Multiple critical vulnerabilities in Bitdefender GravityZone

SEC Consult Vulnerability Lab Security Advisory < 20140716-3 >

=======================================================================

title: Multiple critical vulnerabilities

product: Bitdefender GravityZone

vulnerable version: <5.1.11.432

fixed version: >=5.1.11.432

impact: critical

homepage: www.bitdefender.com

found: 2014-05-22

by: Stefan Viehböck

SEC Consult Vulnerability Lab

www.sec-consult.com

=======================================================================

 

Vendor description:

-------------------

Bitdefender GravityZone lets enterprises control and protect the heterogeneous

environments of today. The solution combines highly optimized virtualization

aware security with leading detection technologies and a fresh, but proven,

architecture. It empowers administrators with features adapted to reduce the

daily security hassle and eliminate the need for point solutions with unified

protection across virtualized, physical, and mobile endpoints. Unlike other

solutions that bolt-on modules to an aging architecture, the GravityZone

Control Center dashboard has been designed specifically to unify monitoring

and security management in a single simple and accessible interface.

 

Source: download.bitdefender.com/resources/media/materials/business/en/datasheet-gravityzone-brief.pdf

 

 

Business recommendation:

------------------------

Attackers are able to completely compromise the Bitdefender GravityZone

solution as they can gain system and database level access.

Furthermore attackers can manage all endpoints.

 

The Bitdefender GravityZone can be used as an entry point into the target

infrastructure (lateral movement, privilege escalation).

 

It is highly recommended by SEC Consult not to use this software until a

thorough security review has been performed by security professionals and all

identified issues have been resolved.

 

 

Vulnerability overview/description:

-----------------------------------

1) Unauthenticated local file disclosure (Web Console, Update Server)

Unauthenticated users can read arbitrary files from the filesystem with the

privileges of the "nginx" operating system user. These files include

configuration files containing sensitive information such as clear text

passwords which can be used in further attacks.

 

Separate vulnerabilities affecting both Web Console and Update Server were

found.

 

 

2) Insecure service configuration / design issues

The MongoDB database which is offered via the network by default (TCP ports

27017, 28017) can be accessed using hardcoded credentials which can't be

changed. The overall system design requires the database to be accessible via

the network.

All relevant GravityZone configuration data can be accessed and changed. This

includes the user table.

 

Excerpt from the documentation describing the TCP port 27017:

"Default port used by the Communication Server and Control Center to access

the Database."

 

 

3) Missing authentication

Authentication is not required for certain scripts in the web UI. This

allows unauthenticated attackers to execute administrative functions without

prior authentication.

 

 

Proof of concept:

-----------------

1) Unauthenticated local file disclosure (Web Console, Update Server)

Arbitrary files can be downloaded via a vulnerable script:

https:// <host>/webservice/CORE/downloadFullKitEpc/a/1?id=../../../../../etc/passwd

 

The Update Server is vulnerable to local file disclosure as well. Arbitrary

files can be downloaded using the following HTTP request:

 

GET /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1

Host: <host>:7074

 

2) Insecure service configuration / Design issues

Attackers can connect to MongoDB on TCP ports 27017 and 28017 using the

following hardcoded credentials:

Username: <removed>

Password: <removed>

 

Detailed proof of concept exploits have been removed for this vulnerability.

 

3) Missing authentication

Authentication is not required for the following script:

/webservice/CORE/downloadSignedCsr (Unauthenticated certificate upload)

 

 

 

Vulnerable / tested versions:

-----------------------------

The vulnerabilities have been verified to exist in GravityZone 5.1.5.386,

which was the most recent version at the time of discovery.

 

 

 

Vendor contact timeline:

------------------------

2014-05-26: Sending responsible disclosure policy and requesting encryption

keys.

2014-05-26: Vendor responds providing encryption keys.

2014-05-26: Sending advisory and proof of concept exploit via encrypted

channel.

2014-05-26: Vendor confirms receipt.

2014-06-04: Requesting status update.

2014-06-14: Vendor provides status update. Update will be released "End of

June".

2014-06-26: Vendor provides status update. Update for issue #1 and #3 will

be released June 30. Update for issue #2 will be released at the

end of July.

2014-06-27: Requesting info about other affected products. Clarifying

disclosure of issue #2.

2014-07-09: Vendor confirms that update for issue #1 and #3 has been shipped

and KB article for issue #2 will be released.

2014-07-15: Requesting version numbers of affected products.

2014-07-16: SEC Consult releases coordinated security advisory.

 

 

 

Solution:

---------

Update to a more recent version of Bitdefender GravityZone _and_

implement mitigations for the issue #2.

 

More information can be found at:

www.bitdefender.com/support/how-to-configure-iptables-firewall-rules-on-gravityzone-for-restricting-outside-access-to-mongodatabase-1265.html

 

 

Workaround:

-----------

No workaround available.

 

 

Advisory URL:

-------------

www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

 

SEC Consult

Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

 

Headquarter:

Mooslackengasse 17, 1190 Vienna, Austria

Phone: +43 1 8903043 0

Fax: +43 1 8903043 15

 

Mail: research at sec-consult dot com

Web: www.sec-consult.com

Blog: blog.sec-consult.com

Twitter: twitter.com/sec_consult

 

EOF Stefan Viehböck / @2014