[LINK] itN: 'Critical vulnerability discovered in Arcserve backup software'

Roger Clarke Roger.Clarke at xamax.com.au
Tue Jul 4 12:41:00 AEST 2023


Critical vulnerability discovered in Arcserve backup software
Admin access leads to RCE.
Richard Chirgwin
itNews
Jul 4 2023
https://www.itnews.com.au/news/critical-vulnerability-discovered-in-arcserve-backup-software-597573

Arcserve has patched a critical authentication bypass in its Unified 
Data Protection product that gave attackers control over the software’s 
web administration interface, and led to a remote code execution (RCE) 
attack.  [The vulnerability] affects UDP between version 7.0 and 9.0
...
[White-hat hackers] disclosed their findings to Arcserve on February 9, 
and the company posted its patch on June 27.
Arcserve said all UDP Windows agents and Recovery Point Servers need to 
be upgraded to 9.1, manually or via an automatic update.


[ Ouch.  And that's the *good* news.  The bad news is the vulnerability 
existed for quite some time, and may have been exploited. ]


[ There are >10,000 customers of UDP, over 200 of them in Oz:
https://enlyft.com/tech/products/arcserve-udp ]


-- 
Roger Clarke                            mailto:Roger.Clarke at xamax.com.au
T: +61 2 6288 6916   http://www.xamax.com.au  http://www.rogerclarke.com

Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA 

Visiting Professor in the Faculty of Law            University of N.S.W.
Visiting Professor in Computer Science    Australian National University

