Bypass Record

Exploitation for Priv-Esc × Bitdefender Endpoint Security for Linux 7.0.5.200089

A publicly-reported instance of Exploitation for Priv-Esc bypassing Bitdefender Endpoint Security for Linux 7.0.5.200089, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Bitdefender Endpoint Security for Linux 7.0.5.200089
Technique: Exploitation for Priv-Esc
MITRE ATT&CK: T1068
Confidence: High
Severity: Critical
Status: unknown
Disclosed: 2024-04-09
Config / version noted: Not stated

Provenance

Reported as

CVE-2024-2224 is a critical path traversal vulnerability in the UpdateServer component of Bitdefender GravityZone. It allows remote unauthenticated attackers to execute arbitrary code on affected endpoint security products.

Mechanism

Attackers send crafted HTTP requests containing path traversal sequences (e.g., '../') to the UpdateServer API. These sequences bypass the component's directory restrictions, allowing an attacker to write executable files to arbitrary locations (e.g., startup folders), which leads to code execution with the privileges of the UpdateServer process.

Detection & mitigation

Monitor web server logs for HTTP requests to the UpdateServer API containing path traversal sequences (e.g., '../', '%2e%2e/'), and watch for unexpected file writes in sensitive directories such as startup folders. Apply the vendor patch immediately and restrict network access to the UpdateServer component to trusted management systems only.
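As an added example (not drawn from the cited source), the following Python scans constructed access-log lines for the traversal patterns described above, percent-decoding repeatedly so both plain and double-encoded variants are caught, and reports whether the resolved path escapes the expected API prefix. The "/update/" prefix and the log lines are constructed placeholders; the record does not state the real UpdateServer endpoint.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Constructed access-log lines in common log format (not from the page or any real host);
# "/update/" stands in for the UpdateServer API prefix, which the record does not state.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Apr/2024:10:00:01 +0000] "GET /update/packages/latest.xml HTTP/1.1" 200 512
10.0.0.7 - - [09/Apr/2024:10:00:02 +0000] "PUT /update/../../../tmp/dropped.sh HTTP/1.1" 201 0
10.0.0.7 - - [09/Apr/2024:10:00:03 +0000] "PUT /update/%2e%2e/%2e%2e/tmp/x.sh HTTP/1.1" 201 0
10.0.0.8 - - [09/Apr/2024:10:00:04 +0000] "PUT /update/%252e%252e/%252e%252e/tmp/y.sh HTTP/1.1" 404 0
10.0.0.9 - - [09/Apr/2024:10:00:05 +0000] "GET /update/packages/..%5c..%5cwin.ini HTTP/1.1" 404 0
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})')

def decode_fully(path, max_rounds=3):
    """Percent-decode until the value is stable so double-encoded sequences (%252e) are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def analyze_request(path, api_prefix="/update/"):
    """Return None for a clean path, otherwise a finding describing the traversal attempt."""
    decoded = decode_fully(path)
    unified = decoded.replace("\\", "/")  # treat "..%5c" (backslash) variants as separators
    if ".." not in [seg for seg in unified.split("/") if seg]:
        return None
    resolved = normpath(unified)  # collapse the ".." segments to see where the path really lands
    return {
        "decoded": unified,
        "resolved": resolved,
        "escapes_prefix": not resolved.startswith(api_prefix),
        "double_encoded": unquote(path) != decoded,
    }

def scan_log(text, api_prefix="/update/"):
    """Run analyze_request over every parseable log line and collect the findings."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        finding = analyze_request(m["path"], api_prefix) if m else None
        if finding:
            finding.update(ip=m["ip"], method=m["method"], status=int(m["status"]))
            findings.append(finding)
    return findings
```

A request whose ".." segments stay under the prefix is still reported, but with escapes_prefix set to False, so the two cases can be triaged differently.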


This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.