Vulnerability in Bitdefender

Bitdefender produces several antivirus products. The privilege escalation vulnerability existed in Bitdefender Total Security, Internet Security, Antivirus Plus and Antivirus Free.

CVE-2023-6154 - Local privilege escalation vulnerability in Bitdefender
The now fixed vulnerability allowed an attacker to escalate their privileges to SYSTEM on a system to which the attacker already had access.

This was possible by using COM hijacking to execute code in the context of a trusted front-end process. The trust between the front end and the back end was then abused to write registry values as SYSTEM, which allowed the attacker to execute code as SYSTEM.
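As an added defender-side check that is not part of the advisory and not Bitdefender's code: the PowerShell below lists per-user COM server registrations under HKCU that shadow a machine-wide CLSID, which is the kind of registration COM hijacking relies on because HKCU\Software\Classes is consulted before HKLM. It assumes the standard Windows registry layout; the function name is our own.

```powershell
# Added example: enumerate HKCU CLSIDs whose InprocServer32 / LocalServer32
# shadow a CLSID that is also registered machine-wide under HKLM.
# Run on the host being audited; no elevation is required to read these keys.

$userClsidRoot    = 'HKCU:\Software\Classes\CLSID'
$machineClsidRoot = 'HKLM:\Software\Classes\CLSID'

function Get-ShadowedComServers {
    param(
        [string]$UserRoot    = $userClsidRoot,
        [string]$MachineRoot = $machineClsidRoot
    )
    if (-not (Test-Path $UserRoot)) { return @() }

    Get-ChildItem -Path $UserRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        foreach ($serverType in @('InprocServer32', 'LocalServer32')) {
            $userServerKey    = Join-Path $UserRoot    "$clsid\$serverType"
            $machineServerKey = Join-Path $MachineRoot "$clsid\$serverType"
            # Only flag CLSIDs that also exist machine-wide: those are the ones a
            # trusted process may resolve to the per-user (attacker-writable) path.
            if ((Test-Path $userServerKey) -and (Test-Path $machineServerKey)) {
                [pscustomobject]@{
                    CLSID         = $clsid
                    ServerType    = $serverType
                    UserServer    = (Get-ItemProperty $userServerKey).'(default)'
                    MachineServer = (Get-ItemProperty $machineServerKey).'(default)'
                }
            }
        }
    }
}

# Review every row: a per-user server path that differs from the machine-wide
# one and points into a user-writable directory deserves investigation.
Get-ShadowedComServers | Format-Table -AutoSize
```

On a clean workstation the table is usually empty or contains only entries from per-user installers; treat any row whose UserServer points to a user-writable location as a finding to investigate.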

We want to thank Bitdefender for their exemplary reaction to the vulnerability report.

CVSS Score
7.8 (CVSS v3) - https://nvd.nist.gov/vuln/detail/CVE-2023-6154

Affected Versions
Total Security: 27.0.25.114
Internet Security: 27.0.25.114
Antivirus Plus: 27.0.25.114
Antivirus Free: 27.0.25.114

Fixed Version
27.0.25.115

References

www.bitdefender.com/support/security-advisories/local-privilege-escalation-in-bitdefender-total-security-va-11168/

Credits: Kolja Grassmann (cirosec GmbH) and Alain Rödel (Neodyme)

Timeline
October 19, 2023: Vendor contacted and informed about the vulnerability
October 19, 2023: Initial response from the vendor
November 15, 2023: Vendor informed us that the issue was resolved and that updates were being rolled out
April 1, 2024: Vendor published its advisory