A local privilege escalation vulnerability in Bitdefender Total Security 27.0.46.231 allows low-privileged attackers to elevate privileges. The issue arises from bdservicehost.exe deleting files from a user-writable directory (C:ProgramDataAtcFeedback) without proper symbolic link validation, enabling arbitrary file deletion. This issue is chained with a file copy operation during network events and a filter driver bypass via DLL injection to achieve arbitrary file copy and code execution as elevated user.
Weakness
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Antivirus | Bitdefender | * | 30.0.25.77 (excluding) |
| Antivirus_plus | Bitdefender | * | 27.10.45.497 (excluding) |
| Endpoint_security_tools | Bitdefender | * | 7.9.20.515 (excluding) |
| Internet_security | Bitdefender | * | 27.10.45.497 (excluding) |
| Total_security | Bitdefender | * | 27.10.45.497 (excluding) |
Potential Mitigations
- Follow the principle of least privilege when assigning access rights to entities in a software system.
- Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/132.html
- https://cwe.mitre.org/data/definitions/17.html
- https://cwe.mitre.org/data/definitions/35.html
- https://cwe.mitre.org/data/definitions/76.html