October 2024 - Bitdefender Vulnerabilities
CVE-2023-49570: Insecure HTTPS Scanning in Bitdefender Total Security
A vulnerability was discovered in the HTTPS scanning function of Bitdefender Total Security that causes it to trust certificates issued by unauthorized certificate authorities. Specifically, the software trusts a certificate even when its issuer is marked as an "End Entity" in the "Basic Constraints" extension, i.e. a certificate that is not permitted to act as a CA. This could allow an attacker to conduct a Man-in-the-Middle (MITM) attack, intercepting and altering communication between the user and the website.
- Release Date: October 18, 2024
- CVSS Score: 7.4 HIGH
- Impact: Insecure certificate validation, potentially compromising user data.
CVE-2023-6058: Security Vulnerability in HTTPS Connections in Bitdefender Safepay
A security vulnerability was identified in how Bitdefender Safepay handles HTTPS connections. When the software blocks a connection because the server certificate is untrusted, it lets the user add the site to an exceptions list. Because sites on that list are treated as trusted in all subsequent HTTPS scans, an attacker could exploit this feature to perform a MITM attack using a self-signed certificate.
- Release Date: October 18, 2024
- CVSS Score: 6.8 MEDIUM
- Impact: Exception list feature, risking sensitive communications being intercepted.
CVE-2023-6057: Insecure Trust in DSA Certificates in Bitdefender Total Security
A vulnerability was found in the HTTPS scanning function of Bitdefender Total Security, which insecurely trusts certificates signed with the DSA algorithm. Because of improper certificate chain validation, an attacker could use a DSA-signed certificate to set up MITM SSL connections to arbitrary sites.
- Release Date: October 18, 2024
- CVSS Score: 7.4 HIGH
- Impact: Incorrect certificate validation, compromising secure connections.
CVE-2023-6056: Trust Vulnerability in Self-Signed Certificates in Bitdefender Total Security
Bitdefender Total Security trusts certificates signed using the RIPEMD-160 hash algorithm without proper validation. This allows an attacker to establish MITM SSL connections to arbitrary sites using a self-signed certificate.
- Release Date: October 18, 2024
- CVSS Score: 7.4 HIGH
- Impact: Trust in self-signed certificates, significantly weakening connection security.
CVE-2023-6055: Server Authentication Vulnerability in Bitdefender Total Security
The HTTPS scanning function of Bitdefender Total Security does not verify certificates correctly. Specifically, if a site certificate does not include the "Server Authentication" attribute, the software may accept it without validation. This flaw allows an attacker to intercept communication between the user and the website, enabling MITM attacks.
- Release Date: October 18, 2024
- CVSS Score: 7.4 HIGH
- Impact: Lack of validation, potentially allowing user data manipulation.
CVE-2023-49567: Insecure Trust in MD5 and SHA1 Certificates in Bitdefender Total Security
Bitdefender Total Security trusts certificates signed with the collision-prone MD5 and SHA1 hash functions. This could enable an attacker to create forged certificates and set up MITM SSL connections; because the software trusts these certificates, users would see an apparently secure connection to a fraudulent site.
- Release Date: October 18, 2024
- CVSS Score: 6.8 MEDIUM
- Impact: Trust in weak hashing algorithms, potentially redirecting users to fraudulent sites.
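The Total Security advisories above all describe checks that a TLS-intercepting scanner must perform before re-signing a site's certificate for the user. The following is an added example, not Bitdefender's code, written against Go's standard crypto/x509 types: it audits a parsed chain for each of those missing checks (weak or DSA signature algorithms, an end-entity certificate used as an issuer, and a leaf without the Server Authentication key usage). The sample chain in main is constructed for illustration.

```go
package main

import (
	"crypto/x509"
	"fmt"
)

// Reject signatures with MD5/SHA-1 (CVE-2023-49567) or DSA (CVE-2023-6057). RIPEMD-160
// (CVE-2023-6056) has no crypto/x509 enum, so it parses as UnknownSignatureAlgorithm.
var weakSigAlgs = map[x509.SignatureAlgorithm]string{
	x509.UnknownSignatureAlgorithm: "an unrecognised algorithm",
	x509.MD5WithRSA:                "MD5",
	x509.SHA1WithRSA:               "SHA-1",
	x509.ECDSAWithSHA1:             "SHA-1",
	x509.DSAWithSHA1:               "DSA",
	x509.DSAWithSHA256:             "DSA",
}

// AuditChain checks a leaf-first chain ending in the trust anchor against the rules the
// advisories above say were missing; the anchor's self-signature is skipped, as usual.
func AuditChain(chain []*x509.Certificate) []string {
	if len(chain) == 0 {
		return []string{"empty chain"}
	}
	var findings []string
	for i, c := range chain {
		if name, weak := weakSigAlgs[c.SignatureAlgorithm]; weak && i < len(chain)-1 {
			findings = append(findings, fmt.Sprintf("cert[%d]: signed with %s", i, name))
		}
		// CVE-2023-49570: only a certificate with Basic Constraints CA:TRUE may issue.
		if i > 0 && !(c.BasicConstraintsValid && c.IsCA) {
			findings = append(findings, fmt.Sprintf("cert[%d]: issuer is not a CA", i))
		}
	}
	// CVE-2023-6055: the leaf must carry the Server Authentication EKU.
	serverAuth := false
	for _, eku := range chain[0].ExtKeyUsage {
		serverAuth = serverAuth || eku == x509.ExtKeyUsageServerAuth || eku == x509.ExtKeyUsageAny
	}
	if !serverAuth {
		findings = append(findings, "cert[0]: no Server Authentication extended key usage")
	}
	return findings
}

func main() { // constructed sample: SHA-1 leaf issued by an end-entity certificate
	leaf := &x509.Certificate{SignatureAlgorithm: x509.SHA1WithRSA}
	fmt.Println(AuditChain([]*x509.Certificate{leaf, &x509.Certificate{}}))
}
```

In a real scanner the chain would come from x509.ParseCertificate on the server's handshake messages, and any finding should cause the connection to be blocked rather than re-signed.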