A recent adversary simulation conducted by the MDSec ActiveBreach Red Team discovered a critical vulnerability in the ArcServe UDP Backup software.
This flaw, tracked as CVE-2023-26258, affects versions 7.0 through 9.0 of the software and allows remote code execution (RCE), posing a significant risk to organizations relying on the software as backup infrastructure.
“The importance of securing backup systems cannot be overemphasized. […]” Bugcrowd Senior Director of Security Operations Michael Skelton said.
According to security experts, these backup systems are particularly vulnerable to disruption in the event of a security breach, which can render production systems unusable.
“This perilous situation may make any form of data recovery or system rebuild impossible,” Skelton added.
For more information on these attack scenarios, see “93% of Ransomware Attacks Target Backup Repositories.”
During MDSec simulations, security analysts Juan Manuel Fernandez and Sean Doherty identified an authentication bypass flaw that allowed access to the software’s management interface.
By intercepting and modifying certain HTTP requests, an attacker could redirect the software to connect to an attacker-controlled HTTP server, resulting in unauthorized access.
Once inside, the red team discovered additional techniques to extract sensitive information, including admin passwords. Exploitation of this flaw and subsequent password retrieval highlighted the critical need for security patches.
Brandon Williams, chief technology officer at Conversant Group, commented, “A well-designed data protection solution will ultimately protect your backups across multiple identity sources.”
“Your backup strategy should ideally not only prevent access, but also provide immutability, redundancy, recoverability and resilience – multiple layers of security controls.”
The MDSec team reportedly disclosed the ArcServe vulnerability on February 2nd, and after a lengthy process, a patch was released on June 27th, 2023 to address the issue. However, concerns have arisen that security researchers are not being given proper credit.
We strongly recommend updating your ArcServe UDP Backup software to the latest version to reduce the risk of exploitation.