
Multiple Critical Vulnerabilities in Arcserve UDP

Proof-of-concept exploits have been released for three critical vulnerabilities


Summary

Arcserve has released a security advisory for three critical vulnerabilities in Arcserve Unified Data Protection (UDP): CVE-2023-41998 (remote code execution), CVE-2023-41999 (authentication bypass) and CVE-2023-42000 (path traversal), each with a CVSS score of 9.8. Proof-of-concept exploit code has been released for all three.


Affected platforms

The following platforms are known to be affected:

Threat details

Introduction

Arcserve, a data protection, replication and recovery solutions provider, has released a security advisory addressing three critical vulnerabilities affecting Arcserve Unified Data Protection (UDP).


Vulnerability details

  • CVE-2023-41998 - CWE-94 - Improper Control of Generation of Code ('Code Injection')

This is a remote code execution (RCE) vulnerability with a CVSS score of 9.8. It could allow a remote, unauthenticated attacker to execute arbitrary code on the affected system.

  • CVE-2023-41999 - CWE-287 - Improper Authentication

This is an authentication bypass vulnerability with a CVSS score of 9.8. It could allow a remote, unauthenticated attacker to log in to the console and obtain user credentials.

  • CVE-2023-42000 - CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

This is a path traversal vulnerability with a CVSS score of 9.8. It could allow a remote, unauthenticated attacker to upload arbitrary files to any location on the file system of a host where the UDP agent is installed.
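The path traversal class listed above (CWE-22 in a file upload handler), as an added example that is not Arcserve's code and makes no claim about how the UDP agent's upload endpoint is implemented: the naive join that causes this class of bug beside a hardened replacement, both run over constructed file names. The function names, the sample names and the /srv/uploads base directory are assumptions for illustration.

```python
"""Added example (not Arcserve code): a naive upload-path join beside a
hardened one, exercised with constructed file names.  Function names, the
sample names and the base directory are illustrative assumptions."""
import os
import ntpath
import posixpath


def naive_upload_path(base_dir: str, client_name: str) -> str:
    """VULNERABLE pattern (CWE-22): the client-supplied name is joined straight
    onto the upload directory.  normpath() collapses '..' only after the join,
    so '../../x' walks out of base_dir and an absolute name replaces it."""
    return os.path.normpath(os.path.join(base_dir, client_name))


def safe_upload_path(base_dir: str, client_name: str) -> str:
    """Hardened replacement: returns the absolute destination or raises
    ValueError.  Rejects NUL bytes, absolute paths and drive letters in either
    OS's syntax, and any '..' segment, then re-checks containment."""
    if not client_name or "\x00" in client_name:
        raise ValueError("empty name or embedded NUL")
    # Treat backslashes as separators too: a Windows agent would, and an
    # attacker will use whichever separator the filter forgets.
    name = client_name.replace("\\", "/")
    if posixpath.isabs(name) or ntpath.splitdrive(name)[0]:
        raise ValueError("absolute path, UNC path or drive letter rejected")
    segments = [s for s in name.split("/") if s not in ("", ".")]
    if not segments or ".." in segments:
        raise ValueError("empty or parent-directory segment rejected")
    base = os.path.abspath(base_dir)
    dest = os.path.abspath(os.path.join(base, *segments))
    # Belt and braces: prove containment on the normalised result, comparing
    # whole components (a plain startswith() would accept /srv/uploads2).
    if os.path.commonpath([base, dest]) != base:
        raise ValueError("destination escapes the upload directory")
    return dest


# Constructed sample of names an upload endpoint might receive.
SAMPLE_NAMES = [
    "backup/2023-12-08.bak",                 # legitimate relative name
    "../../../etc/cron.d/backdoor",          # classic POSIX traversal
    "..\\..\\Windows\\System32\\evil.dll",   # Windows separators
    "/etc/cron.d/backdoor",                  # absolute path discards base_dir
    "C:\\Windows\\System32\\evil.dll",       # drive letter
    "nested/./dir/../file.txt",              # '..' that stays inside, still rejected
    "report.txt\x00.bak",                    # NUL truncation trick
]


def evaluate(base_dir: str, names) -> dict:
    """Run both joins over the names.  Returns {name: (naive_escapes, safe_accepts)}:
    naive_escapes is True when the naive join lands outside base_dir on this OS,
    safe_accepts is True when the hardened check lets the name through."""
    base = os.path.abspath(base_dir)
    results = {}
    for name in names:
        naive = naive_upload_path(base, name)
        naive_escapes = os.path.commonpath([base, naive]) != base
        try:
            safe_upload_path(base, name)
            accepted = True
        except ValueError:
            accepted = False
        results[name] = (naive_escapes, accepted)
    return results


if __name__ == "__main__":
    for name, (escapes, accepted) in evaluate("/srv/uploads", SAMPLE_NAMES).items():
        print(f"{name!r:45} naive escapes: {escapes!s:5} hardened accepts: {accepted}")
```

Note that the naive join's result for the backslash and drive-letter names depends on the operating system: on Linux they are single odd-looking file names inside the upload directory, on a Windows agent they escape it. The hardened check rejects them on both, which is the point of normalising separators before the rest of the checks rather than relying on what the local os.path happens to do.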

Proof-of-concept available

Proof-of-concept exploit code is available for CVE-2023-41998, CVE-2023-41999 and CVE-2023-42000.


Remediation advice

Affected organisations are encouraged to review the Arcserve UDP Security Fix update - P00002983 and apply any relevant updates.



Last edited: 8 December 2023 1:55 pm