A critical vulnerability has been discovered in ArcServe Unified Data Protection (UDP) versions 7.0 to 9.0 that can be exploited to bypass authentication on the system. ArcServe UDP is data protection software used for ransomware protection through attack neutralisation, data restoration, and disaster recovery. This authentication bypass vulnerability could result in attackers obtaining admin privileges, which would give them full control and access over their victim’s ransomware protection system. Attackers could use these admin privileges to compromise or delete data backups and prevent their victims from being able to restore their data in the event of a ransomware attack.  

This vulnerability tracked as CVE-2023-26258 was first identified and reported privately by security researchers in MDSec’s ActiveBreach red team in February, and has now been patched by ArcServe four months later in version 9.1, as detailed in their security update support article. Attackers can exploit this vulnerability though HTTP requests to access an administrator session to the WebService, the web interface used for administrator tasks. This flaw allows for remote code execution on the vulnerable system that can result in authentication bypass through use of a proxy client that is in contact with a HTTP server controlled by the attackers, which can be manipulated into providing a cookie for an administrator session. 

A detailed proof of concept exploit has been released by the researchers at MDSec, so applying the patch to this vulnerability should be prioritised by users and administrators. This patch can be applied by updating to ArcServe UDP 9.1 through automatic updates, or deploying the 9.1 RTM build. Manual updates are also available for some older versions, as detailed in the security update article from ArcServe. ArcServe advise that all Windows and RPS users need to upgrade their vulnerable UDP versions to the newest release, which can be performed through the UDP Console Actions menu, however users of the ArcServe UDP Linux Agent do not need to apply any updates as the Linux version is not vulnerable to this flaw. Windows users are warned that updates will need to be applied individually to each Windows node when using manual updates.