Arcserve, a data protection provider, has patched a high-severity security vulnerability in its Unified Data Protection (UDP) backup software. This flaw could have allowed attackers to bypass authentication and acquire admin privileges. Arcserve UDP is a solution designed to help customers defend against ransomware attacks, restore compromised data, and enable effective disaster recovery to ensure business continuity.
The vulnerability, tracked as CVE-2023-26258, was fixed with the release of UDP 9.1 on June 27, four months after it was discovered and reported by security researchers Juan Manuel Fernandez and Sean Doherty from MDSec's ActiveBreach red team. The researchers found the vulnerability while simulating a ransomware attack scenario where the primary objective was to compromise the organization's backup infrastructure. Within minutes of analyzing the code, they found a critical authentication bypass that allowed access to the administration interface.
The flaw, present in Arcserve UDP versions 7.0 to 9.0, could have allowed attackers on the local network to access the UDP admin interface after obtaining easily decryptable admin credentials by capturing SOAP requests containing AuthUUIDs. Arcserve strongly recommends that users upgrade to UDP 9.1, either through the built-in auto-update in UDP version 9 or by using the 9.1 RTM build for fresh deployments and for older versions.
The researchers noted that threat actors could use the acquired admin credentials during a ransomware attack to wipe the backups, destroying the target's data. Furthermore, a pair of default MSSQL database credentials could also be used to obtain the admin credentials even on a server that is already patched against CVE-2023-26258, provided it still uses the default configuration.
MDSec shared proof-of-concept exploits and tools that can be used to scan for Arcserve UDP instances with default configuration on local networks, as well as retrieve and decrypt credentials by exploiting the authentication bypass in the management interface.
Despite the extensive communication between MDSec and Arcserve during the disclosure process, the final line in the disclosure timeline states, "ArcServe releases the patch without credits." Arcserve's data protection products are used by approximately 235,000 customers across 150 countries.