CVE-2023-42000

9.8 CRITICAL

📋 TL;DR

Arcserve UDP versions before 9.2 contain a path traversal vulnerability in the FileHandlingServlet that allows unauthenticated remote attackers to upload arbitrary files to any location on the file system where the UDP agent is installed. This affects all systems running vulnerable Arcserve UDP versions with the agent exposed to network access.

💻 Affected Systems

Products:
  • Arcserve Unified Data Protection
Versions: All versions prior to 9.2
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects both Windows and Linux installations. The UDP agent must be network-accessible for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise via remote code execution by uploading malicious files to critical system directories, potentially leading to ransomware deployment, data theft, or persistent backdoors.

🟠 Likely Case

Attackers upload web shells or malware to gain initial foothold, then escalate privileges to compromise the backup server and potentially connected systems.

🟢 If Mitigated

Limited impact if network segmentation prevents external access, but internal attackers could still exploit to compromise the backup system.

🌐 Internet-Facing: HIGH - Unauthenticated remote exploitation allows attackers on the internet to directly compromise exposed systems.
🏢 Internal Only: HIGH - Even internally, unauthenticated access means any compromised internal system or malicious insider can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Tenable published technical details and a proof-of-concept. The vulnerability requires no authentication and has a simple exploitation path.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.2 or later

Vendor Advisory: https://support.arcserve.com/s/article/000021333

Restart Required: Yes

Instructions:

1. Download Arcserve UDP 9.2 or later from the official portal.
2. Back up the current configuration.
3. Run the installer with administrative privileges.
4. Restart services after installation completes.

🔧 Temporary Workarounds

Network Segmentation

all

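Restrict network access to the UDP agent port (8014/TCP by default) to only trusted management systems. As written, the commands below block all inbound connections to the port, including those from management systems; to keep trusted access, allow those hosts explicitly ahead of the Linux DROP rule and narrow the Windows rule's remoteip to untrusted ranges.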

Windows: netsh advfirewall firewall add rule name="Block UDP Agent" dir=in action=block protocol=TCP localport=8014 remoteip=any
Linux: iptables -A INPUT -p tcp --dport 8014 -j DROP

Web Application Firewall

all

Deploy WAF with path traversal protection rules to block malicious upload requests.

🧯 If You Can't Patch

  • Implement strict network access controls to limit which systems can communicate with UDP agent ports
  • Deploy file integrity monitoring on critical system directories to detect unauthorized file uploads

🔍 How to Verify

Check if Vulnerable:

Check Arcserve UDP version via web console or installation directory. Versions below 9.2 are vulnerable.

Check Version:

Windows: reg query "HKLM\SOFTWARE\Arcserve\Unified Data Protection" /v Version
Linux: cat /opt/arcserve/udp/version.txt

Verify Fix Applied:

Verify version is 9.2 or higher and test that path traversal attempts to upload files outside permitted directories are blocked.

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to /UDPAgent/FileHandlingServlet with ../ sequences in parameters
  • File creation events in system directories from Arcserve process
  • Unusual file upload patterns to UDP agent

Network Indicators:

  • HTTP traffic to UDP agent port (8014) containing path traversal sequences
  • Multiple file upload attempts from single source

SIEM Query:

source="arcserve.log" AND (uri_path="/UDPAgent/FileHandlingServlet" AND (param="*../*" OR param="*..\\*"))
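
A log-scanning sketch for the first log indicator above, added here as an example (it is not code from Arcserve or Tenable). It assumes Common Log Format access logs from a proxy in front of the agent; the sample lines and the parameter name `p` are constructed, and it also catches percent-encoded and backslash variants that a literal `../` match misses.

```python
import re
from urllib.parse import unquote

SERVLET = "/UDPAgent/FileHandlingServlet"  # endpoint named in the log indicators
# Assumption: Common Log Format lines, e.g. from a reverse proxy in front of port 8014.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# ".." as a whole path segment, so names like "report..final.txt" do not match.
TRAVERSAL_RE = re.compile(r'(?:^|[/=])\.\.(?:/|&|$)')

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding (%252e -> %2e -> '.')."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_traversal_uploads(lines):
    """Return (source, status, request target) for suspicious POSTs to the servlet."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path, _, query = m["target"].partition("?")
        if fully_decode(path) != SERVLET:
            continue
        # Treat Windows and POSIX separators alike before matching.
        params = fully_decode(query).replace("\\", "/")
        if TRAVERSAL_RE.search(params):
            hits.append((m["src"], m["status"], m["target"]))
    return hits

# Constructed sample lines; "p" is a placeholder parameter name, not the servlet's.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Nov/2023:10:01:02 +0000] "POST /UDPAgent/FileHandlingServlet?p=../../tmp/x.txt HTTP/1.1" 200 12',
    '203.0.113.7 - - [12/Nov/2023:10:01:09 +0000] "POST /UDPAgent/FileHandlingServlet?p=%252e%252e%255cx.txt HTTP/1.1" 200 12',
    '192.0.2.10 - - [12/Nov/2023:10:02:00 +0000] "POST /UDPAgent/FileHandlingServlet?p=report..final.txt HTTP/1.1" 200 12',
    '198.51.100.4 - - [12/Nov/2023:10:03:00 +0000] "GET /index.html?p=../x HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for src, status, target in find_traversal_uploads(SAMPLE_LOG):
        print(f"ALERT src={src} status={status} target={target}")
```

Access logs record only the request line, so parameters sent in a POST body need proxy or WAF request logging to be visible to a check like this.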
