Vulnerability Note VU#403768
Akeo Consulting Rufus fails to update itself securely
Original Release date: 29 Aug 2017 | Last revised: 31 Aug 2017
Akeo Consulting Rufus fails to securely check for and retrieve updates, which an allow an authenticated attacker to execute arbitrary code on a vulnerable system.
Akeo Consulting Rufus 2.16 retrieves updates over HTTP. While Rufus does attempt to perform some basic signature checking of downloaded updates, it does not ensure that the update was signed by a trusted certificate authority (CA).
This lack of CA checking allows the use of a self-signed certificate.
Because of these two weaknesses, an attacker can subvert the update process to achieve arbitrary code execution.
An attacker on the same network as, or who can otherwise affect network traffic from, a Rufus user can cause the Rufus update process to execute arbitrary code.
Apply an update
This issue is addressed in Rufus 2.17.1187. Please also consider the following workarounds:
Don’t use built-in update capabilities
Because Rufus does not include the ability to securely install updates, any Rufus updates should be obtained from https://rufus.akeo.ie/ directly, using your web browser.
Avoid untrusted networks
Avoid using untrusted networks, including public WiFi. Using your device on an untrusted network increases the chance of falling victim to a MITM attack.
Vendor Information (Learn More)
VendorStatusDate NotifiedDate UpdatedAkeo ConsultingAffected-29 Aug 2017If you are a vendor and your product is affected, let
CVSS Metrics (Learn More)
This issue was reported by Will Dormann of the CERT/CC.
This document was written by Will Dormann.
28 Aug 2017
Date First Published:
29 Aug 2017
Date Last Updated:
31 Aug 2017
FeedbackIf you have feedback, comments, or additional information about this vulnerability, please send us email.