390 Search vendor "Bitdefender" for product "Endpoint Security Tools" and version " < 6.6.27.390"		-		Affected
Bitdefender Search vendor "Bitdefender"		Endpoint Security Tools Search vendor "Bitdefender" for product "Endpoint Security Tools"				< 6.6.27.390 Search vendor "Bitdefender" for product "Endpoint Security Tools" and version " < 6.6.27.390"		linux		Affected
Bitdefender Search vendor "Bitdefender"		Endpoint Security Tools Search vendor "Bitdefender" for product "Endpoint Security Tools"				>= 7.0.0.00 < 7.1.2.33 Search vendor "Bitdefender" for product "Endpoint Security Tools" and version " >= 7.0.0.00 < 7.1.2.33"		-		Affected
Bitdefender Search vendor "Bitdefender"		Gravityzone Search vendor "Bitdefender" for product "Gravityzone"				< 6.24.1-1 Search vendor "Bitdefender" for product "Gravityzone" and version " < 6.24.1-1"		-		Affected
Bitdefender Search vendor "Bitdefender"		Gravityzone Search vendor "Bitdefender" for product "Gravityzone"				6.24.1-1 Search vendor "Bitdefender" for product "Gravityzone" and version "6.24.1-1"		-		Affected