
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2021-3485 is an Improper Input Validation vulnerability discovered in the Product Update feature of Bitdefender Endpoint Security Tools for Linux. The vulnerability was identified on April 7, 2021, and publicly disclosed on May 24, 2021. It affects Bitdefender Endpoint Security Tools for Linux versions prior to 6.2.21.155 (Bitdefender Advisory).
The flaw is in the DownloadFile function of the product-update bash script, which fetches updates with wget. Two weaknesses combine: the update URL uses plain HTTP rather than HTTPS, and the wget invocation passes --no-check-certificate, so even an HTTPS download would accept any certificate presented to it. The script therefore has no way to tell a genuine update server from an attacker on the network path. The vulnerability has been assigned a CVSS v3.1 base score of 6.4 (Medium) with the vector string CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H (HeroLab Advisory, Bitdefender Advisory).
An attacker positioned to intercept the update traffic (a man-in-the-middle; the CVSS vector rates the attack vector as Adjacent) can serve a substituted update and achieve remote code execution with root privileges on the affected system (HeroLab Advisory).
The vulnerability is fixed in Bitdefender Endpoint Security Tools for Linux version 6.2.21.155, which the product's automatic update delivers; administrators should confirm that installed agents report 6.2.21.155 or later. The advisories recommend implementing industry-proven schemes for software updates: downloading over an authenticated secure channel (TLS with certificate validation left enabled) and signing update binaries with the manufacturer's private key so that a tampered update is rejected even if the transport is compromised (Bitdefender Advisory, HeroLab Advisory).
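The following is an added example, not Bitdefender's product-update script: it puts the weak download pattern the advisories describe (plain-HTTP URL, wget --no-check-certificate) next to a hardened equivalent that enforces an https:// URL on the expected host, leaves wget's certificate validation on, refuses redirects, and only installs the file once its SHA-256 digest matches the value from a vendor-signed manifest. The function names, the allowed host download.example.test and the manifest digest are assumptions for illustration; verifying the manifest's signature with the vendor's public key is mentioned in a comment but not implemented here.

```shell
#!/usr/bin/env bash
# Added example, not Bitdefender's product-update script. Function names,
# the allowed host and the manifest digest are assumptions for illustration.
set -eu

# Weak pattern (CVE-2021-3485 as described): the update URL is plain HTTP and
# wget runs with --no-check-certificate, so even an https:// URL would accept
# any certificate. Whoever sits on the network path supplies the bytes that
# are later executed as root.
weak_download_file() {
    local url="$1" dest="$2"
    wget --no-check-certificate -q -O "$dest" "$url"
}

# Policy check for the hardened path: accept only https:// URLs on the
# vendor's expected update host. Returns 0 when the URL passes, 1 otherwise.
check_update_url() {
    local url="$1" allowed_host="$2"
    case "$url" in
        https://"$allowed_host"/*) return 0 ;;
        *) echo "refusing update URL: $url" >&2; return 1 ;;
    esac
}

# Compare a downloaded file against the SHA-256 digest taken from a
# vendor-signed manifest. The manifest's signature would be checked with the
# vendor's public key before any digest in it is trusted (for example:
# openssl dgst -sha256 -verify vendor.pub -signature manifest.sig manifest);
# that step is outside this example. Returns 0 on match, 1 on mismatch.
verify_sha256() {
    local file="$1" expected="$2"
    local actual
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# Hardened download: URL policy enforced first, certificate validation left
# at wget's default (no --no-check-certificate), redirects refused so the
# server cannot bounce the client to http://, and the file only moved into
# place once its digest matches. Returns non-zero on any failure.
hardened_download_file() {
    local url="$1" dest="$2" expected_sha256="$3" allowed_host="$4"
    check_update_url "$url" "$allowed_host" || return 1
    local tmp
    tmp=$(mktemp "${dest}.XXXXXX")
    if ! wget -q --max-redirect=0 -O "$tmp" "$url"; then
        echo "download failed: $url" >&2
        rm -f "$tmp"
        return 1
    fi
    if ! verify_sha256 "$tmp" "$expected_sha256"; then
        echo "digest mismatch for $url, discarding download" >&2
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$dest"
}

# Usage (assumed host, path and digest):
# hardened_download_file \
#   "https://download.example.test/linux/product-update.tar.gz" \
#   /var/tmp/product-update.tar.gz \
#   "<sha256 copied from the verified manifest>" download.example.test
```

The digest check is what turns "encrypted transport" into "authenticated update": TLS with validation stops the on-path substitution the advisory describes, while the manifest digest (backed by the vendor's signature on the manifest) catches a malicious file served from a compromised or misconfigured mirror that TLS alone would accept.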
Source: This report was generated using AI