Backdoor in NetSarang software



Published: 2017-08-16
Risk Critical
Patch available YES
Number of vulnerabilities 1
CVE-ID N/A
CWE-ID CWE-798
Exploitation vector Network
Public exploit This vulnerability is being exploited in the wild.
Vulnerable software
Subscribe
Xlpd
Client/Desktop applications / Office applications

Xmanager Enterprise
Server applications / Remote management servers, RDP, SSH

Xmanager
Server applications / Remote management servers, RDP, SSH

Xshell
Server applications / Remote management servers, RDP, SSH

Xftp
Client/Desktop applications / File managers, FTP clients

Vendor NetSarang Computer

Security Bulletin

This security bulletin contains one critical risk vulnerability.

1) Backdoor

EUVDB-ID: #VU7892

Risk: Critical

CVSSv3.1: 9.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-798 - Use of Hard-coded Credentials

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain complete control over affected system.

The weakness exists due to presence of backdoor functionality in the nssock2.dll library. After installation, the backdoor ShadowPad activates itself by sending a DNS TXT request for a specific domain. After successful activation, a remote attacker can gain full access to the affected system.

The backdoor has the ability to connect to a malicious C&C server and executed commands, sent by malicious actors.

The backdoor was discovered on August 4, 2017 by Kaspersky Labs researchers.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Xlpd: 5.0 Build 1220

Xmanager Enterprise: 5.0 Build 1232

Xmanager: 5.0 Build 1045

Xshell: 5.0 Build 1322

Xftp: 5.0 Build 1218

External links

http://www.netsarang.com/news/security_exploit_in_july_18_2017_build.html
http://securelist.com/shadowpad-in-corporate-networks/81432/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website or open a file.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.



###SIDEBAR###