A vulnerability has been identified in the HTTPS scanning functionality of Bitdefender Total Security: the product incorrectly validates the site's certificate, which allows an attacker to perform man-in-the-middle (MITM) attacks on SSL/TLS connections to an arbitrary site. The product trusts certificates signed with the collision-prone MD5 and SHA-1 hash functions, which allows an attacker to craft rogue certificates that appear legitimate.
History

Tue, 22 Oct 2024 16:30:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1 {'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N'}


Fri, 18 Oct 2024 16:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Bitdefender; Bitdefender total Security
CPEs | | cpe:2.3:a:bitdefender:total_security:*:*:*:*:*:*:*:*
Vendors & Products | | Bitdefender; Bitdefender total Security
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 18 Oct 2024 08:15:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability has been identified in the Bitdefender Total Security HTTPS scanning functionality where the product incorrectly checks the site's certificate, which allows an attacker to make MITM SSL connections to an arbitrary site. The product trusts certificates that are issued using the MD5 and SHA1 collision hash functions which allow attackers to create rogue certificates that appear legitimate.
Title | | Insecure Trust of certificates using collision hash functions in Bitdefender Total Security HTTPS Scanning (VA-11239)
Weaknesses | | CWE-295
References | |
Metrics | | cvssV4_0 {'score': 8.6, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N'}


MITRE

Status: PUBLISHED

Assigner: Bitdefender

Published: 2024-10-18T07:59:02.244Z

Updated: 2024-10-18T15:25:37.785Z

Reserved: 2023-11-27T14:21:51.156Z

Link: CVE-2023-49567

Vulnrichment

Updated: 2024-10-18T15:25:33.461Z

NVD

Status: Analyzed

Published: 2024-10-18T08:15:03.143

Modified: 2024-10-22T16:39:16.370

Link: CVE-2023-49567

Red Hat

No data.