Reference:
Advisory #2024-43
Version:
1.0
Affected software:
Arcserve UDP versions 9.2 and 8.1
Type:
authentication bypass, path traversal and denial of service
CVE/CVSS:
CVE-2024-0799
CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2024-0800
CVSS 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVE-2024-0801
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Three high-risk and critical vulnerabilities, CVE-2024-0799, CVE-2024-0800 and CVE-2024-0801, affecting Arcserve UDP Software, a backup and disaster recovery solution, were disclosed.
The exploitation of these vulnerabilities could allow unauthorized attackers to bypass authentication mechanisms, to upload malicious files, or even to crash critical backup systems.
A compromise of Arcserve UDP software could result in:
There is no available information yet about the vulnerabilities being exploited in the wild by threat actors, but a PoC was released, increasing the risk of future exploitation by cyber threat actors.
UPDATE 2024-05-13: NHS reported there have been possible exploitation attempts.
CVE-2024-0799 is an Authentication Bypass critical vulnerability that allows a remote, unauthenticated attacker to completely bypass login protection and gain unrestricted access to management functions within the Arcserve UDP console.
CVE-2024-0800 is a Path Traversal vulnerability that allows an authenticated attacker to upload arbitrary files anywhere on the system hosting the Arcserve UDP console.
This could lead to the deployment of malware or further system compromise, particularly dangerous as uploads execute with SYSTEM privileges.
It is worth mentioning that CVE-2024-0799 and CVE-2024-0800 can be chained together with devastating consequences.
CVE-2024-0801 is a Denial of Service vulnerability which, while less directly exploitable, still poses a risk: attackers without authentication can trigger a crash in Arcserve UDP by simply sending crafted login requests.
The affected versions are: Arcserve UDP versions 9.2 and 8.1.
Recommended Actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
Arcserve customers should urgently download and install the relevant patches from the official Arcserve support portal.
https://support.arcserve.com/s/article/P00003059
https://support.arcserve.com/s/article/P00003050
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.