CVE-2023-41998, CVE-2023-41999, and CVE-2023-42000: Multiple Arcserve UDP Vulnerabilities Patched


On 23 November 2023, Arcserve released Arcserve Unified Data Protection (UDP) 9.2 to address three vulnerabilities, including a critical-severity remote code execution (RCE) vulnerability. Subsequently, on 27 November 2023, Tenable published public Proof of Concepts (PoCs) for these vulnerabilities, as Tenable had initially disclosed them to Arcserve in August 2023.

The critical vulnerability (CVE-2023-41998) was assigned a CVSS score of 9.8 and can allow an unauthenticated remote threat actor to upload and execute malicious files via the downloadAndInstallPatch() routine on vulnerable devices. Additionally, the two other vulnerabilities (CVE-2023-41999 and CVE-2023-42000), of high and medium severity respectively, can allow a threat actor to perform authentication bypass and path traversal.

While there have been no observed instances of active exploitation of these vulnerabilities in the wild, we assess that threat actors are likely to begin exploiting the critical vulnerability in the near term due to the publicly accessible PoC and ease of exploitation. Additionally, an Arcserve UDP directory traversal vulnerability was added to CISA’s Known Exploited Vulnerabilities Catalog last year.

Recommendation for CVE-2023-41998, CVE-2023-41999, and CVE-2023-42000

Upgrade Arcserve UDP to Fixed Version

Arctic Wolf strongly recommends upgrading Arcserve UDP to the latest fixed version.  

| Vulnerable Versions | Fixed Version |
| --- | --- |
| Arcserve UDP prior to 9.2 | Arcserve UDP 9.2 |

Furthermore, manual patches for older versions of Arcserve UDP are also available for environments that cannot easily upgrade. 

| Version | Fix |
| --- | --- |
| Arcserve UDP 9.1 | P00002967 |
| Arcserve UDP 8.1 | P00002968 |
| Arcserve UDP 7.0 Update 2 | P00002983 |

Please follow your organisation's patching and testing guidelines to avoid operational impact.
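The two tables above give everything needed to triage an inventory of Arcserve UDP installs: anything at 9.2 or later is fixed, and an older install is covered only if the manual patch listed for that exact version has been applied. The following is an added example (not Arctic Wolf or Arcserve code) that encodes that decision; the sample inventory records, hostnames and the way you obtain each host's version label and applied patch IDs (CMDB export, endpoint agent, manual survey) are assumptions.

```python
"""Triage Arcserve UDP installs against the fixed version and manual patch IDs
listed in the advisory. Added example; inventory data is constructed."""
import re

# Fixed version from the advisory: Arcserve UDP 9.2.
FIXED_VERSION = (9, 2)

# Manual patch IDs from the advisory, keyed by the exact version label they apply to.
MANUAL_PATCHES = {
    "9.1": "P00002967",
    "8.1": "P00002968",
    "7.0 Update 2": "P00002983",
}


def parse_version(label):
    """Return (major, minor) from labels such as '9.2', '9.1' or '7.0 Update 2'."""
    m = re.match(r"^\s*(\d+)\.(\d+)", label)
    if not m:
        raise ValueError(f"unrecognised Arcserve UDP version label: {label!r}")
    return int(m.group(1)), int(m.group(2))


def assess(version_label, applied_patches):
    """Classify one install as 'fixed' (9.2 or later), 'patched' (manual fix
    for that exact version applied), 'vulnerable', or 'unknown' (unparseable).
    Anything we cannot parse is reported separately so it is not silently skipped."""
    try:
        version = parse_version(version_label)
    except ValueError:
        return "unknown"
    if version >= FIXED_VERSION:
        return "fixed"
    # A patch only counts for the version it was built for; the advisory lists
    # no fix for other 7.x/8.x update levels, so they stay 'vulnerable'.
    needed = MANUAL_PATCHES.get(version_label.strip())
    if needed and needed in applied_patches:
        return "patched"
    return "vulnerable"


def triage(inventory):
    """Return {hostname: status} for (hostname, version_label, patch_ids) records."""
    return {host: assess(ver, set(patches)) for host, ver, patches in inventory}


# Constructed sample inventory; hostnames and data are made up for illustration.
SAMPLE_INVENTORY = [
    ("udp-console-01", "9.2", []),
    ("udp-console-02", "9.1", ["P00002967"]),
    ("udp-console-03", "9.1", []),
    ("udp-legacy-01", "7.0 Update 2", ["P00002983"]),
    ("udp-legacy-02", "7.0 Update 1", ["P00002983"]),  # patch is for Update 2 only
    ("udp-unknown-01", "n/a", []),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:16} {status}")
```

Hosts reported as "vulnerable" or "unknown" are the ones to schedule for the 9.2 upgrade (or the version-specific manual patch) under your change-control process.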

References 

  1. Tenable PoCs 
  2. Arcserve UDP 9.2 release notes 
  3. Arcserve article 
  4. Arcserve UDP 9.2 download 
  5. Arcserve UDP 9.1 fix 
  6. Arcserve UDP 8.1 fix 
  7. Arcserve UDP 7.0 Update 2 fix  
Andres Ramos

Andres Ramos is a Threat Intelligence Researcher at Arctic Wolf with a strong background in tracking emerging threats and producing actionable intelligence for both technical and non-technical stakeholders. He has a diverse background encompassing various domains of cyber security and holds a bachelor’s degree in Cybersecurity Engineering.