Bitdefender BOX 2 versions 18.104.22.168 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) Vulnerability
A command injection vulnerability has been discovered in the bootstrap stage of Bitdefender BOX 2, versions 22.214.171.124 and 126.96.36.199.
The information has been provided by Claudio Bozzato.
The original article can be found at: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0919
The API method `/api/download_image` unsafely handles the production firmware URL supplied by remote servers, leading to arbitrary execution of system commands. To exploit the condition, an unauthenticated attacker would need to impersonate an infrastructure server in order to trigger this vulnerability.
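The pattern behind this class of bug, and its hardened counterpart, as an added example that is not Bitdefender's code and not taken from the advisory: a server-supplied firmware URL spliced into a shell command line next to a version that validates the URL against policy and hands it to the downloader as a single argv element, so no shell ever parses it. The allowlisted host, the `wget` invocation and the output path are assumptions for illustration.

```python
import re
import subprocess
from urllib.parse import urlparse

# Assumed allowlist of update servers for this example; the advisory names no hosts.
ALLOWED_HOSTS = {"updates.example.invalid"}
# Characters permitted by the RFC 3986 URL grammar; anything else (spaces, backticks,
# control characters) is rejected before the URL goes anywhere.
SAFE_URL_RE = re.compile(r"[A-Za-z0-9._~:/?#@!$&'()*+,;=%\-\[\]]+")


def build_command_unsafe(url: str) -> str:
    """The flaw's pattern: a remotely supplied URL is spliced verbatim into a shell string.

    Whatever the remote side appends to the URL becomes part of the command line.
    """
    return f"wget -O /tmp/firmware.img {url}"


def validate_firmware_url(url: str) -> str:
    """Policy checks on the URL: https only, allowlisted host, URL-grammar characters only."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        raise ValueError("firmware URL must use https")
    if parsed.hostname not in ALLOWED_HOSTS:
        raise ValueError("firmware URL host is not an allowlisted update server")
    if not SAFE_URL_RE.fullmatch(url):
        raise ValueError("firmware URL contains characters outside the URL grammar")
    return url


def build_command_safe(url: str) -> list[str]:
    """Hardened form: the validated URL is exactly one argv element.

    Because the list is executed without a shell, metacharacters that survive
    validation (';' is legal in a URL) are delivered to wget as data, not parsed.
    """
    return ["wget", "-O", "/tmp/firmware.img", validate_firmware_url(url)]


def download_firmware(url: str, run=subprocess.run) -> int:
    """Run the hardened command; `run` is injectable so the example can be exercised offline."""
    completed = run(build_command_safe(url), shell=False, check=False)
    return completed.returncode
```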
Bitdefender BOX 2 versions 188.8.131.52
Bitdefender BOX 2 versions 184.108.40.206