Following the public disclosure of the zero-day last week, Netsweeper promises to improve its communication with security researchers
UPDATED Netsweeper claims to have patched a pre-authentication remote code execution (RCE) vulnerability in the firm’s content filtering software.
The critical vulnerability was made public on April 28 by Noam Rathaus following weeks of unsuccessful attempts by the Beyond Security co-founder to contact Netsweeper to fix the problem.
Netsweeper software is used for content filtering and to block websites, including pornographic and gambling-related domains. A real-time monitoring solution for students has also recently been released.
The bug was said to impact Netsweeper webadmin versions 6.4.3 and below.
Hijacking traffic channels
As previously reported by The Daily Swig, Rathaus said the security flaw could be used by attackers not only to tamper with content filtering, but also to hijack traffic channels and redirect users to malicious domains.
At the time, Netsweeper did not respond to requests concerning upcoming patches to resolve the vulnerability.
On May 5, the company contacted us with an update, saying that “upon discovery” of the bug – although whether this relates to Rathaus’ disclosure or an in-house team’s findings is unclear – “the Netsweeper team immediately issued a statement and patch to all our customers, for all versions of our software”.
In a further update on May 6, Netsweeper told The Daily Swig that upon the public disclosure of the vulnerability on April 28, a patch was created. Customers were directly informed via email and urged to update.
According to the company, Netsweeper engineers “worked closely with several of our customers to ensure the patch was properly applied”.
The patch will be included in all new releases. However, the company has not shared the technical details of the fix.
“Netsweeper treats the security of our product and the security of our customers’ data with the utmost importance,” the spokesperson added.
“Our engineers have worked closely with customer technical teams to ensure their systems were patched.”
In relation to Rathaus’ public disclosure and unsuccessful attempts to disclose the issue directly, Netsweeper said that the firm has bumped cybersecurity disclosures up the priority list and has both “reviewed and addressed our internal procedures to improve the identification and coordination of communications with security researchers”.
This article has been updated to include additional comment from Netsweeper.