A group of red team researchers has identified a critical authentication bypass in an Arcserve backup system.
The researchers detailed the exploitation process and published tools and a PoC exploit for use by other pen testers. Threat actors can exploit the backup systems to compromise admin accounts and take over vulnerable backups.
The authentication bypass vulnerability, tracked as CVE-2023-26258, was found in the Arcserve Unified Data Protection (UDP) enterprise data protection product. The bug affects all backup systems running Arcserve UDP 7.0 up to 9.0. It lets attackers who gain access to the local network take over the UDP admin interface and then obtain valid admin sessions.
The researchers first reported the vulnerability to Arcserve on February 21, two weeks after a support ticket was opened. By March 28, Arcserve said it needed more time for investigation. It wasn't until June 21 that a hotfix was prepared, and on June 27 Arcserve released a patch.
Earlier this week, Arcserve strongly recommended that all users upgrade to the UDP 9.1 Windows version. The upgrade can be applied via the built-in auto-update in UDP version 9, or by using the 9.1 RTM build for fresh deployments and older versions.
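Because no third-party scanner currently flags this bug, the practical defensive step is to check your own asset inventory against the affected range the article gives (UDP 7.0 through 9.0, fixed in 9.1). The script below is an added example, not code from the article or from Arcserve: it parses version strings, applies that range, and lists hosts that still need the 9.1 upgrade. The hostnames, version strings and the `triage` function are constructed for illustration; how you obtain each host's installed UDP version (CMDB export, endpoint agent, manual check) is assumed to happen outside this script.

```python
"""Triage an asset inventory for Arcserve UDP versions affected by CVE-2023-26258.

Affected range per the article: UDP 7.0 up to 9.0; the fix ships in UDP 9.1.
All inventory data below is constructed sample data, not real hosts.
"""
import re
from typing import List, Tuple

AFFECTED_MIN = (7, 0)   # first affected release named in the article
FIXED_VERSION = (9, 1)  # first release carrying the patch

_VERSION_RE = re.compile(r"\s*(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Convert a version string such as '9.0.6' or '9.1 RTM' into a tuple of ints.

    Only the leading dotted numeric part is used; a trailing label is ignored.
    Raises ValueError when no numeric version is present at all.
    """
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected(version: str) -> bool:
    """True when the installed version falls inside [7.0, 9.1), i.e. still unpatched."""
    parsed = parse_version(version)
    # Tuple comparison is lexicographic, so (9, 0, 6) < (9, 1) and (9, 1, 0) >= (9, 1).
    return AFFECTED_MIN <= parsed < FIXED_VERSION


def triage(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the hostnames whose UDP version needs the 9.1 upgrade."""
    return [host for host, version in inventory if is_affected(version)]


# Constructed sample inventory: (hostname, installed UDP version string).
SAMPLE_INVENTORY = [
    ("backup-01", "7.0"),
    ("backup-02", "8.1.2"),
    ("backup-03", "9.0.6"),
    ("backup-04", "9.1 RTM"),
    ("backup-05", "6.5"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: upgrade to UDP 9.1 required (CVE-2023-26258)")
```

The check deliberately keys on the version boundary the vendor advisory gives rather than probing the admin interface, so it can run entirely from inventory data without touching the backup servers; a version below 7.0 is reported as outside the published affected range, not as safe, so such hosts still warrant a separate look.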
Arcserve said it is not aware of any "active attempts" to exploit the vulnerability. At this time, no third-party vulnerability scanner detects this vulnerability, though over time some scanners are likely to add coverage for it.