Data protection vendor Arcserve has addressed a high-severity security flaw in its Unified Data Protection (UDP) backup software that can let attackers bypass authentication and gain admin privileges.
According to the company, Arcserve UDP is a data and ransomware protection solution designed to help customers thwart ransomware attacks, restore compromised data, and enable effective disaster recovery to ensure business continuity.
Arcserve released UDP 9.1 to fix the vulnerability (tracked as CVE-2023-26258) on June 27, four months after the bug was found and reported by security researchers Juan Manuel Fernandez and Sean Doherty with MDSec’s ActiveBreach red team.
“During a recent adversary simulation, the MDSec ActiveBreach red team [was] performing a ransomware scenario, with a key objective set on compromising the organization’s backup infrastructure,” the researchers said.
“Within minutes of analysing the code, a critical authentication bypass was discovered that allowed access to the administration interface.”
On systems running Arcserve UDP 7.0 up to 9.0, the flaw enables attackers on the local network to access the UDP admin interface after obtaining easy-to-decrypt admin credentials by capturing SOAP requests containing AuthUUIDs to get valid administrator sessions.
The admin credentials could allow threat actors to destroy the targets’ data by wiping the backups in ransomware attacks.
The MDSec ActiveBreach researchers added that a pair of default MSSQL database credentials could also be used to obtain the admin credentials if the targeted server is already patched against CVE-2023-26258 and uses a default config.
MDSec also shared proof-of-concept exploits and tools that can be used to scan for Arcserve UDP instances with default configuration on local networks, as well as retrieve and decrypt credentials by exploiting the authentication bypass in the management interface.
“If the attacker is positioned on the local network, scans can be performed to find instances using default configurations using ArcServeRadar.py,” MDSec explains.
“Finally, if the ArcServe version was not patched (CVE-2023-26258) it is possible to exploit an authentication bypass in the management web interface and retrieve the admin creds (ArcServe-exploit.py). All the passwords retrieved by the tools can be decrypted using ArcServeDecrypter.exe.”
While MDsec exchanged more than a dozen messages with the Arcserve team during the disclosure process and was asked how they wanted to be credited, the final line in the disclosure timeline shared at the end of the report says, “ArcServe releases the patch without credits.”
Arcserve says its data protection products help safeguard the data of roughly 235,000 customers across 150 countries.