On November 23, 2023, Arcserve released Arcserve Unified Data Protection (UDP) 9.2 to address three vulnerabilities, including a critical-severity remote code execution (RCE) vulnerability. Subsequently, on November 27, 2023, Tenable published public Proof of Concepts (PoCs) for these vulnerabilities, as they were the ones who initially disclosed these vulnerabilities to Arcserve back in August 2023.
The critical vulnerability (CVE-2023-41998) was rated with a CVSS of 9.8, and can allow an unauthenticated remote threat actor to upload and execute malicious files via the downloadAndInstallPatch() routine on vulnerable devices. Additionally, the two other vulnerabilities (CVE-2023-41999 & CVE-2023-42000) of high and medium severity can allow a threat actor to perform authentication bypass and path traversal, respectively.
While no active exploitation of these vulnerabilities has been observed in the wild, we assess threat actors are likely to begin exploiting this vulnerability in the near term due to the publicly accessible PoC and ease of exploitation. Additionally, an Arcserve UDP directory traversal vulnerability was added to CISA’s Known Exploited Vulnerabilities Catalog last year.
Recommendation for CVE-2023-41998, CVE-2023-41999, and CVE-2023-42000
Upgrade Arcserve UDP to Fixed Version
Arctic Wolf strongly recommends upgrading Arcserve UDP to the latest fixed version.
| Vulnerable Versions | Fixed Version |
| --- | --- |
| Arcserve UDP prior to 9.2 | Arcserve UDP 9.2 |
Furthermore, manual patches for older versions of Arcserve UDP are also available for environments that cannot easily upgrade.
| Version | Fix |
| --- | --- |
| Arcserve UDP 9.1 | P00002967 |
| Arcserve UDP 8.1 | P00002968 |
| Arcserve 7.0 Update 2 | P00002983 |
Please follow your organization's patching and testing guidelines to avoid operational impact.