Linux BPFDoor Detection (Direct Check)

critical Nessus Plugin ID 161761

Synopsis

Nessus detected a BPFDoor instance listening on the remote host.

Description

The remote system responds to requests typically seen by BPFDoor, a backdoor payload for Linux that is often deployed by malware to gain re-entry to a device. This plugin will open a callback on the scanner and listen for the BPFDoor response. As such, it will not work with cloud based scanners.

This plugin will attempt to send the BPFDoor payload to any open port on the scan target. If no ports are known to be open, it will attempt to send a packet to UDP 68, if the preference 'Consider unscanned ports as closed' is set to 'no.' The plugin will also validate that a response to the callback looks correct. If you wish to catch even unknown responses, you may set 'Show potential false alarms.'

See Also

http://www.nessus.org/u?212a1f40

Plugin Details

Severity: Critical

ID: 161761

File Name: bpfdoor_remote_detect.nbin

Version: 1.6

Type: remote

Family: Backdoors

Published: 6/1/2022

Updated: 11/30/2022

Risk Information

CVSS Score Rationale: The system is suspected as being infected by malware.

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: manual

CVSS v3

Risk Factor: Critical

Base Score: 10

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H