CVE-2023-26258: Unauthenticated RCE Vulnerability in Arcserve Unified Data Protection


On June 27th 2023, Arcserve published an advisory for a critical unauthenticated remote code execution (RCE) vulnerability affecting Arcserve Unified Data Protection (UDP) for Windows. Arcserve UDP is a centralized backup and disaster recovery solution.

By exploiting this vulnerability, a threat actor could run code on the UDP server without authenticating, and from there gain access to the backup data it holds, install malware, or use the compromised host as a foothold for further attacks on the network.

At the time of writing, Arctic Wolf is not aware of active exploitation of this vulnerability. However, the security researchers who disclosed the vulnerability published a detailed blog post and a proof-of-concept (PoC) exploit on June 27th, 2023. We assess that threat actors will likely begin exploiting this vulnerability in the near term, given the publicly available PoC and the ease of exploitation. We therefore strongly recommend applying the relevant security patch to impacted devices to prevent potential exploitation.

Arcserve recommends that all users running a version of UDP between 7.0 and 9.0 upgrade to version 9.1. Additionally, if an upgrade to 9.1 is not feasible, Arcserve provides patches that can be manually applied to each affected major version.

Affected Products

Affected Versions (Windows only)            | Upgrade (if possible)      | Manual patch (if unable to upgrade to 9.1)
UDP 7.0, UDP 7.0 Update 1, UDP 7.0 Update 2 | Upgrade to 9.1 if possible | Manual patch for 7.x
UDP 8.0, UDP 8.1                            | Upgrade to 9.1 if possible | Manual patch for 8.x
UDP 9.0                                     | Upgrade to 9.1 if possible | Manual patch for 9.x


Recommendations

Recommendation #1: Upgrade to the latest version of Arcserve UDP

If you are using Arcserve UDP (Windows only) in your environment, download and install version 9.1 from Arcserve’s website, as detailed in their advisory.

Please follow your organization's patching and testing guidelines to avoid any operational impact.

Recommendation #2: If unable to upgrade to 9.1, manually apply the applicable patch for Arcserve UDP

If you are unable to upgrade to 9.1, apply one of the manual patches listed on the advisory for the major version running in your environment.
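To find out which hosts still need the upgrade or manual patch, the following PowerShell inventories the installed Arcserve UDP version on a Windows host and compares it against the fixed version, 9.1. This is an added example, not code from the Arcserve advisory or from Arctic Wolf. It assumes UDP registers itself under the standard Windows Uninstall registry keys with a DisplayName containing "Arcserve" and "Unified Data Protection"; that match pattern is an assumption and may need adjusting for your installation.

```powershell
# Added example (not from the Arcserve advisory or Arctic Wolf).
# Assumption: the UDP console/agent appears under the standard Uninstall registry keys
# with a DisplayName that contains both "Arcserve" and "Unified Data Protection".
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$fixedVersion = [version]'9.1'   # first release that is not affected, per the advisory

$found = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Arcserve*' -and $_.DisplayName -like '*Unified Data Protection*' }

if (-not $found) {
    Write-Output "No Arcserve UDP installation found in the Uninstall registry keys on $env:COMPUTERNAME."
    return
}

foreach ($app in $found) {
    # DisplayVersion is free-form text; only trust it if it parses as a System.Version.
    $parsed = $null
    if ([version]::TryParse($app.DisplayVersion, [ref]$parsed) -and $parsed -ge $fixedVersion) {
        $status = 'Not affected (9.1 or later)'
    } elseif ($parsed) {
        # 7.0 through 9.0 are affected: upgrade to 9.1 or apply the manual patch for this major version.
        $status = "AFFECTED: on major version $($parsed.Major).x; upgrade to 9.1 or apply the $($parsed.Major).x manual patch"
    } else {
        $status = "Version '$($app.DisplayVersion)' could not be parsed; verify manually"
    }
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Product  = $app.DisplayName
        Version  = $app.DisplayVersion
        Status   = $status
    }
}
```

Run it locally on each UDP console and agent host, or wrap it in Invoke-Command for a fleet. Note that the script only reports the product version: applying one of the manual patches does not necessarily change DisplayVersion, so hosts that were patched in place on 7.x, 8.x or 9.0 will still be listed as affected and must be reconciled against your patch records.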


Recommendation #3: Block inbound traffic to Arcserve UDP

According to the Arcserve UDP documentation, TCP ports 8014 and 8015 are sometimes forwarded on WAN interfaces to Arcserve UDP servers running behind a NAT. This scenario is typically configured for replication between UDP servers over the internet, and it is exactly what exposes the vulnerable service to unauthenticated attackers.

To reduce the likelihood of exploitation, consider temporarily blocking inbound traffic to these ports on Arcserve UDP servers from any source other than known replication peers, and removing the perimeter port forward, until you are able to upgrade to the latest version of Arcserve UDP.
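The following PowerShell applies that restriction on the UDP server itself using Windows Defender Firewall. It is an added example, not from the Arcserve advisory or Arctic Wolf. It assumes Windows Defender Firewall is enforcing on the host, that TCP 8014 and 8015 are the ports in question, and that the peer address listed is a placeholder to be replaced with your real replication peers (or left empty to block the ports outright).

```powershell
# Added example (not from the Arcserve advisory or Arctic Wolf).
# Assumptions: Windows Defender Firewall is enforcing on this UDP host; 203.0.113.10 is a placeholder
# replication peer. Set $TrustedPeers to @() to block the console ports entirely until patched.
$TrustedPeers = @('203.0.113.10')      # assumption: replace with real peer IPs/CIDRs, or @()
$Ports        = @('8014', '8015')

# Existing, enabled inbound allow rules that open either console port
# (the installer or an administrator typically created these).
# Note: rules written as a port range (e.g. "8000-8100") are not matched by this exact-port check.
$allowRules = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and ($_.LocalPort | Where-Object { $Ports -contains $_ }) } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' }

if ($TrustedPeers.Count -eq 0) {
    # Block rules take precedence over allow rules in Windows Defender Firewall,
    # so a single block rule closes the ports regardless of what allow rules exist.
    New-NetFirewallRule -DisplayName 'Block Arcserve UDP console ports (CVE-2023-26258)' `
        -Direction Inbound -Protocol TCP -LocalPort $Ports -Action Block -Profile Any | Out-Null
    Write-Output "Inbound TCP $($Ports -join ',') is now blocked from all sources."
} elseif ($allowRules) {
    # Keep replication working: narrow the existing allow rules to the trusted peers instead of
    # adding a block rule, which would also cut off the peers.
    $allowRules | Set-NetFirewallRule -RemoteAddress $TrustedPeers
    $allowRules | ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Enabled       = $_.Enabled
            RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',')
        }
    }
} else {
    Write-Warning "No inbound allow rule for TCP $($Ports -join ',') was found; check for range-based rules or rules on the perimeter device."
}
```

The host firewall is only half of the change: the WAN port forward on the NAT device described in the documentation must also be removed or restricted to the same peers, otherwise the service remains reachable from the internet up to the point where the host rule drops it.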

Recommendation #4: Reset Arcserve UDP administrative credentials

As described in the research published about this RCE vulnerability (CVE-2023-26258), it may be possible for a threat actor to obtain information about administrative credentials from the registry. Additionally, if default credentials are used for the MSSQL database instance or for the application itself, threat actors may be able to gain additional privileges.

Once the upgrade to a patched version of Arcserve UDP is complete, consider resetting the associated administrative credentials for the application. In the Arcserve UDP documentation, instructions are provided describing how to update these administrative credentials.

This step is especially important if default credentials are used, since the proof-of-concept exploit is capable of scanning for default credentials, and threat actors are expected to do the same.

Note: Please review the vendor’s provided documentation around credential changes, and evaluate the potential operational impact of this change in your environment. If you have any questions about potential operational impact of this change, please contact Arcserve for support.


James Liolios

James Liolios is a Senior Threat Intelligence Researcher at Arctic Wolf, where he keeps a watchful eye on the latest threats and threat actors to understand the potential impact to Arctic Wolf customers. He has a background of 9 years' experience in many areas of cybersecurity, holds a bachelor's degree in Information Security, and is also CISSP certified.