Backdoor in NetSarang Computer products - #VU7892

Published: August 16, 2017 / Updated: November 22, 2018


Vulnerability identifier: #VU7892
CSH Severity: Critical
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red
CVE-ID: N/A
CWE-ID: CWE-798
Exploitation vector: Remote access
Exploit availability: The vulnerability is being exploited in the wild
Vendor: NetSarang Computer
Affected software:
Xlpd
Xmanager Enterprise
Xmanager
Xshell
Xftp

Detailed vulnerability description

The vulnerability allows a remote attacker to gain complete control over the affected system.

The weakness exists due to backdoor functionality, known as ShadowPad, embedded in the nssock2.dll library shipped with the affected builds. Once an affected product is installed, the backdoor beacons by sending DNS TXT queries for a specific domain; a crafted response from the attacker-controlled name server activates it. After activation, a remote attacker can gain full access to the affected system.

The activated backdoor connects to a malicious C&C server and executes commands sent by the malicious actors.
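One way to hunt for this activation channel in endpoint DNS telemetry, as an added example that is not part of the original advisory and is neither NetSarang's nor Kaspersky's code. It applies two checks to Sysmon-style DNS query records: a TXT query issued by one of the NetSarang client executables (terminal and file-transfer clients have no business resolving TXT records), and, independent of process name, any TXT query name that is re-queried at near-constant intervals. The executable names, the '|'-separated log layout, the placeholder domain under .invalid and the 8-hour spacing in the sample log are all assumptions constructed here, not figures from the advisory; the periodicity check generalizes beyond the specific client names because a backdoor module can be loaded by other processes.

```python
"""Flag the DNS TXT beaconing pattern used by the trojanized nssock2.dll.

Added example for this advisory; not NetSarang's or Kaspersky's code.
Input is a constructed, Sysmon Event ID 22 (DnsQuery) style log with
'|'-separated fields: timestamp|host|process image|query name|record type.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumption (not stated in the advisory): the NetSarang client executables
# that load nssock2.dll. None of them has a legitimate reason to resolve TXT
# records, so any TXT query from them is worth a look on its own.
NETSARANG_IMAGES = {"xshell.exe", "xftp.exe", "xmanager.exe", "xlpd.exe"}

# Constructed sample log. The query name under .invalid is a placeholder for
# the C&C domain; the 8-hour spacing is an assumption chosen to exercise the
# periodicity check, not a figure taken from the advisory.
SAMPLE_LOG = "\n".join([
    "2017-08-10T00:00:03Z|ws-17|C:\\Program Files\\NetSarang\\Xshell 5\\Xshell.exe|jump.corp.example|A",
    "2017-08-10T00:00:05Z|ws-17|C:\\Program Files\\NetSarang\\Xshell 5\\Xshell.exe|a1b2c3.c2.example.invalid|TXT",
    "2017-08-10T00:15:00Z|ws-17|C:\\Program Files\\Mozilla Firefox\\firefox.exe|www.example.org|A",
    "2017-08-10T08:00:06Z|ws-17|C:\\Program Files\\NetSarang\\Xshell 5\\Xshell.exe|a1b2c3.c2.example.invalid|TXT",
    "2017-08-10T09:30:00Z|ws-22|C:\\Windows\\System32\\svchost.exe|_dmarc.example.org|TXT",
    "2017-08-10T16:00:04Z|ws-17|C:\\Program Files\\NetSarang\\Xshell 5\\Xshell.exe|a1b2c3.c2.example.invalid|TXT",
])


def parse_line(line):
    """Parse one log line into a record dict, or return None if malformed."""
    parts = line.strip().split("|")
    if len(parts) != 5:
        return None
    ts, host, image, query, qtype = parts
    try:
        stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return {
        "ts": stamp,
        "host": host,
        "image": image.rsplit("\\", 1)[-1].lower(),  # keep the file name only
        "query": query.rstrip(".").lower(),
        "qtype": qtype.upper(),
    }


def detect(lines, min_beacons=3, max_jitter=0.1):
    """Return a list of findings: TXT queries from NetSarang clients, and
    TXT query names re-queried periodically by any process.

    max_jitter is the allowed coefficient of variation (stdev / mean) of the
    gaps between successive queries; a timer-driven beacon sits near zero.
    """
    findings = []
    flagged = set()
    txt_times = defaultdict(list)  # (host, image, query) -> timestamps

    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["qtype"] != "TXT":
            continue  # only the TXT channel is of interest here
        key = (rec["host"], rec["image"], rec["query"])
        txt_times[key].append(rec["ts"])
        if rec["image"] in NETSARANG_IMAGES and key not in flagged:
            flagged.add(key)
            findings.append({"rule": "txt_from_netsarang_client",
                             "host": key[0], "image": key[1],
                             "query": key[2], "interval_s": None})

    for (host, image, query), stamps in txt_times.items():
        if len(stamps) < min_beacons:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings.append({"rule": "periodic_txt_beacon",
                             "host": host, "image": image,
                             "query": query, "interval_s": avg})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG.splitlines()):
        print(finding)
```

On the sample log the Xshell.exe host is reported twice: once because the client issued a TXT query at all, and once because that query recurs at roughly 28800-second intervals. The single svchost.exe TXT lookup for a DMARC record is left alone, which is the point of requiring several evenly spaced repeats before calling something a beacon.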

The backdoor was identified by Kaspersky Lab researchers, who notified the vendor; NetSarang released clean builds on August 4, 2017.

Remediation

Install the updated builds from the vendor's website. Note that the trojanized nssock2.dll carried a valid NetSarang code-signing signature, so a valid signature alone does not prove an installed build is clean; compare the installed build number against the vendor's advisory and monitor for DNS TXT queries originating from these clients.
