Risk | Critical |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | N/A |
CWE-ID | CWE-798 |
Exploitation vector | Network |
Public exploit | This vulnerability is being exploited in the wild. |
Vulnerable software |
Xlpd - Client/Desktop applications / Office applications
Xmanager Enterprise - Server applications / Remote management servers, RDP, SSH
Xmanager - Server applications / Remote management servers, RDP, SSH
Xshell - Server applications / Remote management servers, RDP, SSH
Xftp - Client/Desktop applications / File managers, FTP clients |
Vendor | NetSarang Computer |
Security Bulletin
This security bulletin contains one critical risk vulnerability.
EUVDB-ID: #VU7892
Risk: Critical
CVSSv4.0: 9.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red]
CVE-ID: N/A
CWE-ID:
CWE-798 - Use of Hard-coded Credentials
Exploit availability: No
Description
The vulnerability allows a remote attacker to gain complete control over the affected system.
The weakness exists due to the presence of backdoor functionality in the nssock2.dll library. After installation, the ShadowPad backdoor activates itself by sending a DNS TXT request for a specific domain. After successful activation, a remote attacker can gain full access to the affected system.
The backdoor can connect to a malicious C&C server and execute commands sent by malicious actors.
The backdoor was discovered on August 4, 2017 by Kaspersky Labs researchers.
Install the update from the vendor's website.
Xlpd: 5.0 Build 1220
Xmanager Enterprise: 5.0 Build 1232
Xmanager: 5.0 Build 1045
Xshell: 5.0 Build 1322
Xftp: 5.0 Build 1218
https://www.netsarang.com/news/security_exploit_in_july_18_2017_build.html
https://securelist.com/shadowpad-in-corporate-networks/81432/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into visiting a specially crafted website or opening a file.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.