Data protection vendor Arcserve has patched a critical authentication bypass flaw in its Unified Data Protection (UDP) backup software that could allow attackers on the local network to gain administrator privileges on the backup infrastructure.

According to the company, Arcserve UDP is a data and ransomware protection solution designed to help customers thwart ransomware attacks, restore compromised data, and enable effective disaster recovery to ensure business continuity.

Arcserve released UDP 9.1 to patch the vulnerability (tracked as CVE-2023-26258) on June 27, four months after the bug was discovered and reported by security researchers Juan Manuel Fernandez and Sean Doherty with MDSec’s ActiveBreach Red Team.

“During a recent adversary simulation, Red Team MDSec ActiveBreach [was] running a ransomware scenario, with a key goal set on compromising the organization’s backup infrastructure,” the researchers said.

“A few minutes after analyzing the code, a critical authentication bypass was discovered that allowed access to the administration interface.”

On systems running Arcserve UDP 7.0 through 9.0, an attacker positioned on the local network can obtain a valid administrator session for the UDP administration interface by capturing SOAP requests that carry the AuthUUID value. From there, the stored administrator credentials can be recovered and decrypted, since they are protected only by easily reversible encryption.

Administrator credentials could allow hackers to destroy targets’ data by erasing backups during ransomware attacks.


MDSec ActiveBreach researchers added that a default MSSQL database credential pair could also be used to obtain administrator credentials on servers that have already been patched against CVE-2023-26258 but still run with the default configuration.

MDSec also shared proof-of-concept exploits and tools that can be used to find Arcserve UDP instances with the default configuration on local networks, as well as to recover and decrypt credentials by exploiting the authentication bypass in the management interface.

“If the attacker is positioned on the local network, scans can be performed to find instances using default configurations using ArcServeRadar.py,” MDSec explains.

“Finally, if the ArcServe version has not been patched (CVE-2023-26258) it is possible to exploit an authentication bypass in the management web interface and recover admin credentials (ArcServe-exploit.py). All passwords recovered by the tools can be decrypted using ArcServeDecrypter.exe.”

While MDSec exchanged over a dozen messages with the Arcserve team during the disclosure process and was asked how it wanted to be credited, the last line of the disclosure timeline shared at the end of the report says: “ArcServe releases patch without credits.”

Arcserve says its data protection products help protect the data of approximately 235,000 customers in 150 countries.
