CVE-2018-13417

Name of the Vulnerable Software and Affected Versions Vuze Bittorrent Client version 5.7.6.0

Description The XML parsing engine for SSDP/UPnP functionality in Vuze Bittorrent Client is vulnerable to an XML External Entity Processing (XXE) attack. This allows remote, unauthenticated attackers to access arbitrary files from the filesystem with the same permission as the user account running Vuze. Additionally, attackers can initiate SMB connections to capture a NetNTLM challenge/response and crack to cleartext password, or relay a NetNTLM challenge/response to achieve Remote Command Execution in Windows domains.

Recommendations For Vuze Bittorrent Client version 5.7.6.0, consider disabling the SSDP/UPnP functionality as a temporary workaround until a patch is available. Restrict access to sensitive files and directories to minimize the risk of exploitation. Avoid using the vulnerable XML parsing engine for SSDP/UPnP functionality until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.