The US Computer Emergency Response Team (CERT) has issued an advisory for a vulnerability in Akeo Consulting's Rufus software that could allow an authenticated attacker to execute arbitrary code.
The vulnerability stems from the software failing to update itself securely: Rufus does not attempt even basic signature checking of downloaded updates, according to the Aug. 29 advisory.
The software also retrieves its update data over HTTP and does not ensure that the update was signed by a trusted certificate authority (CA), so a self-signed certificate would be accepted, which is what permits the arbitrary code execution.
To carry out the attack, the threat actor would need to be on the same network as a Rufus user or otherwise be in a position to affect network traffic.
Officials are currently unaware of a practical solution to the problem and advise users not to use the built-in update capabilities and to avoid untrusted networks.
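As an added illustration (not code from the advisory or from Rufus), the following Go program contrasts the pattern the advisory describes, running a downloaded update without any checks, with a verifier that refuses plaintext HTTP and accepts only updates signed by a vendor key pinned at build time, so that a signature from an unrelated key (the equivalent of a self-signed certificate) is rejected. The update URL, key names and payload bytes are constructed stand-ins.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Update is what the client receives: release bytes plus a detached signature (constructed here).
type Update struct {
	Payload   []byte
	Signature []byte
}

// installUnverified is the weak pattern: run whatever arrived, with no checks at all.
func installUnverified(u Update) []byte { return u.Payload }

// installVerified is the hardened pattern: refuse plaintext transport and require a signature
// by the vendor key pinned at build time; that key, not the server's certificate, decides trust.
func installVerified(source string, u Update, pinned ed25519.PublicKey) ([]byte, error) {
	if !strings.HasPrefix(source, "https://") {
		return nil, errors.New("refusing to fetch an update over plaintext HTTP")
	}
	if !ed25519.Verify(pinned, u.Payload, u.Signature) {
		return nil, errors.New("signature does not verify against the pinned vendor key")
	}
	return u.Payload, nil
}

// scenario signs a constructed release with the vendor key, then a substituted payload with an
// unrelated key (the analogue of a self-signed certificate), and reports how each path treats them.
func scenario() (unverifiedRunsSubstituted, verifiedAcceptsGenuine, verifiedAcceptsSubstituted bool) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := []byte("constructed stand-in for a genuine release binary")
	substituted := []byte("constructed stand-in for a substituted release binary")
	genuineUpd := Update{genuine, ed25519.Sign(vendorPriv, genuine)}
	substitutedUpd := Update{substituted, ed25519.Sign(roguePriv, substituted)}
	const src = "https://updates.example.invalid/release" // hypothetical update URL
	unverifiedRunsSubstituted = string(installUnverified(substitutedUpd)) == string(substituted)
	got, err := installVerified(src, genuineUpd, vendorPub)
	verifiedAcceptsGenuine = err == nil && string(got) == string(genuine)
	_, err = installVerified(src, substitutedUpd, vendorPub)
	verifiedAcceptsSubstituted = err == nil
	return
}

func main() { fmt.Println(scenario()) } // true true false
```

The pinned-key check is the part the advisory says is missing; transport security alone would not help, since a server presenting any certificate the client happens to accept can still deliver unsigned bytes.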