Re: Re: Vulnerability and compromised profiles (Zeroshell<3.0



@fulvio wrote:


All versions of Zeroshell older than release 2.0.RC3 are vulnerable because of the possibility to execute code remotely via the web interface in a non-authenticated mode. This well-documented vulnerability has been exploited to introduce an executable within the profiles that makes connections to some DNS with the aim of producing a DDoS resulting in bandwidth consumption.
Even the release 2.0.RC3 may be subject to the attack if the configuration profile comes from a previous version already compromised. The release 3.0.0 is able to detect a compromised profile and clean it. It is recommended, in view of the gravity of the problem, to migrate as soon as possible to release 3.0.0 to be sure that Zeroshell is not running a compromised profile.


Thank you for the information.