CVE-2024-11128
Published: 13 January 2025
Summary
CVE-2024-11128 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Bitdefender Virus Scanner. Its CVSS base score is 8.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Dylib Hijacking (T1574.004); ranked at the 23.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-11128 is a vulnerability in the BitdefenderVirusScanner binary as used in Bitdefender Virus Scanner for macOS. The issue arises from the absence of Hardened Runtime or Library Validation signing, which allows dynamic library (DYLD) injection without being blocked by Apple Mobile File Integrity (AMFI). This affects Bitdefender Virus Scanner versions prior to 3.18 and has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), mapped to CWE-269.
A local attacker with low privileges can exploit this vulnerability with low attack complexity and no user interaction. Exploitation enables injection of arbitrary dynamic libraries into the Virus Scanner process, potentially resulting in high confidentiality, integrity, and availability impacts on the affected system.
The Bitdefender security advisory at https://www.bitdefender.com/support/security-advisories/insufficient-hardened-runtime-or-library-validation-signing-in-bitdefender-virus-scanner-for-macos/ addresses this issue, with mitigation achieved by updating to version 3.18 or later, which resolves the lack of required signing protections.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-34317
Vulnerability details
A vulnerability in the BitdefenderVirusScanner binary as used in Bitdefender Virus Scanner for MacOS may allow .dynamic library injection (DYLD injection) without being blocked by AppleMobileFileIntegrity (AMFI). This issue is caused by the absence of Hardened Runtime or Library Validation…
more
signing. This issue affects Bitdefender Virus Scanner versions before 3.18.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing Hardened Runtime/Library Validation directly enables arbitrary dylib injection (DYLD hijacking) into the target process.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires digital signing of software components, directly addressing the absence of Hardened Runtime or Library Validation signing that enables DYLD injection.
Mandates timely flaw remediation through patching, which resolves the vulnerability by updating to version 3.18 with proper signing protections.
Enforces software integrity verification including signature checks, mitigating unauthorized library injection by detecting changes to the VirusScanner binary.