Critical authentication bypass found in Arcserve backup system

A critical authentication bypass in an Arcserve backup system was discovered by MDSec's ActiveBreach red team during a routine red team engagement against the system.

In a research post, the MDSec ActiveBreach researchers detailed the vulnerability’s exploitation process and published tools and a proof-of-concept (PoC) exploit for use by other pen testers. The researchers found that threat actors can exploit the backup systems to compromise admin accounts and take over vulnerable backups.

The authentication bypass vulnerability (CVE-2023-26258) was found in the Arcserve Unified Data Protection (UDP) enterprise data protection product. According to its website, Arcserve backup products are widely used -- the company has more than 235,000 customers globally.

According to Arcserve, the bug affects all backup systems running Arcserve UDP 7.0 up to 9.0. The vulnerability lets an attacker who has gained access to the local network take over the UDP admin interface and obtain valid admin sessions.

The MDSec ActiveBreach researchers first shared a CVE with Arcserve on February 21, two weeks after a support ticket was opened. By March 28, Arcserve told MDSec that it needed more time for investigation. It wasn't until June 21 that a hotfix was prepared, and on June 27 Arcserve released a patch.

Earlier this week, Arcserve "strongly recommended" that all users upgrade to the UDP 9.1 Windows version, which security teams can do via a built-in auto-update in UDP Version 9 or using its 9.1 RTM build for fresh deployments and old versions.

Security teams need to move quickly on CVEs like this one: in 2021, for example, Rapid7 researchers found that more than half of the vulnerabilities they tracked were exploited within seven days of public disclosure -- and 58 percent within two weeks.

Arcserve said it is not aware of any “active attempts” to exploit the vulnerability. “At this time, no third-party vulnerability scanner is detecting this vulnerability – but over time it might be detected by some of the vulnerability scanners,” said Arcserve.
