Arcserve Unified Data Protection fixes authentication bypass flaw, exploit published
Take action: Another difficult challenge for system admins - upgrading a backup server. You may want to discuss whether an attacker could ever reach your local network, but push through and patch the system anyway, because an attacker will eventually be on your local network.
Learn More
Arcserve has released UDP 9.1 to fix an authentication bypass vulnerability (CVE-2023-26258) in its Arcserve Unified Data Protection (UDP) enterprise data protection solution.
The vulnerability allows attackers to compromise admin accounts and take control of vulnerable instances.
During a simulated ransomware attack, the researchers who reported the flaw quickly identified a critical authentication bypass in Arcserve UDP that granted access to the administration interface.
They have published a proof-of-concept (PoC) exploit along with scanning tools that let security engineers locate Arcserve UDP instances running with default configurations, confirm that an instance is exploitable by obtaining a valid administrator session, and retrieve and decrypt the stored admin credentials.
Arcserve has released patches for the flaw and stated that there have been no active exploitation attempts reported.
The vulnerability affects Arcserve UDP versions 7.0 through 9.0; UDP 6.x and older are not affected, and neither is the Arcserve UDP Linux Agent.
Users are advised to upgrade to UDP 9.1 (Windows) through the built-in auto-update, or to use the 9.1 RTM build for fresh deployments and for older versions. If an immediate upgrade is not feasible, apply the patch individually on each Windows node, prioritising nodes whose ports are exposed to the public internet.
Naturally, blocking those ports at the internet perimeter is only a temporary mitigation, not a fix.
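Before deciding between auto-update and per-node patching, it helps to know which Windows nodes are actually running an affected build. As an added example (not code from the advisory or from Arcserve), the PowerShell below inventories a list of nodes for Arcserve UDP installs and classifies each by the version ranges stated above: 7.0 through 9.0 vulnerable, 9.1 fixed, 6.x and older unaffected. It assumes the nodes accept WinRM, and that the product registers under the standard Uninstall registry keys with a DisplayName containing "Arcserve" and a numeric DisplayVersion; the host names are constructed placeholders.

```powershell
# Added example, not code from the advisory or from Arcserve: inventory Windows
# nodes for Arcserve UDP installs and classify them against the affected range.
# Assumptions: nodes are reachable over WinRM, and the product registers a
# DisplayName containing "Arcserve" plus a DisplayVersion under the standard
# Uninstall registry keys. Host names and the name filter are placeholders.

$Nodes = @('backup01', 'backup02')       # constructed sample host list
$FirstAffected = [version]'7.0'          # 6.x and older: not affected
$FixedIn       = [version]'9.1'          # 9.1: fixed

function Get-ArcserveUdpStatus {
    param([string]$Node, [string]$Product, [string]$DisplayVersion)
    $v = $null
    if (-not [version]::TryParse($DisplayVersion, [ref]$v)) {
        $status = 'unknown version string - check manually'
    } elseif ($v -lt $FirstAffected) {
        $status = 'not affected (pre-7.0)'
    } elseif ($v -lt $FixedIn) {
        $status = 'VULNERABLE - upgrade to 9.1 or apply the node patch'
    } else {
        $status = 'patched (9.1 or later)'
    }
    [pscustomobject]@{ Node = $Node; Product = $Product; Version = $DisplayVersion; Status = $status }
}

# Collect installed-product entries from each node (64-bit and 32-bit views).
$Installs = Invoke-Command -ComputerName $Nodes -ErrorAction Continue -ScriptBlock {
    $Keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $Keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Arcserve*' } |   # assumption: name contains "Arcserve"
        Select-Object @{n='Node'; e={$env:COMPUTERNAME}}, DisplayName, DisplayVersion
}

$Report = foreach ($i in $Installs) {
    Get-ArcserveUdpStatus -Node $i.Node -Product $i.DisplayName -DisplayVersion $i.DisplayVersion
}

$Report | Sort-Object Status, Node | Format-Table -AutoSize

# Patch these first; cross-check them against your perimeter firewall rules to
# find the ones whose console ports are reachable from the internet.
$Report | Where-Object Status -like 'VULNERABLE*' | Select-Object Node, Product, Version
```

The version comparison uses PowerShell's `[version]` type rather than string matching, so a build such as 9.0.xxxx sorts below 9.1 and 9.1.0.0 sorts as patched. Entries whose DisplayVersion does not parse are flagged for manual review instead of being silently treated as safe.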