Vulnerability identifier: #VU7892
Vulnerability risk: Critical
CVSSv3.1: 9.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C]
CVE-ID:
CWE-ID: CWE-798
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Xlpd (Client/Desktop applications / Office applications)
Xmanager Enterprise (Server applications / Remote management servers, RDP, SSH)
Xmanager (Server applications / Remote management servers, RDP, SSH)
Xshell (Server applications / Remote management servers, RDP, SSH)
Xftp (Client/Desktop applications / File managers, FTP clients)
Vendor: NetSarang Computer
Description
The vulnerability allows a remote attacker to gain complete control over the affected system.
The weakness exists due to the presence of backdoor functionality in the nssock2.dll library. After installation, the ShadowPad backdoor activates itself by sending a DNS TXT request for a specific domain. After successful activation, a remote attacker can gain full access to the affected system.
The backdoor has the ability to connect to a malicious C&C server and execute commands sent by malicious actors.
The backdoor was discovered on August 4, 2017 by Kaspersky Lab researchers.
Mitigation
Install the update from the vendor's website.
Vulnerable software versions
Xlpd: 5.0 Build 1220
Xmanager Enterprise: 5.0 Build 1232
Xmanager: 5.0 Build 1045
Xshell: 5.0 Build 1322
Xftp: 5.0 Build 1218
External links
http://www.netsarang.com/news/security_exploit_in_july_18_2017_build.html
http://securelist.com/shadowpad-in-corporate-networks/81432/
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.