Critical Flaw Exposes ArcServe Backup to Remote Code Execution


A recent adversary simulation conducted by the MDSec ActiveBreach red team uncovered a critical vulnerability in ArcServe UDP Backup software.

Tracked as CVE-2023-26258, the flaw affects versions 7.0 to 9.0 of the software and allows remote code execution (RCE), posing a significant risk to organizations relying on the software for backup infrastructure.

“The importance of ensuring the security of backup systems cannot be overstated; it should […] be perceived with equal, if not greater, significance than operational production systems which it supports,” said Michael Skelton, senior director of security operations at Bugcrowd.

According to the security expert, in the event of a security breach, these backup systems may be specifically targeted for destruction, rendering the production systems unusable.

“This compromising situation could potentially render any form of data recovery and system rebuilding unachievable,” Skelton added.

During the MDSec simulation, security analysts Juan Manuel Fernandez and Sean Doherty identified an authentication bypass flaw that allowed access to the software’s administration interface. 

By intercepting and modifying a specific HTTP request, attackers could redirect the software to contact an HTTP server under their control, granting unauthorized access.

Once inside, the red team discovered additional techniques to extract sensitive information, including the administrator password. The exploitation of the flaw and the subsequent password retrieval highlighted the critical need for a security patch.

“If your data protection solution is architected properly, your backups are ultimately protected with more than one identity source,” commented Brandon Williams, chief technology officer at Conversant Group.

“Backup strategies should ideally prevent access, but also provide immutability, redundancy, recoverability, and resilience – multiple layers of security controls.”

The MDSec team reportedly disclosed the vulnerability to ArcServe on February 2, and after a lengthy process, a patch addressing the issue was released on June 27, 2023. However, concerns were raised regarding the lack of proper credit given to the security researchers.

Users are strongly advised to update their ArcServe UDP Backup software to the latest version to mitigate the risk of exploitation.
