CVE-2021-3554 - OpenCVE

Improper Access Control vulnerability in the patchesUpdate API as implemented in Bitdefender Endpoint Security Tools for Linux as a relay role allows an attacker to manipulate the remote address used for pulling patches. This issue affects: Bitdefender Endpoint Security Tools for Linux versions prior to 6.6.27.390; versions prior to 7.1.2.33. Bitdefender Unified Endpoint versions prior to 6.2.21.160. Bitdefender GravityZone versions prior to 6.24.1-1.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Bitdefender	Endpoint Security Tools Gravityzone

Configuration 1 [-]

OR	cpe:2.3:a:bitdefender:endpoint_security_tools::::::::
	cpe:2.3:a:bitdefender:endpoint_security_tools::::::linux::*
	cpe:2.3:a:bitdefender:endpoint_security_tools::::::::
	cpe:2.3:a:bitdefender:gravityzone::::::::
	cpe:2.3:a:bitdefender:gravityzone:6.24.1-1:::::::*

No data.

References

Link	Providers
https://www.bitdefender.com/support/security-advisories/improper-access-control-vulnerability-patchesupdate-api-va-9825

History

No history.

MITRE

Status: PUBLISHED

Assigner: Bitdefender

Published: 2021-11-24T14:45:12.904727Z

Updated: 2024-09-16T20:03:20.270Z

Reserved: 2021-05-17T00:00:00

Link: CVE-2021-3554

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-11-24T16:15:13.797

Modified: 2022-04-25T18:08:39.420

Link: CVE-2021-3554

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Endpoint Security Tools for Linux", "vendor": "Bitdefender", "versions": [{"lessThan": "6.6.27.390", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "7.1.2.33", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Unified Endpoint", "vendor": "Bitdefender", "versions": [{"lessThan": "6.2.21.160", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "GravityZone", "vendor": "Bitdefender", "versions": [{"lessThan": "6.24.1-1", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Nicolas VERDIER, Cybersecurity Consultant at TEHTRIS"}], "datePublic": "2021-06-05T00:00:00", "descriptions": [{"lang": "en", "value": "Improper Access Control vulnerability in the patchesUpdate API as implemented in Bitdefender Endpoint Security Tools for Linux as a relay role allows an attacker to manipulate the remote address used for pulling patches. This issue affects: Bitdefender Endpoint Security Tools for Linux versions prior to 6.6.27.390; versions prior to 7.1.2.33. Bitdefender Unified Endpoint versions prior to 6.2.21.160. Bitdefender GravityZone versions prior to 6.24.1-1."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "description": "CWE-284 Improper Access Control", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-11-24T14:45:12", "orgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82", "shortName": "Bitdefender"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.bitdefender.com/support/security-advisories/improper-access-control-vulnerability-patchesupdate-api-va-9825"}], "source": {"advisory": "VA-9825", "discovery": "EXTERNAL"}, "title": "Improper Access Control vulnerability in the patchesUpdate API", "workarounds": [{"lang": "en", "value": "An automatic update to version 6.6.27.390 fixes the issue."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve-requests@bitdefender.com", "DATE_PUBLIC": "2021-06-05T09:00:00.000Z", "ID": "CVE-2021-3554", "STATE": "PUBLIC", "TITLE": "Improper Access Control vulnerability in the patchesUpdate API"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Endpoint Security Tools for Linux", "version": {"version_data": [{"version_affected": "<", "version_value": "6.6.27.390"}, {"version_affected": "<", "version_value": "7.1.2.33"}]}}, {"product_name": "Unified Endpoint", "version": {"version_data": [{"version_affected": "<", "version_value": "6.2.21.160"}]}}, {"product_name": "GravityZone", "version": {"version_data": [{"version_affected": "<", "version_value": "6.24.1-1"}]}}]}, "vendor_name": "Bitdefender"}]}}, "credit": [{"lang": "eng", "value": "Nicolas VERDIER, Cybersecurity Consultant at TEHTRIS"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Improper Access Control vulnerability in the patchesUpdate API as implemented in Bitdefender Endpoint Security Tools for Linux as a relay role allows an attacker to manipulate the remote address used for pulling patches. This issue affects: Bitdefender Endpoint Security Tools for Linux versions prior to 6.6.27.390; versions prior to 7.1.2.33. Bitdefender Unified Endpoint versions prior to 6.2.21.160. Bitdefender GravityZone versions prior to 6.24.1-1."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-284 Improper Access Control"}]}]}, "references": {"reference_data": [{"name": "https://www.bitdefender.com/support/security-advisories/improper-access-control-vulnerability-patchesupdate-api-va-9825", "refsource": "MISC", "url": "https://www.bitdefender.com/support/security-advisories/improper-access-control-vulnerability-patchesupdate-api-va-9825"}]}, "source": {"advisory": "VA-9825", "discovery": "EXTERNAL"}, "work_around": [{"lang": "en", "value": "An automatic update to version 6.6.27.390 fixes the issue."}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T17:01:07.935Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.bitdefender.com/support/security-advisories/improper-access-control-vulnerability-patchesupdate-api-va-9825"}]}]}, "cveMetadata": {"assignerOrgId": "b3d5ebe7-963e-41fb-98e1-2edaeabb8f82", "assignerShortName": "Bitdefender", "cveId": "CVE-2021-3554", "datePublished": "2021-11-24T14:45:12.904727Z", "dateReserved": "2021-05-17T00:00:00", "dateUpdated": "2024-09-16T20:03:20.270Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bitdefender:endpoint_security_tools:*:*:*:*:*:*:*:*", "matchCriteriaId": "5BF95C9E-3696-4495-B347-068F6888DDE8", "versionEndExcluding": "6.6.27.390", "vulnerable": true}, {"criteria": "cpe:2.3:a:bitdefender:endpoint_security_tools:*:*:*:*:*:linux:*:*", "matchCriteriaId": "2EB311C9-8B4E-4D11-8FFF-E4E14DAE686E", "versionEndExcluding": "6.6.27.390", "vulnerable": true}, {"criteria": "cpe:2.3:a:bitdefender:endpoint_security_tools:*:*:*:*:*:*:*:*", "matchCriteriaId": "B1087345-C896-4934-A019-552B2B9F303F", "versionEndExcluding": "7.1.2.33", "versionStartIncluding": "7.0.0.00", "vulnerable": true}, {"criteria": "cpe:2.3:a:bitdefender:gravityzone:*:*:*:*:*:*:*:*", "matchCriteriaId": "01F7A9DD-2F78-47D2-B9FD-83D12C755798", "versionEndExcluding": "6.24.1-1", "vulnerable": true}, {"criteria": "cpe:2.3:a:bitdefender:gravityzone:6.24.1-1:*:*:*:*:*:*:*", "matchCriteriaId": "7D891393-9AC4-434F-B1D1-2D1B2FA7C0C9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Access Control vulnerability in the patchesUpdate API as implemented in Bitdefender Endpoint Security Tools for Linux as a relay role allows an attacker to manipulate the remote address used for pulling patches. This issue affects: Bitdefender Endpoint Security Tools for Linux versions prior to 6.6.27.390; versions prior to 7.1.2.33. Bitdefender Unified Endpoint versions prior to 6.2.21.160. Bitdefender GravityZone versions prior to 6.24.1-1."}, {"lang": "es", "value": "Una vulnerabilidad de control de acceso inadecuado en la API patchesUpdate, tal y como se implementa en Bitdefender Endpoint Security Tools for Linux como rol de retransmisi\u00f3n, permite a un atacante manipular la direcci\u00f3n remota usada para extraer parches. Este problema afecta a: Las versiones de Bitdefender Endpoint Security Tools for Linux anteriores a 6.6.27.390; las versiones anteriores a la 7.1.2.33. Las versiones de Bitdefender Unified Endpoint anteriores a 6.2.21.160. Versiones de Bitdefender GravityZone anteriores a 6.24.1-1"}], "id": "CVE-2021-3554", "lastModified": "2022-04-25T18:08:39.420", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 6.0, "source": "cve-requests@bitdefender.com", "type": "Secondary"}]}, "published": "2021-11-24T16:15:13.797", "references": [{"source": "cve-requests@bitdefender.com", "tags": ["Broken Link"], "url": "https://www.bitdefender.com/support/security-advisories/improper-access-control-vulnerability-patchesupdate-api-va-9825"}], "sourceIdentifier": "cve-requests@bitdefender.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-284"}], "source": "cve-requests@bitdefender.com", "type": "Secondary"}]}