CVE-2021-3554
📋 TL;DR
CVE-2021-3554 is an improper access control flaw in the patchesUpdate API of Bitdefender Endpoint Security Tools for Linux. On a Linux agent configured with the relay role, an attacker who can reach the API can change the remote address from which the relay pulls patches, redirecting patch downloads to a server they control and potentially delivering malicious content to the endpoints that update through that relay. Affected products are Bitdefender Endpoint Security Tools for Linux, Bitdefender Unified Endpoint and Bitdefender GravityZone in versions before the fixes listed below.
💻 Affected Systems
- Bitdefender Endpoint Security Tools for Linux
- Bitdefender Unified Endpoint
- Bitdefender GravityZone
📦 What is this software?
GravityZone by Bitdefender
⚠️ Risk & Real-World Impact
Worst Case
An attacker points the relay's patch source at a malicious server and delivers attacker-controlled content to every endpoint that updates through that relay, leading to widespread compromise of the managed fleet and a path to data exfiltration.
Likely Case
An attacker with network access to the relay's API points it at a server they control, delivering malicious content to some managed endpoints, or simply breaks patch delivery by pointing the relay at a dead or bogus source.
If Mitigated
If the patchesUpdate API is reachable only from the management network (firewalling plus segmentation of relay hosts), an attacker without a foothold on that segment cannot reach the API at all, and the exposure is reduced to hosts that already sit on the management network.
🎯 Exploit Status
Exploitation requires network access to the patchesUpdate API on a system running the relay role. Because the flaw is a missing access control check rather than a memory-safety bug, no complex exploit is needed once the API is reachable: the attacker supplies a patch source address of their choosing. The advisory does not indicate any authentication requirement beyond reaching the API, so treat any untrusted host that can reach the port as able to exploit it.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Bitdefender Endpoint Security Tools for Linux: 6.6.27.390 or 7.1.2.33 (one fixed build per supported release line; upgrade to at least the fixed build of the line you run, or to the newer line); Bitdefender Unified Endpoint: 6.2.21.160; Bitdefender GravityZone: 6.24.1-1
Vendor Advisory: https://www.bitdefender.com/support/security-advisories/improper-access-control-vulnerability-patchesupdate-api-va-9825
Restart Required: Yes
Instructions:
1. Identify affected systems: compare each installed version with the fixed versions above (see How to Verify).
2. Download and install the patched version from Bitdefender's official channels (the GravityZone Control Center update mechanism or the vendor download site).
3. Restart the Bitdefender services or the whole system as required.
4. Verify the patch is applied by re-checking the installed version.
🔧 Temporary Workarounds
Disable relay functionality
Temporarily remove the relay role if it is not essential. Endpoints that update through this relay stop receiving updates until it is restored, so point them at another relay or at the console first. The cleaner way to remove the role is a Reconfigure Client task from GravityZone Control Center; stopping the service locally is a stopgap:
# Confirm the unit name on your system first: systemctl list-units --all | grep -i bitdefender
sudo systemctl stop bitdefender-relay
sudo systemctl disable bitdefender-relay
Restrict API access
Allow only management hosts to reach the patchesUpdate API port and drop everything else. Insert the rules at the top of the chain with -I: appending with -A would place them after any existing accept-all rule, where they never match. The ACCEPT is inserted second so it ends up above the DROP.
# [API_PORT]: port the patchesUpdate API listens on; [TRUSTED_IP]: GravityZone console / management host or subnet.
# If managed endpoints pull updates from the relay over the same port, their subnet must be allowed as well.
sudo iptables -I INPUT -p tcp --dport [API_PORT] -j DROP
sudo iptables -I INPUT -p tcp --dport [API_PORT] -s [TRUSTED_IP] -j ACCEPT
# Rules are lost on reboot unless saved (iptables-save, or your distribution's persistence mechanism).
🧯 If You Can't Patch
- Isolate relay systems in a dedicated network segment with strict inbound/outbound firewall rules
- Implement application-level monitoring for unusual patch download activities or source changes
🔍 How to Verify
Check if Vulnerable:
Check the installed Bitdefender version and compare against vulnerable versions listed in the advisory
Check Version:
bdscan --version where the Bitdefender scanner CLI is installed; on BEST for Linux agents read the version from the GravityZone Control Center network inventory or from the installed package (dpkg -l | grep -i bitdefender on Debian/Ubuntu, rpm -qa | grep -i bitdefender on RHEL-family systems)
Verify Fix Applied:
Verify the installed version is at or above the fixed build for its own release line (for BEST for Linux, 6.6.27.390 on the 6.6 line or 7.1.2.33 on the 7.1 line); a build that is merely numerically above the lowest fixed version is not necessarily fixed.
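The following script, an added example and not Bitdefender's own tooling, applies the fixed versions from the advisory to an installed version. It treats major.minor as the release line, which is an assumption of this example, so that a 7.0.x build of the Linux agent, numerically above 6.6.27.390 but below 7.1.2.33, is still reported as vulnerable; a plain "greater than the lowest fixed version" comparison would miss it. The product keys and the inventory are constructed sample data.

```python
"""Branch-aware check of an installed Bitdefender version against the fixed
versions for CVE-2021-3554 (VA-9825).

Added example, not Bitdefender's own tooling. The fixed versions are the ones
the vendor advisory lists; the product keys, the major.minor release-line rule
and the sample inventory are this example's own assumptions.
"""

# Product key -> fixed versions, one per release line that received the fix.
# BEST for Linux has two, so an installed build must be compared with the
# fix for its own line rather than with the lowest fixed version overall.
FIXED_VERSIONS = {
    "best-linux": ["6.6.27.390", "7.1.2.33"],
    "unified-endpoint": ["6.2.21.160"],
    "gravityzone": ["6.24.1-1"],
}

# Constructed sample inventory (hostname -> (product, installed version)),
# e.g. collected from dpkg/rpm output or exported from the console.
SAMPLE_INVENTORY = {
    "relay01": ("best-linux", "6.6.25.120"),    # 6.6 line, below fix -> vulnerable
    "relay02": ("best-linux", "7.0.5.100"),     # 7.0 line, no fix listed -> vulnerable
    "relay03": ("best-linux", "7.1.2.33"),      # exactly the 7.1 fix -> fixed
    "gz-console": ("gravityzone", "6.24.0-3"),  # below 6.24.1-1 -> vulnerable
}


def parse_version(text):
    """'6.24.1-1' -> (6, 24, 1, 1); '7.1.2.33' -> (7, 1, 2, 33)."""
    return tuple(int(p) for p in text.strip().replace("-", ".").split("."))


def is_fixed(product, installed):
    """True if `installed` carries the fix for CVE-2021-3554.

    Assumption: a release line is identified by major.minor. A build on a
    line with no fix listed is vulnerable if that line is older than the
    newest fixed line (BEST 7.0.x sits numerically between 6.6.27.390 and
    7.1.2.33 but has no fix of its own) and fixed if the line is newer.
    """
    inst = parse_version(installed)
    fixes = sorted(parse_version(v) for v in FIXED_VERSIONS[product])
    for fix in fixes:
        if inst[:2] == fix[:2]:
            return inst >= fix
    return inst[:2] > fixes[-1][:2]


def vulnerable_hosts(inventory):
    """Return the sorted hostnames whose installed version is not fixed."""
    return sorted(h for h, (prod, ver) in inventory.items() if not is_fixed(prod, ver))


if __name__ == "__main__":
    for host in vulnerable_hosts(SAMPLE_INVENTORY):
        print(f"{host}: vulnerable to CVE-2021-3554, update required")
```

Feed it your real inventory in place of SAMPLE_INVENTORY; the version strings can be taken directly from the package manager or the Control Center export, since parse_version accepts both the dotted and the dash-suffixed forms the advisory uses.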
📡 Detection & Monitoring
Log Indicators:
- Unusual patch download sources in Bitdefender logs
- API access logs showing unauthorized access to patchesUpdate endpoint
- Failed authentication attempts to management interfaces
Network Indicators:
- Unexpected outbound connections from relay systems to non-Bitdefender patch servers
- Unusual traffic patterns to/from the patchesUpdate API port
SIEM Query:
source="bitdefender" AND (
  (event_type="patch_download" AND NOT src_host IN ("trusted_bitdefender_servers"))
  OR (api_endpoint="/patchesUpdate" AND (auth_status="failed" OR NOT src_ip IN ("management_network")))
)
Field names are illustrative and must be mapped to your log schema. The parentheses matter: without them the second branch is not scoped to source="bitdefender". Requests to /patchesUpdate from outside the management network are worth an alert even when they report success, because the flaw is a missing access check rather than a broken credential.
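The indicators above and the source-change monitoring from the "If You Can't Patch" section can be exercised offline against sample events. The script below is an added example, not Bitdefender's logging format or a vendor-supplied rule: the key=value log lines are constructed, and the trusted host suffixes and management network are placeholders to replace with the patch sources and console address in your environment. It flags patch downloads from sources outside the allowlist, any change of patch source on a relay, and patchesUpdate requests that come from outside the management network or fail authentication.

```python
"""Offline check of relay log events for CVE-2021-3554 indicators.

Added example with constructed log lines; the field names, trusted host
suffixes and management network are assumptions to adapt to your SIEM.
"""
import ipaddress
from urllib.parse import urlsplit

# Assumption: patches legitimately come only from these domains. Matching on a
# leading-dot suffix rejects look-alikes such as evil-bitdefender.com or
# bitdefender.com.attacker.example.
TRUSTED_HOST_SUFFIXES = (".bitdefender.com", ".bitdefender.net")
# Assumption: the GravityZone console segment; only it may call the relay API,
# and an on-prem console may also act as the relay's update source.
MANAGEMENT_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed sample events (not real Bitdefender log output).
SAMPLE_LOG = [
    "2021-06-01T10:00:00Z host=relay01 event=patch_download source=https://upgrade.bitdefender.com/patches/a.zip status=ok",
    "2021-06-01T10:05:00Z host=relay01 event=api_request endpoint=/patchesUpdate src_ip=10.20.1.5 auth=ok",
    "2021-06-01T10:06:00Z host=relay01 event=api_request endpoint=/patchesUpdate src_ip=198.51.100.23 auth=failed",
    "2021-06-01T10:07:00Z host=relay01 event=patch_download source=http://203.0.113.7/patches/a.zip status=ok",
    "2021-06-01T10:08:00Z host=relay01 event=api_request endpoint=/patchesUpdate src_ip=10.20.1.9 auth=failed",
    "2021-06-01T10:09:00Z host=relay01 event=patch_download source=https://bitdefender.com.attacker.example/a.zip status=ok",
]


def parse_event(line):
    """Turn 'ts k=v k=v ...' into a dict; the timestamp is stored under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = ts
    return fields


def in_management_network(ip_text):
    """True if ip_text is an IP address inside one of MANAGEMENT_NETWORKS."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in MANAGEMENT_NETWORKS)


def is_trusted_source(source):
    """Accept a URL, bare hostname or IP; trusted on host suffix or network match."""
    host = urlsplit(source).hostname if "://" in source else source
    host = (host or "").lower()
    if in_management_network(host):
        return True
    return host.endswith(TRUSTED_HOST_SUFFIXES)


def find_alerts(lines):
    """Return a list of {ts, rule, detail} dicts for events matching the indicators."""
    alerts = []
    last_source = {}  # relay host -> previous patch source seen
    for line in lines:
        ev = parse_event(line)
        host, kind = ev.get("host", "?"), ev.get("event")
        if kind == "patch_download":
            src = ev.get("source", "")
            if not is_trusted_source(src):
                alerts.append({"ts": ev["ts"], "rule": "untrusted_patch_source", "detail": src})
            if host in last_source and last_source[host] != src:
                alerts.append({"ts": ev["ts"], "rule": "patch_source_changed",
                               "detail": f"{last_source[host]} -> {src}"})
            last_source[host] = src
        elif kind == "api_request" and ev.get("endpoint") == "/patchesUpdate":
            client = ev.get("src_ip", "")
            if not in_management_network(client):
                # The flaw is a missing access check, so a request from outside the
                # management network matters even when it reports auth=ok.
                alerts.append({"ts": ev["ts"], "rule": "patchesUpdate_untrusted_client", "detail": client})
            elif ev.get("auth") == "failed":
                alerts.append({"ts": ev["ts"], "rule": "patchesUpdate_auth_failure", "detail": client})
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert["ts"], alert["rule"], alert["detail"])
```

The source-change rule fires on any change, including a legitimate one, so use it as a review trigger rather than an automatic incident; the untrusted-source and untrusted-client rules are the ones that map directly onto exploitation of this flaw.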