Source: Bleeping Computer
Summary
On June 27, Arcserve patched a four-month-old critical vulnerability in Unified Data Protection (UDP), the company’s software designed to mitigate ransomware attacks, restore data, and enable faster data recovery, used by roughly 235,000 customers across 150 countries.
The vulnerability, known as CVE-2023-26258, was discovered by penetration testers hired by a client specifically to test its data backup solution, in this case Arcserve’s UDP. The flaw allows attackers on the local network to capture session cookies, obtain admin credentials that are easily decrypted, and use them to log into the administrative panel. With access to the admin panel, attackers could delete all data backups, leaving the victim with no restoration options after a successful ransomware compromise.
The pen testers also discovered that even on UDP instances patched against CVE-2023-26258, a pair of default MSSQL database credentials can still be used to obtain the admin credentials, provided the UDP instance runs with the default configuration.
A day after the patch was released, the pen testers who discovered the flaw published proof-of-concept exploits and tools to scan locally for UDP instances with default configurations, as well as to collect and decrypt admin credentials.
Analysis
The discovery of a critical flaw in software designed to prevent and mitigate ransomware attacks is a prime example of why proactive cybersecurity controls such as penetration testing matter. Had the penetration testers not been hired for this specific purpose, this vulnerability might instead have been discovered by ransomware actors seeking ways to destroy their victims’ backups and increase the likelihood of ransom payment.
However, the short period between Arcserve’s patch release and the publishing of the exploit code doesn’t leave much time for UDP users to upgrade before threat actors start incorporating this attack vector into their TTPs.
Mitigation
Field Effect’s elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for vulnerabilities discovered in software such as Arcserve UDP. This research contributes to the timely deployment of signatures into Covalence to detect and mitigate the exploitation of these vulnerabilities. Covalence users are automatically notified when vulnerable software is detected in their environment and are encouraged to review these AROs as quickly as possible.
Field Effect strongly encourages users of Arcserve UDP to ensure that their version is up to date. A complete list of security patches for all vulnerable UDP versions is available on Arcserve’s website.