Critical vulnerability discovered in Arcserve backup software
Admin access leads to RCE.
Richard Chirgwin
itNews
Jul 4 2023
https://www.itnews.com.au/news/critical-vulnerability-discovered-in-arcserve-backup-software-597573

Arcserve has patched a critical authentication bypass in its Unified Data Protection product that gave attackers control over the software’s web administration interface, and led to a remote code execution (RCE) attack. [The vulnerability] affects UDP between versions 7.0 and 9.0.
...
[White-hat hackers] disclosed their findings to Arcserve on February 9, and the company posted its patch on June 27. Arcserve said all UDP Windows agents and Recovery Point Servers need to be upgraded to 9.1, manually or via an automatic update.


[ Ouch. And that's the *good* news. The bad news is the vulnerability existed for quite some time, and may have been exploited.


[ There are >10,000 customers of UDP, over 200 of them in Oz:
https://enlyft.com/tech/products/arcserve-udp


--
Roger Clarke                            mailto:[email protected]
T: +61 2 6288 6916   http://www.xamax.com.au  http://www.rogerclarke.com

Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Visiting Professor in the Faculty of Law            University of N.S.W.
Visiting Professor in Computer Science    Australian National University
_______________________________________________
Link mailing list
[email protected]
https://mailman.anu.edu.au/mailman/listinfo/link
