CVE-2017-6186

moderate-risk
Published 2017-03-21

Code injection vulnerability in Bitdefender Total Security 12.0 (and earlier), Internet Security 12.0 (and earlier), and Antivirus Plus 12.0 (and earlier) allows a local attacker to bypass a self-protection mechanism, inject arbitrary code, and take full control of any Bitdefender process via a "DoubleAgent" attack. One perspective on this issue is that (1) these products do not use the Protected Processes feature, and therefore an attacker can enter an arbitrary Application Verifier Provider DLL under Image File Execution Options in the registry; (2) the self-protection mechanism is intended to block all local processes (regardless of privileges) from modifying Image File Execution Options for these products; and (3) this mechanism can be bypassed by an attacker who temporarily renames Image File Execution Options during the attack.

Do I need to act?

-
0.14% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.7/10 Medium
LOCAL / LOW complexity

Affected Products (3)

Antivirus Plus
Internet Security

Affected Vendors

Bitdefender

References (6)

Third Party Advisory http://cybellum.com/doubleagent-taking-full-control-antivirus/
Technical Description http://cybellum.com/doubleagentzero-day-code-injection-and-persistence-technique...
Third Party Advisory http://www.securityfocus.com/bid/97024
Third Party Advisory http://cybellum.com/doubleagent-taking-full-control-antivirus/
Technical Description http://cybellum.com/doubleagentzero-day-code-injection-and-persistence-technique...
Third Party Advisory http://www.securityfocus.com/bid/97024
31
/ 100
moderate-risk
Severity 21/34 · High
Exploitability 1/34 · Minimal
Exposure 9/34 · Low