Possible Exploitation of Arcserve Unified Data Protection (UDP) Vulnerabilities
Proof-of-concept exploit code was released for three vulnerabilities in March 2024
Summary
Proof-of-concept exploit code was released for three vulnerabilities in March 2024
Affected platforms
The following platforms are known to be affected:
Threat details
Introduction
Possible exploitation has been reported for three vulnerabilities affecting Arcserve Unified Data Protection (UDP), a widely used backup and disaster recovery solution.
Vulnerability details
- CVE-2024-0799 - CWE-287 - Improper Authentication
- This is an authentication bypass vulnerability with a CVSSv3 score of 9.8, which an unauthenticated remote attacker could exploit by sending a POST HTTP message without the password parameter to endpoint /management/wizardLogin. Once authenticated, the attacker can perform UDP Console tasks that require authentication.
- CVE-2024-0800 - CWE-434 - Unrestricted Upload of File with Dangerous Type
- This path traversal vulnerability with a CVSSv3 score of 8.8 could allow an authenticated, remote attacker to upload arbitrary files to any directory on the file system where the UDP Console is installed. The upload operation is carried out under the security context of SYSTEM.
- CVE-2024-0801 - This denial-of-service vulnerability is still being assessed by the US National Vulnerability Database.
Proof-of-concept available and possible exploitation attempts have been reported
Arcserve published their security advisory for the vulnerabilities in March 2024. A cyber security company released details of their proof-of-concept code for CVE-2024-0799, CVE-2024-0800, and CVE-2024-0801 on the following day.
Possible exploitation attempts of Arcserve UDP soon followed.
Remediation advice
Affected organisations are strongly encouraged to review the Security Fix update – CVE-2024-0799; CVE-2024-0800; CVE-2024-0801 Arcserve advisory and apply any relevant updates.
Definitive source of threat updates
CVE Vulnerabilities
Last edited: 9 May 2024 3:51 pm