Arcserve, a prominent provider of Unified Data Protection (UDP) solutions, recently addressed critical security concerns after Tenable researchers identified and publicized vulnerabilities within its UDP software. These vulnerabilities, including CVE-2023-41998, CVE-2023-41999, and CVE-2023-42000, posed severe threats to enterprise data protection systems. The most concerning vulnerability, CVE-2023-41998, lies within the com.ca.arcflash.rps.webservice.RPSService4CPMImpl interface.
Exploiting this flaw could allow remote, unauthenticated attackers to upload and execute arbitrary files via a routine within the interface. Tenable researchers explained that a malicious actor could trigger a method to download a zip file from a controlled URL, which, upon decompression, executes an extracted EXE file with the same name as the zip file, potentially leading to unauthorized code execution. Another critical flaw, CVE-2023-41999, affects the management console, enabling unauthenticated remote attackers to obtain valid authentication UUIDs, potentially accessing administrative credentials.
Additionally, CVE-2023-42000 exposes a path traversal vulnerability, empowering unauthenticated attackers to upload files to any location within the file system where the UDP agent operates. Arcserve swiftly responded by urging immediate upgrades to version 9.2, offering manual patches for older supported versions like 9.1, 8.1, and 7.0 Update 2 to mitigate these serious security risks and protect enterprises utilizing their UDP solution.
Read more
