Security Bulletin
This security bulletin contains one critical-risk vulnerability.
EUVDB-ID: #VU11139
Risk: Critical
CVSSv4.0: 9.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red]
CVE-ID: N/A
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description
The security issue exists due to the presence of backdoor code in updates distributed from the official website. After the update is installed, the system becomes infected with NotPetya ransomware.
The malware present in the code also makes various attempts to infect other systems.
The vendor has issued version 10.01.190, which does not contain the backdoor.
M.E.Doc: 10.01.188 - 10.01.189
External links
https://www.facebook.com/medoc.ua/posts/1909626612658250
https://load.medoc.ua/distr/medoc_10.01.190.zip
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.