PoCs for critical Arcserve UDP vulnerabilities released
Arcserve has fixed critical security vulnerabilities (CVE-2023-41998, CVE-2023-41999, CVE-2023-42000) in its Unified Data Protection (UDP) solution, PoCs for which have been published by Tenable researchers on Monday.
The vulnerabilities
Arcserve UDP is a popular enterprise data protection, backup and disaster recovery solution that improves organizations’ resilience to ransomware attacks.
CVE-2023-41998 is a vulnerability in the solution’s com.ca.arcflash.rps.webservice.RPSService4CPMImpl interface that may allow an unauthenticated, remote attacker to uploade and execute arbitrary files (and code) remotely via the downloadAndInstallPath() routine within the interface.
“For example, when triggering this method, a malicious actor can cause the service to download a zip file from an attacker-controlled URL to
CVE-2023-41999 is a vulnerability in the solution’s management console that may allow an unauthenticated remote attacker to obtain a valid authentication UUID to login to the console.
“Once authenticated, the attacker can perform actions that require authentication. For example, the attacker can grab the ‘Edge Account’ (i.e., Administrative) credentials,” the researchers noted.
Finally, CVE-2023-42000 is a path traversal vulnerability that may allow an unauthenticated remote attacker to upload arbitrary files to any location on the file system where the UDP agent is installed.
The vulnerabilities affect Arcserve UDP versions prior to v9.2.
Fixes are available
The flaws were unearthed by Tenable researchers and privately disclosed to Arcserve in late August 2023.
“We strongly recommend you upgrade to Arcserve UDP 9.2 as soon as possible,” the company advised. This can be done via the built-in auto-update funtionality or by downloading and deploying the 9.2 RTM build.
Arcserve has also provided manual patches for older (supported) versions of Arcserve UDP: 9.1., 8.1, and 7.0 Update 2 (these must be run individually on each node).