Akeo Consulting Rufus bug allows remote code execution

The US Computer Emergency Response Team (CERT) has issued an advisory for a vulnerability in Akeo Consulting Rufus software that could allow an authenticated attacker to execute arbitrary code.

According to the Aug. 29 advisory, the vulnerability stems from the software failing to update itself securely: Rufus does not attempt to perform some basic signature checking of downloaded updates.

The software also retrieves its data over HTTP and does not ensure that the update was signed by a trusted certificate authority (CA). As a result, an update signed with a self-signed certificate could be accepted, which would allow the arbitrary code execution.

To carry out the attack, the threat actor would need to be on the same network as a Rufus user or otherwise be in a position to affect network traffic.

Officials are currently unaware of a practical solution to the problem and advise users not to use the built-in update capabilities and to avoid untrusted networks.
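For users who skip the built-in updater and download a new build by hand, the check the advisory describes as missing can be run before launching the file. The PowerShell below is an added example, not code from Rufus or the advisory; the function name `Test-UpdateSignature`, the file path and the publisher string are assumptions to replace with your own values.

```powershell
# Added example: reject a downloaded executable unless its Authenticode
# signature chains to a trusted root, is not self-signed, and names the
# publisher you expect. Function name and sample values are hypothetical.
function Test-UpdateSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedPublisher
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    $sig     = Get-AuthenticodeSignature -LiteralPath $Path
    $cert    = $sig.SignerCertificate
    $signer  = $null
    $reasons = @()

    # 'Valid' means the file hash matches and the chain ends in a trusted root.
    if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
        $reasons += "signature status is $($sig.Status): $($sig.StatusMessage)"
    }

    if ($null -eq $cert) {
        $reasons += 'no signer certificate present'
    } else {
        # A self-signed certificate that was added to the local trust store
        # would still report 'Valid', so test for it explicitly.
        if ($cert.Subject -eq $cert.Issuer) {
            $reasons += 'signer certificate is self-signed'
        }
        $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
        $signer   = $cert.GetNameInfo($nameType, $false)
        if ($signer -ne $ExpectedPublisher) {
            $reasons += "signer '$signer' does not match expected '$ExpectedPublisher'"
        }
    }

    [pscustomobject]@{
        Path    = $Path
        Signer  = $signer
        Trusted = ($reasons.Count -eq 0)
        Reasons = $reasons
    }
}

# Constructed sample values: substitute the real download path and publisher.
Test-UpdateSignature -Path 'C:\Downloads\rufus-update.exe' -ExpectedPublisher 'Example Publisher'
```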
