CVE-2023-26258 – a critical authentication bypass vulnerability – has been discovered in ArcServe UDP, and allows access to the administration interface.
Here’s what you need to know:
What is CVE-2023-26258?
CVE-2023-26258 is a high-severity security flaw in Arcserve’s Unified Data Protection (UDP) backup software. Discovered by security researchers Juan Manuel Fernandez and Sean Doherty from the MDSec ActiveBreach red team, this vulnerability allows attackers to bypass authentication and gain administrative privileges. The researchers found the critical authentication bypass within minutes of analyzing the code – it provides access to the administration interface.
Arcserve UDP is a data and ransomware protection solution designed to help customers prevent ransomware attacks, restore compromised data, and enable effective disaster recovery to ensure business continuity. The vulnerability can be exploited in versions 7.0 to 9.0 of the software, potentially leading to a critical Remote Code Execution vulnerability in ArcServe’s UDP Backup.
Does CVE-2023-26258 affect me?
If you are running Arcserve UDP versions 7.0 up to 9.0, you are potentially vulnerable. The flaw allows attackers on the local network to access the UDP admin interface by capturing SOAP requests containing AuthUUIDs to get valid administrator sessions. These sessions, in turn, can be used to decrypt admin credentials with relative ease. Once obtained, these admin credentials could allow threat actors to destroy data by wiping backups in ransomware attack.
Has CVE-2023-26258 been actively exploited in the wild?
While the vulnerability has been identified and proof-of-concept exploits have been created by the MDSec ActiveBreach red team, there are currently no public reports of this vulnerability being actively exploited in the wild. However, the researchers have shared tools that can be used to identify vulnerable Arcserve UDP instances with default configurations on local networks and exploit the authentication bypass to retrieve and decrypt credentials. This means that if an Arcserve version is not patched, it is possible to exploit the vulnerability to gain administrative access.
How to fix CVE-2023- 26258
On June 27, four months after the bug was initially discovered and reported, Arcserve released UDP 9.1 to fix the vulnerability.
However, it’s important to note that if a targeted server uses a default configuration and default MSSQL database credentials, an attacker could still potentially obtain the admin credentials, even if the server is already patched against CVE-2023-26258.
The MDSec ActiveBreach researchers also outlined a few methods by which an attacker could potentially obtain the credentials of the administrator user, either by pulling credentials from the database if the MSSQL database is still configured with the default credentials, or by using the Windows Registry if they have a domain/local user with enough privileges.
This emphasizes the importance of not only updating ArcServe UDP to the patched version but also changing any default configurations and credentials to ensure the best possible security
For environments that cannot easily upgrade, ArcServe also provided these manual patches for the following older versions of UDP:
Fix for CVE-2023-26258 – UDP 7.0 u2
Fix for CVE-2023-26258 – UDP 8.1
Fix for CVE-2023-26258 – UDP 9.0
Note: UDP 6.x and older versions are not impacted by this vulnerability.
Each new vulnerability is a reminder of where we stand, and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors:
- CVSS v4.0 – what you need to know
- Can you trust ChatGPT’s package recommendations?
- MITRE ATTACK framework – Mapping techniques to CVEs
- Exploit maturity: an introduction
- OWASP Top 10 vulnerabilities 2022: what we learned
Don’t get found out by new vulnerabilities. Vulcan Cyber gives you full visibility and oversight of your threat environment and lets you prioritize, remediate and communicate your cyber risk across your entire organization. Get a demo today.