Arcserve Unified Data Protection fixes critical vulnerabilities
Take action: If you are running Arcserve Unified Data Protection, patch as soon as possible. It's not a panic mode fix, but you shouldn't ignore the issue.
Arcserve has fixed a series of critical security vulnerabilities in its Unified Data Protection (UDP) platform which could enable attackers to upload malicious files to the underlying Windows system.
- CVE-2024-0799 (CVSS score 9.8) is an authentication bypass flaw that allows unauthenticated remote attackers to bypass login procedures by sending a specially crafted POST HTTP request to the /management/wizardLogin endpoint without the password parameter. Successfully exploiting this vulnerability enables attackers to perform tasks within the UDP Console that typically require authentication.
- CVE-2024-0800 (CVSS score 8.8), a path traversal vulnerability, permits authenticated attackers to upload arbitrary files to any directory on the file system where the UDP Console is installed. When CVE-2024-0799 and CVE-2024-0800 are exploited together, as demonstrated in Tenable’s Proof of Concept (PoC), attackers can upload files without prior authentication, executing the upload operation under the security context of SYSTEM, thus elevating the severity of the attack.
- CVE-2024-0801 (CVSS score 7.5) allows unauthenticated attackers to terminate the software process, potentially leading to a denial of service and disrupting backup and disaster recovery operations.
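The CVE-2024-0799 description above gives defenders a concrete request shape to look for: a POST to /management/wizardLogin that carries no password parameter. The following detection heuristic is an added example, not Arcserve's or Tenable's code. It assumes a simplified, constructed log format of the form "METHOD PATH BODY_PARAMS" (body parameters as k=v&k=v); the sample lines and the userName field name are constructed for illustration, while the endpoint and the password parameter come from the advisory text.

```python
"""Flag POST requests to the UDP wizardLogin endpoint that omit the password parameter.

Added example for the CVE-2024-0799 request pattern; the log format below is an
assumption (a proxy or application log that records request bodies), not a real
Arcserve or IIS log layout.
"""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

LOGIN_ENDPOINT = "/management/wizardLogin"  # endpoint named in the advisory
REQUIRED_PARAM = "password"                  # parameter the bypass request omits


@dataclass
class Finding:
    line_no: int
    reason: str


def parse_line(line: str):
    """Parse one constructed log line: '<method> <path-or-url> <body params>'."""
    parts = line.strip().split(" ", 2)
    method, target = parts[0], parts[1]
    body = parts[2] if len(parts) > 2 else ""
    path = urlsplit(target).path          # strip query string / scheme if present
    # keep_blank_values: 'password=' (present but empty) is still a present parameter,
    # which matches the advisory's wording "without the password parameter"
    params = parse_qs(body, keep_blank_values=True)
    return method.upper(), path, params


def check_line(line_no: int, line: str) -> Optional[Finding]:
    """Return a Finding when a POST to the login endpoint lacks the password parameter."""
    method, path, params = parse_line(line)
    if method == "POST" and path.rstrip("/") == LOGIN_ENDPOINT:
        if REQUIRED_PARAM not in params:
            return Finding(line_no, "POST to wizardLogin without password parameter")
    return None


def scan(lines: List[str]) -> List[Finding]:
    """Run check_line over every log line and collect the findings."""
    findings = []
    for i, line in enumerate(lines, 1):
        finding = check_line(i, line)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample log; 'userName' is an assumed field name, not taken from the advisory.
SAMPLE_LOG = [
    "POST /management/wizardLogin userName=admin&password=REDACTED",  # normal login
    "POST /management/wizardLogin userName=admin",                    # bypass pattern
    "GET /management/wizardLogin",                                    # page load, not a login
    "POST /management/other userName=admin",                          # different endpoint
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason}")
```

Standard web-server access logs usually do not record POST bodies, so this check belongs at a reverse proxy or WAF that inspects request bodies, or in application-level logging; on access logs alone, a cheaper signal is any request to the login endpoint followed by authenticated console activity from a source that never logged in successfully. The check is a detection aid for unpatched hosts, not a substitute for applying the 9.2 and 8.1 patches.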
Tenable researchers have published a PoC exploit script demonstrating the attack.
Arcserve has released security patches for UDP versions 9.2 and 8.1 to address these vulnerabilities. Users are strongly encouraged to apply these patches to every machine that utilizes the UDP console to mitigate the risks associated with these vulnerabilities and ensure the integrity and security of their data protection infrastructure.