Folks running Bitdefender's Total Security 2020 package should check they have the latest version installed following the disclosure of a remote code execution bug.
Wladimir Palant, cofounder of Adblock-Plus-maker Eyeo, tipped off Bitdefender about the flaw, CVE-2020-8102, after discovering what he called "seemingly small weaknesses" that could be exploited by a hostile website to take control of a computer running Bitdefender's antivirus package. The bug, privately reported in April, was patched in May.
This week, Palant said the vulnerability stems from the way Bitdefender's code inspected HTTPS-encrypted connections for signs of malicious activity to block. To do this, the software examined webpages and other data once it was fetched over HTTPS and decrypted.
It's important to note that Bitdefender said the bug was within its Chromium-based "secure browser" SafePay, which is supposed to protect online payments from hackers and is part of its Total Security 2020 suite. Meanwhile, Palant said the vulnerability was within a component called Online Protection within that suite, meaning it could be exploited by any website opened in any browser on any computer running Bitdefender's vulnerable antivirus package.
At the heart of the matter is the way Bitdefender's code handles pages fetched via HTTPS.
"Occasionally their product will have to modify the server response, for example on search pages where they inject the script implementing the Safe Search functionality," Palant explained. "Here they unavoidably have to encrypt the modified server response with their own certificate."
This is where the software tripped up. When the antivirus suite wanted to flag up suspicious or broken HTTPS certificates, which are sometimes a sign shenanigans may be afoot, Bitdefender's code generated a custom error page that appeared as though it came from the requested website. It would do this by modifying the server response.
It’s generally preferable that antivirus vendors stay away from encrypted connections as much as possible
There was nothing to stop a web server with a bad certificate from requesting the contents of Bitdefender's custom error page, though, because as far as your browser is concerned, the error page came from the web server anyway.
Thus, a malicious web server could serve a page with a good certificate, and cause a new window to open with a page from the same domain and server albeit with an invalid certificate. Bitdefender's code would jump in, and replace the second webpage with a custom error page. The first page with the good certificate could then use XMLHttpRequest to fetch the contents of the error page, which your browser would hand over.
That error page contained the Bitdefender installation's session tokens, which could be used to send system commands to the security software suite on the user's PC to execute. Palant's proof-of-concept exploit worked against a Windows host, allowing a malicious page to install, say, spyware or ransomware on a victim's computer.
"The URL in the browser’s address bar doesn’t change," Palant explained. "So as far as the browser is concerned, this error page originated at the web server and there is no reason why other web pages from the same server shouldn’t be able to access it. Whatever security tokens are contained within it, websites can read them out.
"It’s generally preferable that antivirus vendors stay away from encrypted connections as much as possible. Messing with server responses tends to cause issues even when executed carefully, which is why I consider browser extensions the preferable way of implementing online protection. But even with their current approach, Bitdefender should really leave error handling to the browser."
Bitdefender said the update to fix the hole should be automatically applied.
"Improper input validation vulnerability in the Safepay browser component of Bitdefender Total Security 2020 allows an external, specially crafted web page to run remote commands inside the Safepay Utility process," the biz acknowledged. "This issue affects Bitdefender Total Security 2020 versions prior to 220.127.116.11." ®