Critical Flaw Exposes ArcServe Backup to Remote Code Execution


A recent adversary simulation conducted by the MDSec ActiveBreach red team uncovered a critical vulnerability in ArcServe UDP Backup software.

Tracked as CVE-2023-26258, the flaw affects versions 7.0 to 9.0 of the software and allows remote code execution (RCE), posing a significant risk to organizations that rely on the software for their backup infrastructure.

“The importance of ensuring the security of backup systems cannot be overstated; it should [...] be perceived with equal, if not greater, significance than operational production systems which it supports,” said Michael Skelton, senior director of security operations at Bugcrowd.

According to the security expert, in the event of a security breach, these backup systems may be specifically targeted for destruction, rendering the production systems unusable.

“This compromising situation could potentially render any form of data recovery and system rebuilding unachievable,” Skelton added.


During the MDSec simulation, security analysts Juan Manuel Fernandez and Sean Doherty identified an authentication bypass flaw that allowed access to the software's administration interface.

By intercepting and modifying a specific HTTP request, attackers could redirect the software to contact an HTTP server under their control, granting unauthorized access.

Once inside, the red team found further techniques for extracting sensitive information, including the administrator password. The combination of the bypass and the subsequent password retrieval underlined the critical need for a security patch.
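The two facts the article gives a defender to work with are the affected version range (7.0 to 9.0) and the fact that the bypass depends on the backup server being redirected to contact an HTTP server outside the organization's control. The script below is an added example, not code from MDSec, ArcServe or the article: it flags inventory hosts whose reported version falls in the stated range, and it scans firewall or proxy logs for outbound HTTP(S) connections from backup servers to destinations missing from an egress allowlist. The host names, IP addresses, version strings and log line format are all constructed for the example; the authoritative statement of which builds are affected is the vendor's advisory, and major.minor comparison here is only a triage heuristic.

```python
"""Triage helpers for the ArcServe UDP issue: version-range check and
egress-allowlist detection. Everything below (hosts, IPs, versions, the
log format) is constructed sample data, not real infrastructure."""
import re

# Affected range as stated in the article, compared on major.minor only.
# Patch-level differences are not considered; consult the vendor advisory.
AFFECTED_MIN = (7, 0)
AFFECTED_MAX = (9, 0)


def parse_version(text):
    """Turn a dotted version string such as '8.1.0' into a tuple of ints."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version):
    """True when major.minor lies within the affected range (inclusive)."""
    major_minor = parse_version(version)[:2]
    return AFFECTED_MIN <= major_minor <= AFFECTED_MAX


def affected_hosts(inventory):
    """Return the sorted host names whose version is in the affected range."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed log format: "<timestamp> src=<ip> dst=<host|ip> dport=<n> proto=<p>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_log_line(line):
    """Parse one constructed egress log line; return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["dport"] = int(event["dport"])
    return event


def unexpected_egress(lines, backup_servers, allowlist):
    """Return events where a backup server opened an HTTP(S) connection to a
    destination that is not on the egress allowlist. Malformed lines are
    skipped rather than raising, so one bad line does not stop the scan."""
    hits = []
    for line in lines:
        event = parse_log_line(line)
        if event is None:
            continue
        if event["src"] not in backup_servers:
            continue
        if event["proto"] not in ("http", "https"):
            continue
        if event["dst"] in allowlist:
            continue
        hits.append(event)
    return hits


# Constructed sample inventory: host -> reported ArcServe UDP version.
INVENTORY = {
    "bkp-01": "8.1.0",
    "bkp-02": "9.0",
    "bkp-03": "9.1",   # constructed value outside the stated range
}

# Constructed: addresses of the backup servers and their permitted HTTP destinations.
BACKUP_SERVERS = {"10.0.5.20", "10.0.5.21"}
EGRESS_ALLOWLIST = {"updates.example.internal", "10.0.5.30"}

# Constructed sample log; 203.0.113.45 is a documentation-range address.
SAMPLE_LOG = """\
2023-06-28T10:15:01Z src=10.0.5.20 dst=10.0.5.30 dport=443 proto=https
2023-06-28T10:15:07Z src=10.0.5.20 dst=203.0.113.45 dport=80 proto=http
2023-06-28T10:15:09Z src=10.0.9.8 dst=203.0.113.45 dport=80 proto=http
2023-06-28T10:15:12Z src=10.0.5.21 dst=updates.example.internal dport=443 proto=https
malformed line that should be skipped
""".splitlines()


if __name__ == "__main__":
    print("hosts in affected version range:", affected_hosts(INVENTORY))
    for hit in unexpected_egress(SAMPLE_LOG, BACKUP_SERVERS, EGRESS_ALLOWLIST):
        print(f"ALERT {hit['ts']}: backup server {hit['src']} contacted "
              f"{hit['dst']}:{hit['dport']} over {hit['proto']}")
```

On the sample data the version check lists bkp-01 and bkp-02, and the egress scan raises exactly one alert, for the backup server that reached an address outside the allowlist. Note that the egress rule is deliberately independent of any request detail: a backup server has a small, known set of legitimate HTTP destinations, so anything else is worth a look regardless of which product flaw caused it.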

“If your data protection solution is architected properly, your backups are ultimately protected with more than one identity source,” commented Brandon Williams, chief technology officer at Conversant Group.

“Backup strategies should ideally prevent access, but also provide immutability, redundancy, recoverability, and resilience – multiple layers of security controls.”

The MDSec team reportedly disclosed the vulnerability to ArcServe on February 2, and after a lengthy process a patch was released on June 27, 2023, addressing the issue. However, concerns were raised about the lack of proper credit given to the security researchers.

Users are strongly advised to update their ArcServe UDP Backup software to the latest version to mitigate the risk of exploitation.
