
WARNING: THREE VULNERABILITIES IN ARCSERVE UDP SOFTWARE DEMAND URGENT ACTION, PATCH IMMEDIATELY!

Reference:
Advisory #2024-43
Version: 
1.0
Affected software:
Arcserve UDP versions 9.2 and 8.1
Type: 
authentication bypass, path traversal and denial of service
CVE/CVSS: 

CVE-2024-0799
CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVE-2024-0800
CVSS 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVE-2024-0801
CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Risks

Three critical and high-severity vulnerabilities, CVE-2024-0799, CVE-2024-0800 and CVE-2024-0801, affecting Arcserve UDP, a backup and disaster recovery solution, have been disclosed.

Exploitation of these vulnerabilities could allow an unauthenticated attacker to bypass authentication, an authenticated attacker to upload malicious files to arbitrary locations, or an unauthenticated attacker to crash critical backup systems.

A compromise of Arcserve UDP software could result in:

  • Data exfiltration: threat actors could gain access to sensitive backups of corporate information.
  • Ransomware deployment: the flaws permit malicious files to be uploaded to the backup server and used to launch crippling ransomware attacks.
  • Disrupted recovery: a denial-of-service attack on backup systems could impede an organisation's ability to restore data in the event of a cyber incident.

There is no information yet of these vulnerabilities being exploited in the wild by threat actors, but a proof of concept (PoC) has been released, which increases the risk of future exploitation.

Description

CVE-2024-0799 is a critical authentication bypass vulnerability that allows a remote, unauthenticated attacker to bypass login protection entirely and gain unrestricted access to the management functions of the Arcserve UDP console.

CVE-2024-0800 is a path traversal vulnerability that allows an authenticated attacker to upload arbitrary files to any location on the system hosting the Arcserve UDP console.

This could lead to the deployment of malware or further system compromise. It is particularly dangerous because the upload is performed with SYSTEM privileges, so the attacker is not limited by file system permissions on the host.

It is worth noting that CVE-2024-0799 and CVE-2024-0800 can be chained with devastating consequences: the authentication bypass supplies the authenticated access that the path traversal requires, giving a remote, unauthenticated attacker an arbitrary file write as SYSTEM on the backup server.

CVE-2024-0801 is a denial of service vulnerability. While less directly exploitable than the other two, it still poses a risk: an unauthenticated attacker can crash Arcserve UDP simply by sending crafted login requests.

The affected versions are Arcserve UDP 9.2 and 8.1.

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing the updates on vulnerable systems with the highest priority, after thorough testing.

Arcserve customers should urgently download and install the relevant patches from the official Arcserve support portal.

  • For Arcserve UDP 8.1, Patch P00003059 can be found here:

https://support.arcserve.com/s/article/P00003059

  • For Arcserve UDP 9.2, Patch P00003050 can be found here:

https://support.arcserve.com/s/article/P00003050

Monitor/Detect

The CCB recommends that organisations increase their monitoring and detection capabilities to identify related suspicious activity, ensuring a swift response in case of an intrusion.
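One way to act on this recommendation, as an added example that is not part of the CCB advisory or of Arcserve's own tooling: the Python script below runs two checks over web-server access logs written in front of the UDP console. It flags requests whose decoded target contains a traversal sequence (the trace a path-traversal upload would leave, including double-encoded forms), and it flags sources that send an unusual burst of login requests (the kind of traffic a crafted-login-request crash attempt would generate). The combined-style log format, the `/login` endpoint name, the thresholds and the sample lines are assumptions constructed for this example; they are not documented Arcserve paths or real logs, and the values must be adapted to the real log source.

```python
"""Constructed detection example: flag path-traversal upload attempts and
bursts of login requests in web access logs in front of a backup console.
Added illustration, not CCB or Arcserve code; the log format, endpoint
names and sample lines below are assumptions made for the example."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Assumption: combined-style access log (client ip, timestamp, request line, status).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
LOGIN_PATH = "/login"  # placeholder endpoint name, not a documented Arcserve path
# "../", "..\" or a trailing ".." after decoding; "a..b" in a file name does not match.
TRAVERSAL_RE = re.compile(r"\.\.(?:[/\\]|$)")

# Constructed sample lines (RFC 5737 documentation addresses), not real logs.
SAMPLE_LOG = "\n".join(
    [
        '10.0.0.5 - - [10/Mar/2024:12:00:03 +0000] "POST /login HTTP/1.1" 200 512',
        '10.0.0.5 - - [10/Mar/2024:12:00:04 +0000] "GET /console/dashboard HTTP/1.1" 200 2048',
        '203.0.113.9 - - [10/Mar/2024:12:01:00 +0000] "PUT /upload?name=..%2F..%2Fwindows%2Ftemp%2Fx.exe HTTP/1.1" 200 0',
        '203.0.113.9 - - [10/Mar/2024:12:01:02 +0000] "POST /upload?name=%252e%252e%2F%252e%252e%2Fevil.dll HTTP/1.1" 200 0',
        '10.0.0.5 - - [10/Mar/2024:12:01:05 +0000] "POST /upload?name=report..2024.txt HTTP/1.1" 200 0',
    ]
    # 15 login requests in 15 seconds from one source: the shape of a crash attempt
    + [
        f'198.51.100.7 - - [10/Mar/2024:12:00:{s:02d} +0000] "POST /login HTTP/1.1" 401 0'
        for s in range(15)
    ]
)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def fully_decode(s, rounds=3):
    """Undo repeated percent-encoding (e.g. %252e%252e -> %2e%2e -> ..)."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def traversal_attempts(records):
    """Return (ip, raw target) for every request whose decoded target contains '..'
    followed by a path separator, i.e. a directory traversal attempt."""
    return [
        (r["ip"], r["target"])
        for r in records
        if TRAVERSAL_RE.search(fully_decode(r["target"]))
    ]


def login_floods(records, window_seconds=10, threshold=10):
    """Return {ip: peak number of LOGIN_PATH requests within any window_seconds
    window} for sources that reach the threshold (sliding-window count)."""
    per_ip = defaultdict(list)
    for r in records:
        if r["target"].split("?", 1)[0] == LOGIN_PATH:
            per_ip[r["ip"]].append(r["ts"])
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def analyse(log_text):
    """Run both checks over raw log text and return the findings."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    return {"traversal": traversal_attempts(records), "login_floods": login_floods(records)}


if __name__ == "__main__":
    for kind, findings in analyse(SAMPLE_LOG).items():
        print(kind, findings)
```

On the constructed sample the script reports the two traversal uploads from 203.0.113.9 (the benign `report..2024.txt` upload is not flagged) and the burst of login requests from 198.51.100.7. Double decoding matters: a single `unquote` would leave `%2e%2e` in place and miss the second upload. In production the window and threshold should be tuned against the console's normal login rate, and a hit on either check should trigger a review of the host, not just of the request.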

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
 
While patching appliances or software to the newest version protects against future exploitation, it does not remediate a compromise that has already taken place. Systems that were exposed before the patch was applied should therefore be checked for signs of intrusion.
