Critical vulnerability discovered in Arcserve backup software

11 months ago AndyC

Arcserve has patched a critical authentication bypass in its Unified Data Protection product that gave attackers control over the software’s web administration interface, and led to a remote code execution (RCE) attack.

Critical vulnerability discovered in Arcserve backup software

Arcserve has patched a critical authentication bypass in its Unified Data Protection product that gave attackers control over the software’s web administration interface, and led to a remote code execution (RCE) attack.

Discovered by researcher Juan Manuel Fernandez (@TheXC3LL) and MDSec’s Sean Doherty, CVE-2023-26258 affects UDP between version 7.0 and 9.0, and has been patched by Arcserve.

While exploring the login interactions between client and server, the two researchers spotted a variable called authUUID and method called validateUserByUuid.

They were then able to use that information to obtain access; as they described in this post, they got “a cookie with a session.”

From there, the researchers were then able to retrieve and decrypt the admin’s password, giving them complete control over the system, including RCE capabilities.

Fernandez and Doherty have posted their attack tools at GitHub.

According to the MDSec post, the pair first disclosed their findings to Arcserve on February 9, and the company posted its patch on June 27.

Arcserve said all UDP Windows agents and Recovery Point Servers need to be upgraded to 9.1, manually or via an automatic update.


About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , , ,

More Stories

Sekuro Appoints its First Federal Government Security Advisor

Sekuro Appoints its First Federal Government Security Advisor

2 hours ago AndyC
Macquarie Uni to spend up to 0m on 10-year digital transformation

Macquarie Uni to spend up to $700m on 10-year digital transformation

5 hours ago AndyC
EU demands clarity on AI risks in Bing

EU demands clarity on AI risks in Bing

5 hours ago AndyC
Microsoft offers cloud customers AMD alternative to Nvidia AI processors

Microsoft offers cloud customers AMD alternative to Nvidia AI processors

5 hours ago AndyC
Digital ID bill passes parliament

Digital ID bill passes parliament

5 hours ago AndyC
Telstra brings Infosys into engineering transformation

Telstra brings Infosys into engineering transformation

5 hours ago AndyC

You may have missed

Sekuro Appoints its First Federal Government Security Advisor

Sekuro Appoints its First Federal Government Security Advisor

2 hours ago AndyC
Weekly Update 400

Weekly Update 400

2 hours ago AndyC
Macquarie Uni to spend up to 0m on 10-year digital transformation

Macquarie Uni to spend up to $700m on 10-year digital transformation

5 hours ago AndyC
EU demands clarity on AI risks in Bing

EU demands clarity on AI risks in Bing

5 hours ago AndyC
Microsoft offers cloud customers AMD alternative to Nvidia AI processors

Microsoft offers cloud customers AMD alternative to Nvidia AI processors

5 hours ago AndyC

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.