Vulnerability Note VU#403768
Akeo Consulting Rufus fails to update itself securely
Original Release date: 29 Aug 2017 | Last revised: 31 Aug 2017

Overview
Akeo Consulting Rufus fails to securely check for and retrieve updates, which an allow an authenticated attacker to execute arbitrary code on a vulnerable system.

Description
Akeo Consulting Rufus 2.16 retrieves updates over HTTP. While Rufus does attempt to perform some basic signature checking of downloaded updates, it does not ensure that the update was signed by a trusted certificate authority (CA).

This lack of CA checking allows the use of a self-signed certificate.

Because of these two weaknesses, an attacker can subvert the update process to achieve arbitrary code execution.

Impact
An attacker on the same network as, or who can otherwise affect network traffic from, a Rufus user can cause the Rufus update process to execute arbitrary code.

Solution
Apply an update
This issue is addressed in Rufus 2.17.1187. Please also consider the following workarounds:
Don’t use built-in update capabilities

Because Rufus does not include the ability to securely install updates, any Rufus updates should be obtained from https://rufus.akeo.ie/ directly, using your web browser.

Avoid untrusted networks

Avoid using untrusted networks, including public WiFi. Using your device on an untrusted network increases the chance of falling victim to a MITM attack.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate UpdatedAkeo ConsultingAffected-29 Aug 2017If you are a vendor and your product is affected, let
us know.

CVSS Metrics (Learn More)

Group
Score
Vector

Base
5.8
AV:A/AC:L/Au:N/C:P/I:P/A:P

Temporal
5.2
E:F/RL:W/RC:C

Environmental
1.3
CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

References

https://insights.sei.cmu.edu/cert/2017/06/the-consequences-of-insecure-software-updates.html

https://rufus.akeo.ie/
https://github.com/pbatard/rufus/issues/1009
https://github.com/pbatard/rufus/commit/c3c39f7f8a11f612c4ebf7affce25ec6928eb1cb

Credit

This issue was reported by Will Dormann of the CERT/CC.
This document was written by Will Dormann.

Other Information

CVE IDs:
CVE-2017-13083

Date Public:
28 Aug 2017

Date First Published:
29 Aug 2017

Date Last Updated:
31 Aug 2017

Document Revision:
20

FeedbackIf you have feedback, comments, or additional information about this vulnerability, please send us email.

Leave a Reply