Zero-day vulnerability in CCleaner

Backdoor

Avast reported a security breach, which involved compromise of one of the CCleaner distribution servers. As a result, the adversary was able to distribute a backdoored version of CCleaner application between August 15 and September 12. The compromised version of CCleaner was distributed from the official vendor's website.

Vulnerability details

Advisory: SB2017091816 - Backdoor in CCleaner

Vulnerable component: CCleaner

CVE-ID:

CVSSv3 score: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C

CWE-ID: CWE-20 - Improper Input Validation

Description:

CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191 were shipped with a backdoor code from official vendorтАЩs website. The incident was detected on September 12.

The malicious version was released on August 15. Users, who downloaded CCleaner between August 15 and September 12, are affected.

Vulnerability Scanning SaaS

Vulnerability scanning SaaS service is online 3-rd generation vulnerability scanner with scheduled assessments and vulnerability subscription. You can use service to check security of your network perimeter.