CVE-2023-49570

7.4 HIGH

📋 TL;DR

Bitdefender Total Security's HTTPS scanning feature works as a local TLS interception proxy: it terminates the connection, validates the server's certificate chain itself, and presents the browser a certificate re-signed with Bitdefender's own locally trusted root. Versions before 27.0.30.146 accept a chain whose issuing certificate has a Basic Constraints extension marking it as an End Entity (CA:FALSE), i.e. a certificate that is not authorized to issue certificates. An attacker holding any legitimately issued end-entity certificate and its private key can therefore sign a certificate for an arbitrary hostname, and from an on-path (Man-in-the-Middle) position use it to intercept and modify HTTPS traffic with no browser warning, because the browser only ever sees Bitdefender's re-signed certificate. All users of affected Bitdefender Total Security versions with HTTPS scanning enabled are exposed.
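The chain shape described above can be reproduced outside Bitdefender with OpenSSL. The script below is an added example, not code from the original page or from Bitdefender: it builds a hypothetical root, a legitimately issued End Entity certificate for attacker.example, and a certificate for bank.example signed with that End Entity key, then asks `openssl verify` to judge the chain. All names, hostnames, keys and certificates are constructed on the fly in a temporary directory; an `openssl` binary on the PATH is assumed.

```shell
#!/bin/sh
# Added example, not Bitdefender code: reproduce the certificate chain shape
# behind CVE-2023-49570 (a server certificate signed by an End Entity
# certificate, Basic Constraints CA:FALSE) and show how a standards-compliant
# validator treats it. Names and hosts are hypothetical; keys and certificates
# are generated in a temporary directory and removed afterwards.
# Returns 0 when the validator behaves correctly (accepts the End Entity
# certificate, rejects the chain that uses it as an issuer).
demo_ee_issuer_chain() {
  work=$(mktemp -d) || return 1
  (
    cd "$work" || exit 1

    # 1. A trusted root (CA:TRUE). Stands in for any root in the client's store.
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
                  'keyUsage=critical,keyCertSign,cRLSign' > root.ext
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Root CA' \
      -keyout root.key -out root.csr >/dev/null 2>&1 || exit 1
    openssl x509 -req -in root.csr -signkey root.key -days 2 -sha256 \
      -extfile root.ext -out root.pem >/dev/null 2>&1 || exit 1

    # 2. A legitimately issued End Entity certificate, e.g. one the attacker
    #    obtained for a domain they control. CA:FALSE says this key must never
    #    sign other certificates. Key usage is deliberately left out so that
    #    only the Basic Constraints decision is exercised below.
    printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
                  'subjectAltName=DNS:attacker.example' > ee.ext
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=attacker.example' \
      -keyout ee.key -out ee.csr >/dev/null 2>&1 || exit 1
    openssl x509 -req -in ee.csr -CA root.pem -CAkey root.key -set_serial 1001 \
      -days 2 -sha256 -extfile ee.ext -out ee.pem >/dev/null 2>&1 || exit 1

    # 3. The forgery: the End Entity key signs a certificate for the victim's
    #    site. Nothing in the signing step prevents this; only the verifier's
    #    Basic Constraints check does.
    printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
                  'subjectAltName=DNS:bank.example' > forged.ext
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=bank.example' \
      -keyout forged.key -out forged.csr >/dev/null 2>&1 || exit 1
    openssl x509 -req -in forged.csr -CA ee.pem -CAkey ee.key -set_serial 1002 \
      -days 2 -sha256 -extfile forged.ext -out forged.pem >/dev/null 2>&1 || exit 1

    # 4. Expected behaviour of a correct validator:
    #    the End Entity certificate itself chains to the root ...
    openssl verify -CAfile root.pem ee.pem >/dev/null 2>&1 || exit 2
    #    ... but a chain that uses it as an issuer must be rejected.
    if openssl verify -CAfile root.pem -untrusted ee.pem forged.pem >/dev/null 2>&1; then
      echo 'forged chain ACCEPTED: this validator has the CVE-2023-49570 flaw'
      exit 3
    fi
    echo 'forged chain rejected, as it should be:'
    openssl verify -CAfile root.pem -untrusted ee.pem forged.pem 2>&1 | sed 's/^/  /'
    exit 0
  )
  rc=$?
  rm -rf "$work"
  return "$rc"
}

demo_ee_issuer_chain
```

A correct validator stops at depth 1 with `error 24 at 1 depth lookup: invalid CA certificate`: the End Entity certificate's Basic Constraints extension says it may not issue certificates, which is exactly the check the affected Bitdefender versions skipped. Real leaf certificates from public CAs would additionally fail a key-usage check (no keyCertSign), so the example leaves key usage off the End Entity certificate to isolate the Basic Constraints decision.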

💻 Affected Systems

Products:
  • Bitdefender Total Security
Versions: prior to 27.0.30.146
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with HTTPS scanning feature enabled (enabled by default).

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers can intercept and modify all HTTPS traffic, including banking sessions, login credentials, and sensitive data transfers, leading to complete account compromise and data theft.

🟠

Likely Case

Targeted MITM attacks against specific users to steal credentials or session tokens from commonly visited websites.

🟢

If Mitigated

Limited impact if HTTPS scanning is disabled (the browser then validates server certificates itself) or if users stay off networks where an attacker could sit on the path.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Requires the attacker to be in a position to intercept network traffic (e.g., same network) and to hold a legitimately issued end-entity certificate with its private key (for example, one for a domain they control), which is then used to sign a certificate for the target site.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 27.0.30.146

Vendor Advisory: https://www.bitdefender.com/support/security-advisories/insecure-trust-of-basic-constraints-certificate-in-bitdefender-total-security-https-scanning-va-11210/

Restart Required: Yes

Instructions:

1. Open Bitdefender Total Security.
2. Click 'Update' in the main interface.
3. Allow the update to complete.
4. Restart your computer when prompted.

🔧 Temporary Workarounds

Disable HTTPS Scanning

Windows

Temporarily disable the vulnerable HTTPS scanning feature until patching is possible. With scanning off, the browser validates server certificates itself and rejects a chain issued by an End Entity certificate; the trade-off is that Bitdefender no longer inspects encrypted traffic.

Open Bitdefender → Protection → Online Threat Prevention → Disable 'Scan SSL'

🧯 If You Can't Patch

  • Disable HTTPS scanning feature in Bitdefender settings
  • Use a VPN on untrusted networks: it removes on-path attackers between the device and the VPN endpoint, but traffic still passes through the vulnerable local scanning proxy, so an attacker positioned between the VPN exit and the destination can still exploit it

🔍 How to Verify

Check if Vulnerable:

Check Bitdefender version in the application interface. If version is below 27.0.30.146 and HTTPS scanning is enabled, the system is vulnerable.

Check Version:

Not applicable - check version in Bitdefender GUI under 'About' section

Verify Fix Applied:

Verify Bitdefender version is 27.0.30.146 or higher in the application interface.

📡 Detection & Monitoring

Log Indicators:

  • Certificate validation failures in Bitdefender logs; note that a successful exploit passes the proxy's validation and leaves no failure entry, and the browser sees only Bitdefender's re-signed certificate
  • Multiple SSL/TLS connection resets

Network Indicators:

  • Server certificate chains captured on the wire whose issuing certificate carries Basic Constraints CA:FALSE (or lacks the keyCertSign key usage); a compliant validator rejects such chains, so seeing one indicates a forgery attempt
  • SSL/TLS handshake anomalies

SIEM Query:

Not applicable - primarily client-side vulnerability

🔗 References
