CVE-2023-26258
📋 TL;DR
Arcserve UDP backup software through version 9.0.6034 has an authentication bypass vulnerability where the getVersionInfo endpoint leaks an AuthUUID token. Attackers can use this token to obtain administrative sessions and execute arbitrary tasks. All Arcserve UDP installations up to 9.0.6034 are affected.
💻 Affected Systems
- Arcserve UDP
📦 What is this software?
Arcserve UDP (Unified Data Protection), backup and recovery software by Arcserve.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary code, access backup data, modify backup configurations, and potentially pivot to other systems.
Likely Case
Unauthorized administrative access leading to data theft, backup manipulation, and potential ransomware deployment.
If Mitigated
Limited impact if network segmentation prevents external access and proper monitoring detects unusual administrative activity.
🎯 Exploit Status
Exploitation requires only HTTP requests and has been publicly demonstrated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.0.6034_HF1 or later
Vendor Advisory: https://support.arcserve.com/s/article/KB000015720
Restart Required: Yes
Instructions:
1. Download the hotfix from the Arcserve support portal.
2. Stop Arcserve UDP services.
3. Apply the hotfix.
4. Restart services.
5. Verify the version is 9.0.6034_HF1 or later.
🔧 Temporary Workarounds
Network Segmentation
Restrict access to the Arcserve UDP web interface to trusted IPs only.
Configure firewall rules to block external access to TCP ports 8014, 8015, and 19000.
Web Application Firewall
Block requests to vulnerable endpoints.
Add WAF rules to block requests to /WebServiceImpl/services/FlashServiceImpl and /WebServiceImpl/services/VirtualStandbyServiceImpl.
🧯 If You Can't Patch
- Isolate Arcserve UDP server from internet and restrict internal network access
- Implement strict monitoring for unusual administrative activity and failed authentication attempts
🔍 How to Verify
Check if Vulnerable:
Check if version is 9.0.6034 or earlier by accessing the web interface or checking installed version in Windows Programs.
Check Version:
Check Arcserve UDP version in Windows Control Panel > Programs and Features or via web interface login page.
Verify Fix Applied:
Verify version is 9.0.6034_HF1 or later and test that AuthUUID token is no longer exposed via getVersionInfo endpoint.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authentication attempts followed by successful administrative access
- Unusual administrative tasks executed from unexpected IP addresses
Network Indicators:
- HTTP requests to /WebServiceImpl/services/FlashServiceImpl?method=getVersionInfo followed by requests to VirtualStandbyServiceImpl
SIEM Query:
source="arcserve_udp" AND (uri="/WebServiceImpl/services/FlashServiceImpl" OR uri="/WebServiceImpl/services/VirtualStandbyServiceImpl")
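Detection logic for the request sequence listed under Network Indicators, added here as an example and not part of the original advisory: it parses constructed access-log lines (timestamp, client IP, method, path, status; the format and all IPs are assumed) and flags clients whose getVersionInfo call is followed within a short window by a VirtualStandbyServiceImpl request.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access-log lines; the format and addresses are assumptions,
# not taken from a real Arcserve UDP deployment.
SAMPLE_LOG = """\
2023-07-01T10:00:01Z 203.0.113.7 GET /WebServiceImpl/services/FlashServiceImpl?method=getVersionInfo 200
2023-07-01T10:00:03Z 203.0.113.7 POST /WebServiceImpl/services/VirtualStandbyServiceImpl 200
2023-07-01T10:05:00Z 10.0.0.5 GET /WebServiceImpl/services/FlashServiceImpl?method=getVersionInfo 200
2023-07-01T12:30:00Z 10.0.0.5 POST /WebServiceImpl/services/VirtualStandbyServiceImpl 200
2023-07-01T11:00:00Z 192.0.2.9 POST /WebServiceImpl/services/VirtualStandbyServiceImpl 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
VERSION_INFO = "/WebServiceImpl/services/FlashServiceImpl?method=getVersionInfo"
VSB_PATH = "/WebServiceImpl/services/VirtualStandbyServiceImpl"


def parse(log_text):
    """Yield (timestamp, client_ip, path) for each well-formed line in the assumed format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected layout
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(4)


def find_token_reuse(log_text, window_minutes=10):
    """Return client IPs whose getVersionInfo request (the AuthUUID leak) is followed
    within window_minutes by a VirtualStandbyServiceImpl request (task execution)."""
    window = timedelta(minutes=window_minutes)
    last_version_call = {}  # client IP -> time of its most recent getVersionInfo call
    flagged = set()
    for ts, ip, path in sorted(parse(log_text)):  # process in timestamp order
        if path == VERSION_INFO:
            last_version_call[ip] = ts
        elif path.startswith(VSB_PATH):
            seen = last_version_call.get(ip)
            if seen is not None and ts - seen <= window:
                flagged.add(ip)
    return sorted(flagged)


if __name__ == "__main__":
    for ip in find_token_reuse(SAMPLE_LOG):
        print("possible CVE-2023-26258 exploitation sequence from", ip)
```

Tune the window to your environment and exclude the trusted management addresses from the Network Segmentation workaround, since an ordinary administrator working from those hosts may produce the same two requests.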
🔗 References
- https://support.arcserve.com/s/article/KB000015720?language=en_US
- https://www.arcserve.com/products/arcserve-udp
- https://www.mdsec.co.uk/2023/06/cve-2023-26258-remote-code-execution-in-arcserve-udp-backup/