PoC for Arcserve UDP authentication bypass flaw published (CVE-2023-26258)
An authentication bypass vulnerability (CVE-2023-26258) in the Arcserve Unified Data Protection (UDP) enterprise data protection solution can be exploited to compromise admin accounts and take over vulnerable instances, MDSec researchers Juan Manuel Fernández and Sean Doherty have found – and have released a PoC exploit for it.
CVE-2023-26258, a PoC exploit and additional tools
CVE-2023-26258 was discovered during a simulation of a ransomware attack.
“The [MDSec ActiveBreach red team was] attempting to compromise the organization’s backup infrastructure,” the researchers explained.
“Within minutes of analysing [ArcServe UDP] code, a critical authentication bypass was discovered that allowed access to the administration interface.”
They detailed the exploitation process and published tools and a PoC exploit that can be used (by pentesters on the local network) to:
- Find Arcserve UDP instances with default configuration (and default database credentials)
- Exploit the vulnerability to obtain a valid administrator session, and
- Retrieve encrypted admin credentials and decrypt them
“Even if the vulnerability is patched, it is possible to obtain the credentials of the administrator user in different ways. Of course, all of them imply certain privileges or default credentials,” they added.
Patches are available
“At this time, Arcserve is not aware of any active attempts to exploit this vulnerability,” the company said on Tuesday, when it pushed out fixes for the flaw.
CVE-2023-26258 affects Arcserve UDP versions 7.0 to 9.0 – UDP 6.x and older versions are not affected. The vulnerability also does not affect the Arcserve UDP Linux Agent.
The vulnerability can be fixed by upgrading to one of the fixed versions or by implementing patches (if upgrading is not immediately possible).
“We strongly recommend all the users upgrade to UDP 9.1 (Windows) – which can be done via built-in auto-update in UDP version 9 or using the 9.1 RTM build for fresh deployments and old versions,” the company advises.
“When using the manual patches, these need to be run individually on each Windows node. Priority should be given to any RPS that is exposed on public internet ports.”
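The version range and patching priority above can be applied to an asset inventory as a quick triage. This is an added example, not code from Arcserve or MDSec; the inventory rows, field names and the manual_patch flag are constructed assumptions, since a version string alone does not show whether a manual patch was applied.

```python
from dataclasses import dataclass

# Affected range as stated on the page: 7.0 through 9.0; 9.1 carries the fix.
AFFECTED_MIN, AFFECTED_MAX = (7, 0), (9, 0)

@dataclass
class Node:  # hypothetical inventory record; field names are assumptions
    host: str
    version: str                 # dotted version string, e.g. "8.1"
    platform: str                # "windows" or "linux-agent"
    is_rps: bool = False         # Recovery Point Server
    internet_exposed: bool = False
    manual_patch: bool = False   # vendor patch applied by hand on this node

def parse_version(text):
    """Return (major, minor); parts after the minor number are ignored."""
    parts = text.strip().split(".")
    try:
        return (int(parts[0]), int(parts[1]) if len(parts) > 1 else 0)
    except ValueError:
        raise ValueError(f"unparseable version: {text!r}") from None

def classify(node):
    if node.platform == "linux-agent":
        return "not-affected"    # the Linux Agent is not affected
    try:
        ver = parse_version(node.version)
    except ValueError:
        return "unknown"         # fail closed: send to manual review
    if ver < AFFECTED_MIN:
        return "not-affected"    # UDP 6.x and older
    if ver > AFFECTED_MAX:
        return "fixed"           # 9.1 or later
    return "patched" if node.manual_patch else "vulnerable"

def remediation_queue(nodes):
    """Vulnerable and unknown nodes, internet-exposed RPS first."""
    todo = [n for n in nodes if classify(n) in ("vulnerable", "unknown")]
    return sorted(todo, key=lambda n: (not (n.is_rps and n.internet_exposed),
                                       not n.internet_exposed, n.host))

# Constructed sample inventory, not real hosts.
INVENTORY = [
    Node("backup-01", "9.0", "windows"),
    Node("rps-edge", "8.1", "windows", is_rps=True, internet_exposed=True),
    Node("legacy-01", "6.5", "windows"),
    Node("lnx-agent", "9.0", "linux-agent"),
    Node("backup-02", "9.1", "windows"),
    Node("backup-03", "7.0", "windows", manual_patch=True),
    Node("mystery", "n/a", "windows"),
]

if __name__ == "__main__":
    for n in remediation_queue(INVENTORY):
        print(n.host, n.version, classify(n))
```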
According to MDSec’s disclosure timeline, it took over four months for Arcserve to confirm the researchers’ findings and release patches, initially without crediting the discovery of the vulnerability to Fernández and Doherty. They have since rectified that oversight.