Arcserve has recently released a security update to resolve a severe authentication bypass vulnerability, tracked as CVE-2023-26258, in its Arcserve UDP backup software.
Arcserve UDP is a data protection solution created to assist customers in safeguarding against ransomware attacks, recovering compromised data, and ensuring uninterrupted business operations.
An unauthenticated remote attacker could exploit this authentication bypass vulnerability to gain administrative privileges on the affected system.
On June 27, Arcserve released UDP 9.1, an update aimed at addressing the vulnerability CVE-2023-26258, which was identified and reported four months prior by security researchers Juan Manuel Fernandez and Sean Doherty from MDSec’s ActiveBreach.
With administrative credentials, attackers can erase target data by deleting backups during ransomware attacks.
Furthermore, researchers from MDSec ActiveBreach noted that default MSSQL database credentials can be leveraged to acquire administrative credentials, even on a server that has been patched for CVE-2023-26258, if it is still using the default configuration.
MDSec also provided proof-of-concept exploits and tools that facilitate the scanning of local networks for Arcserve UDP instances with default configurations. Additionally, by exploiting the authentication bypass present in the management interface, these tools can retrieve and decrypt credentials.
Affected organisations are encouraged to review the Arcserve UDP Security Fix update – CVE-2023-26258 advisory and apply any relevant updates.