Warning: Authentication bypass vulnerability on Arcserve UDP
CVE-2023-26258
Sources
Risks
Exploitation of CVE-2023-26258 allows an attacker to wipe the victim's backups, which makes it very likely that this vulnerability will be used in ransomware attacks. Although access to the local network is required, a successful attack can have a severe impact on the confidentiality, integrity and availability of a company's backup infrastructure.
Description
An authentication bypass vulnerability in Arcserve UDP Backup software, versions 7.0 up to 9.0, allows an attacker with access to the local network to gain access to the administrator interface. The attacker captures SOAP requests containing AuthUUIDs and uses them to obtain a valid administrator session; the administrator credentials obtained this way are easy to decrypt.
Researchers warn that even after the vulnerability is patched, the administrator credentials can still be retrieved if the database runs with the default configuration and the default credentials. The vulnerability, tracked as CVE-2023-26258, has not yet been assigned a CVSS 3.0 score but is estimated to be of high severity.
A proof-of-concept (PoC) is publicly available. No exploitation in the wild has been observed yet.
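The attack described above hinges on replaying a captured AuthUUID from a host other than the one that legitimately obtained it. As an added illustration (not taken from the CCB advisory, the researchers' PoC, or Arcserve), the script below shows one detection heuristic a defender can run over proxied or captured requests to the management interface: flag any AuthUUID that is presented from more than one client address. The SOAP envelope layout, the client addresses and the AuthUUID values are constructed for the example; the advisory does not give Arcserve's real message schema, so the element name and layout are assumptions.

```python
"""Flag AuthUUID replay: the same AuthUUID presented from more than one client address.

Added example, not Arcserve code. The request bodies below are constructed; the
<AuthUUID> element layout is an assumption for illustration, not Arcserve's schema.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample of captured HTTP POST bodies: (client_ip, request_body).
SAMPLE_REQUESTS: List[Tuple[str, str]] = [
    # Legitimate console client obtains and uses its session twice.
    ("10.0.0.15", "<s:Envelope><s:Body><getSession>"
                  "<AuthUUID>6f1c2d3e-4b5a-4c6d-8e9f-0a1b2c3d4e5f</AuthUUID>"
                  "</getSession></s:Body></s:Envelope>"),
    ("10.0.0.15", "<s:Envelope><s:Body><listBackups>"
                  "<AuthUUID>6f1c2d3e-4b5a-4c6d-8e9f-0a1b2c3d4e5f</AuthUUID>"
                  "</listBackups></s:Body></s:Envelope>"),
    # Second client address replays the same AuthUUID: replay indicator.
    ("10.0.0.99", "<s:Envelope><s:Body><getSession>"
                  "<AuthUUID>6F1C2D3E-4B5A-4C6D-8E9F-0A1B2C3D4E5F</AuthUUID>"
                  "</getSession></s:Body></s:Envelope>"),
    # Unrelated session used from a single host only.
    ("10.0.0.20", "<s:Envelope><s:Body><getSession>"
                  "<AuthUUID>0b9e8d7c-6a5f-4e3d-9c2b-1a0f9e8d7c6b</AuthUUID>"
                  "</getSession></s:Body></s:Envelope>"),
    # Request carrying no AuthUUID at all (e.g. a login request).
    ("10.0.0.20", "<s:Envelope><s:Body><login><user>admin</user></login>"
                  "</s:Body></s:Envelope>"),
]

# Matches the AuthUUID element; the value is normalised to lower case so that
# case differences (as in the replayed request above) do not hide the reuse.
AUTHUUID_RE = re.compile(r"<AuthUUID>\s*([0-9A-Fa-f-]{8,})\s*</AuthUUID>")


def extract_authuuid(body: str) -> Optional[str]:
    """Return the AuthUUID carried in a SOAP body, or None if there is none."""
    match = AUTHUUID_RE.search(body)
    return match.group(1).lower() if match else None


def find_replayed_authuuids(
    requests: List[Tuple[str, str]],
) -> Dict[str, List[str]]:
    """Map each AuthUUID seen from more than one client address to those addresses.

    A session identifier that moves between hosts is the signature of the
    capture-and-replay described in the advisory; a single-host session is
    normal and is not reported.
    """
    clients_by_uuid: Dict[str, set] = defaultdict(set)
    for client_ip, body in requests:
        uuid = extract_authuuid(body)
        if uuid is not None:
            clients_by_uuid[uuid].add(client_ip)
    return {
        uuid: sorted(ips) for uuid, ips in clients_by_uuid.items() if len(ips) > 1
    }


if __name__ == "__main__":
    for uuid, ips in find_replayed_authuuids(SAMPLE_REQUESTS).items():
        print(f"ALERT: AuthUUID {uuid} presented from {', '.join(ips)}")
```

The heuristic is deliberately narrow: it only reports a session identifier seen from two or more addresses, so NAT or a legitimately roaming administrator can cause false positives and should be allow-listed, while a replay that happens from the same address as the victim (for example after a host compromise) will not be caught by it.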
Recommended Actions
The Centre for Cybersecurity Belgium strongly recommends that system administrators take the following actions:
- Patch your systems after thorough testing, following the vendor's instructions.
- Make sure your database is not running with the default configuration and does not use the default credentials.