CVE-2023-6154 ‒ Local Privilege Escalation in Bitdefender Total Security

Authored by:
Metrics: cve.org

Description

Bitdefender Total Security is a security product that protects endpoints from malware and detects attacks. The fixed vulnerability enabled attackers with existing access to a system to elevate their privileges to SYSTEM.

Vulnerability

The vulnerability abused a trust relationship between frontend processes running in the context of an unprivileged user and privileged backend processes running as SYSTEM.

It was possible to abuse COM hijacking to inject a DLL into the frontend process of Bitdefender Total Security. More specifically, this was possible by hijacking the interface with the GUID {9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}, which originally loads the dataexchange.dll file.

The frontend process has a trust relationship with the backend processes of Bitdefender Total Security, which run as SYSTEM. One command that could be issued by the frontend allowed attackers to write to the registry. Attackers could issue this command to write data to the registry using the DLL they injected via COM hijacking.

Attackers could potentially use this primitive to overwrite a service’s application path and gain SYSTEM privileges.
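
A defender-side check for the COM hijack described above, as an added example that is not part of the original advisory or the vendor's code: it scans registry-write events for registrations of the advisory's CLSID in a user-writable hive. It assumes the hijack takes the usual form of a per-user class registration and that events arrive as records with Sysmon Event ID 13 style fields (TargetObject, Details, Image); the function name and the sample events are constructed for illustration.

```python
import re

# CLSID named in the advisory; it normally resolves to dataexchange.dll.
TARGET_CLSID = "{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}"

# Assumption: the hijack is a per-user class registration. Such keys appear as
# HKU\<SID>_Classes\..., HKU\<SID>\Software\Classes\... or HKCU\Software\Classes\...
PER_USER_CLSID = re.compile(
    r"^(?:(?:HKU|HKEY_USERS)\\(?P<sid>S-1-5-21-[\d-]+)(?:_Classes|\\Software\\Classes)"
    r"|(?:HKCU|HKEY_CURRENT_USER)\\Software\\Classes)"
    r"\\CLSID\\(?P<clsid>\{[0-9A-F-]{36}\})"
    r"\\(?P<server>InprocServer32|LocalServer32)(?:\\.*)?$",
    re.IGNORECASE,
)


def find_per_user_overrides(events, clsid=TARGET_CLSID):
    """Return registry writes that register `clsid` in a user-writable hive."""
    findings = []
    for ev in events:
        m = PER_USER_CLSID.match(ev.get("TargetObject", ""))
        if m is None or m.group("clsid").upper() != clsid.upper():
            continue  # machine-wide key, other CLSID, or unrelated path
        findings.append({
            "sid": m.group("sid"),            # None for the HKCU form
            "server_key": m.group("server"),
            "value": ev.get("Details", ""),   # data written to the key
            "writer": ev.get("Image", ""),    # process that made the write
        })
    return findings


# Constructed sample events; SID, paths and writer process are made up.
SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
CLSID_KEY = r"\CLSID\{9fc8e510-a27c-4b3b-b9a3-bf65f00256a8}\InprocServer32"
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "TargetObject": "HKU\\" + SID + "_Classes" + CLSID_KEY + r"\(Default)",
     "Details": r"C:\Users\Public\example.dll"},
    {"Image": r"C:\Windows\System32\msiexec.exe",   # machine-wide: not flagged
     "TargetObject": r"HKLM\SOFTWARE\Classes" + CLSID_KEY + r"\(Default)",
     "Details": r"<install-dir>\dataexchange.dll"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",  # other CLSID
     "TargetObject": "HKU\\" + SID + r"\Software\Classes\CLSID"
                     r"\{00000000-0000-0000-0000-000000000001}\InprocServer32",
     "Details": r"C:\Users\Public\other.dll"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "TargetObject": "HKU\\" + SID + r"\Software\Classes" + CLSID_KEY + r"\ThreadingModel",
     "Details": "Both"},
]
```

A hit is a lead to review, not proof of compromise; compare the written path against the dataexchange.dll location that the machine-wide registration points to.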

Mitigations

Install a current version of Bitdefender Total Security. This vulnerability was fixed in version 27.0.25.115.

Timeline

Date        Action
19.10.2023  Vendor was contacted and informed about the vulnerability
19.10.2023  Initial response from vendor
15.11.2023  Vendor informs us that a fix is available for testing
01.04.2024  Vendor released advisory
