#VU7892 Backdoor in NetSarang Computer Client/Desktop applications


Published: 2017-08-16 | Updated: 2018-11-22

Vulnerability identifier: #VU7892

Vulnerability risk: Critical

CVSSv3.1: 9.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C]

CVE-ID: N/A

CWE-ID: CWE-798

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Xlpd
Client/Desktop applications / Office applications
Xmanager Enterprise
Server applications / Remote management servers, RDP, SSH
Xmanager
Server applications / Remote management servers, RDP, SSH
Xshell
Server applications / Remote management servers, RDP, SSH
Xftp
Client/Desktop applications / File managers, FTP clients

Vendor: NetSarang Computer

Description
The vulnerability allows a remote attacker to gain complete control over the affected system.

The weakness exists due to the presence of backdoor functionality in the nssock2.dll library. After installation, the ShadowPad backdoor activates itself by sending a DNS TXT request for a specific domain. After successful activation, a remote attacker can gain full access to the affected system.

The backdoor has the ability to connect to a malicious C&C server and execute commands sent by malicious actors.

The backdoor was discovered on August 4, 2017 by Kaspersky Labs researchers.
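Because the activation step described above is a DNS TXT query from a host that normally has no reason to issue one, resolver logs are a practical place to look for it. The following detection script is an added example and is not part of the advisory or of any vendor tooling; the log format, host names, allowlists and the domain in the sample lines are all constructed for illustration, since the advisory does not name the domain.

```python
import re
from collections import defaultdict

# Constructed sample resolver log (not from the advisory): timestamp, client
# host, query type, queried name. Workstations running the affected NetSarang
# clients rarely need TXT records, so TXT lookups from them are the signal.
SAMPLE_DNS_LOG = """\
2017-08-05T09:12:01 ws-dev-07 A www.example.com
2017-08-05T09:12:03 mail-gw-01 TXT example.com
2017-08-05T09:13:44 ws-dev-07 TXT nsl.placeholder-c2.example
2017-08-05T09:14:10 ws-dev-07 TXT nsl.placeholder-c2.example
2017-08-05T09:15:02 ws-ops-02 AAAA intranet.example.com
2017-08-05T09:16:30 ws-ops-02 TXT _dmarc.example.com
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

# Hosts expected to issue TXT queries (mail gateways doing SPF/DKIM/DMARC checks).
TXT_ALLOWED_HOSTS = {"mail-gw-01"}
# Names whose TXT records any host may legitimately consult.
TXT_ALLOWED_NAME_PATTERNS = (
    re.compile(r"^_dmarc\."),
    re.compile(r"^_domainkey\.|\._domainkey\."),
)

def parse_dns_log(text):
    """Yield (timestamp, host, qtype, qname) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groups()

def suspicious_txt_queries(text):
    """Return {host: {qname: count}} for TXT lookups outside the allowlists."""
    hits = defaultdict(lambda: defaultdict(int))
    for _ts, host, qtype, qname in parse_dns_log(text):
        if qtype.upper() != "TXT" or host in TXT_ALLOWED_HOSTS:
            continue
        if any(p.search(qname) for p in TXT_ALLOWED_NAME_PATTERNS):
            continue
        hits[host][qname.lower()] += 1
    return {h: dict(q) for h, q in hits.items()}

if __name__ == "__main__":
    for host, names in suspicious_txt_queries(SAMPLE_DNS_LOG).items():
        for qname, n in names.items():
            print(f"{host}: {n} TXT lookup(s) for {qname}; verify the NetSarang build on this host")
```

A hit is a lead, not a verdict: confirm by checking whether the flagged host runs one of the builds listed under "Vulnerable software versions" and whether nssock2.dll matches the vendor's fixed release.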

Mitigation
Install the update from the vendor's website.

Vulnerable software versions

Xlpd: 5.0 Build 1220

Xmanager Enterprise: 5.0 Build 1232

Xmanager: 5.0 Build 1045

Xshell: 5.0 Build 1322

Xftp: 5.0 Build 1218


External links
http://www.netsarang.com/news/security_exploit_in_july_18_2017_build.html
http://securelist.com/shadowpad-in-corporate-networks/81432/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.
