Backdoor in NetSarang software

Published: 2017-08-16 12:34:14 | Updated: 2017-08-16 12:35:31
Severity: Critical
Patch available: YES
Number of vulnerabilities: 1
CVSSv2: 8.7 (AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:OF/RC:C)
CVSSv3: 9.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C]
CVE ID: N/A
CWE ID: N/A
Exploitation vector: Network
Public exploit: This vulnerability is being exploited in the wild.
Vulnerable software: Xlpd, Xmanager Enterprise, Xmanager, Xshell, Xftp
Vulnerable software versions: Xlpd 5.0 Build 1220, Xmanager Enterprise 5.0 Build 1232, Xmanager 5.0 Build 1045, Xshell 5.0 Build 1322, Xftp 5.0 Build 1218
Vendor URL: NetSarang Computer
Advisory type: Public

Security Advisory

1) Backdoor

Description

The vulnerability allows a remote attacker to gain complete control over the affected system.

The weakness exists due to the presence of backdoor functionality in the nssock2.dll library. After installation, the backdoor, ShadowPad, activates itself by sending a DNS TXT request for a specific domain. After successful activation, a remote attacker can gain full access to the affected system.

The backdoor can connect to a malicious C&C server and execute commands sent by malicious actors.

The backdoor was discovered on August 4, 2017 by Kaspersky Labs researchers.

Remediation

Install the update from the vendor's website.
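
To decide which hosts to update and investigate first, the added example below (not part of the advisory or any vendor tooling) matches a software inventory against the affected builds listed above and flags hosts whose DNS logs show TXT queries for the activation domain. The two log formats, the host names and the domain `activation-domain.example` are constructed placeholders; the advisory does not name the real domain.

```python
import re

# Affected builds, exactly as listed in this advisory.
VULNERABLE = {("xlpd", "5.0", 1220), ("xmanager enterprise", "5.0", 1232),
              ("xmanager", "5.0", 1045), ("xshell", "5.0", 1322),
              ("xftp", "5.0", 1218)}
# Placeholder: the advisory does not name the activation domain.
WATCHED = ("activation-domain.example",)
INV = re.compile(r"^(\S+)\s+(.+?)\s+(\d+\.\d+)\s+Build\s+(\d+)$", re.I)

def affected_hosts(inventory):
    """Map host -> affected builds found in 'host product version Build n' lines."""
    found = {}
    for line in inventory:
        m = INV.match(line.strip())
        if m and (m[2].lower(), m[3], int(m[4])) in VULNERABLE:
            found.setdefault(m[1].lower(), []).append(f"{m[2]} {m[3]} Build {int(m[4])}")
    return found

def txt_activations(dns_log):
    """Map host -> watched names it queried with type TXT ('time host qtype qname')."""
    seen = {}
    for line in dns_log:
        parts = line.split()
        if len(parts) != 4 or parts[2].upper() != "TXT":
            continue
        qname = parts[3].rstrip(".").lower()
        # Match on a label boundary so 'notactivation-domain.example' is ignored.
        if any(qname == d or qname.endswith("." + d) for d in WATCHED):
            seen.setdefault(parts[1].lower(), []).append(qname)
    return seen

def triage(inventory, dns_log):
    """Rank hosts: a TXT activation query outranks an affected build with no query."""
    builds, queries = affected_hosts(inventory), txt_activations(dns_log)
    report = {}
    for host in sorted(set(builds) | set(queries)):
        status = "activation-seen" if host in queries else "affected-build"
        report[host] = (status, builds.get(host, []), queries.get(host, []))
    return report

# Constructed sample data (not from the advisory); Build 9999 stands for any unlisted build.
INVENTORY = ["ws-014 Xshell 5.0 Build 1322", "ws-020 Xmanager Enterprise 5.0 Build 1232",
             "ws-031 Xshell 5.0 Build 9999", "ws-044 Xftp 5.0 Build 1218"]
DNS_LOG = ["2017-07-20T10:01:02Z ws-014 TXT k3j2.activation-domain.example.",
           "2017-07-20T10:01:09Z ws-020 A www.activation-domain.example",
           "2017-07-20T10:02:11Z ws-044 TXT x.notactivation-domain.example",
           "2017-07-20T10:03:40Z ws-077 TXT q9.Activation-Domain.example"]
if __name__ == "__main__": print(triage(INVENTORY, DNS_LOG))
```

A host that appears only in the DNS results (ws-077 in the sample) is still reported, since an incomplete inventory should not hide an activation query.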

External links

https://www.netsarang.com/news/security_exploit_in_july_18_2017_build.html
https://securelist.com/shadowpad-in-corporate-networks/81432/
