You patch my back(up) and I'll patch yours... Arcserve bugs burrow remotely exploited holes in UDP storage systems

Updates urged for serious web services vulnerabilities


Companies running Arcserve Unified Data Protection to manage their backups and archives are being advised to update their software after bug hunters discovered four remotely exploitable security vulnerabilities.

Researchers with Digital Defense this month identified four holes that, if exploited via a phishing attack or malicious webpage, would allow an attacker to lift credentials or access data stored in the UDP data archiving and recovery system via its web services components.

The Digital Defense crew said the bug bundle consists of two different information disclosure flaws (one in /gateway/services/EdgeServiceImpl and the other via /UDPUpdates/Config/FullUpdateSettings.xml), a cross-site scripting vulnerability (in /authenticationendpoint/domain.jsp), and an XML External Entity flaw that could allow data disclosure via /management/UdpHttpService.


"The vulnerabilities can open the door for potential compromise of sensitive data through access to credentials, phishing attacks and the ability for a hacker to read files without authentication from the hosting system," Digital Defense explained.

The vulnerabilities are only present in the Web Services components of the UDP Console and UDP Gateway – the two tools used by admins to access and manage backup archives. Machines running the UDP Recovery Point Server and UDP Agent software are not affected.
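A log-triage sketch for the four endpoints named above, added here as an example and not taken from Digital Defense or Arcserve. It assumes the Console or Gateway web server writes Common/Combined Log Format access logs and that admins connect from known networks; the `admin_nets` allowlist and the sample lines are constructed.

```python
import ipaddress
import re
from urllib.parse import unquote

# Endpoint paths and flaw classes as listed in the article (lower-cased for matching).
WATCHED = {
    "/gateway/services/edgeserviceimpl": "information disclosure",
    "/udpupdates/config/fullupdatesettings.xml": "information disclosure",
    "/authenticationendpoint/domain.jsp": "cross-site scripting",
    "/management/udphttpservice": "XML external entity",
}
# Assumption: Common/Combined Log Format; the real product's log layout may differ.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def normalise(target):
    """Canonicalise a request target so encoded, odd-cased or padded paths still match."""
    path = target.split("?", 1)[0]          # drop the query string
    path = re.sub(r";[^/]*", "", path)      # drop ;path parameters
    path = re.sub(r"/{2,}", "/", unquote(path))
    return path.rstrip("/").lower()

def triage(lines, admin_nets):
    """Return (client, method, path, flaw, status) for watched hits from outside admin_nets."""
    nets = [ipaddress.ip_network(n) for n in admin_nets]
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        client, method, target, status = m.groups()
        path = normalise(target)
        if path not in WATCHED:
            continue
        try:
            addr = ipaddress.ip_address(client)
        except ValueError:
            addr = None                     # hostname logged: treat as unknown source
        if addr is not None and any(addr in n for n in nets):
            continue
        findings.append((client, method, path, WATCHED[path], int(status)))
    return findings

# Constructed sample lines (documentation address ranges, made-up timestamps).
SAMPLE = [
    '10.0.5.20 - admin [12/Oct/2018:09:14:02 +0000] "GET /management/UdpHttpService HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Oct/2018:09:15:40 +0000] "POST /management/UdpHttpService HTTP/1.1" 200 2048',
    '203.0.113.7 - - [12/Oct/2018:09:15:44 +0000] "GET /UDPUpdates/Config/%46ullUpdateSettings.xml HTTP/1.1" 200 901',
    '198.51.100.9 - - [12/Oct/2018:09:16:01 +0000] "GET //authenticationendpoint/domain.jsp?x=1 HTTP/1.1" 200 300',
    '198.51.100.9 - - [12/Oct/2018:09:16:05 +0000] "GET /index.html HTTP/1.1" 200 100',
]
```

A hit is only a lead for review: legitimate console use also touches some of these paths, which is why the allowlist filter comes first.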

Fortunately for Arcserve customers, Digital Defense said it privately disclosed the vulnerability, and Arcserve has already put out a patch. Those running UDP 6.5 Update 4 and Update 3 can download the fixes directly from Arcserve, while companies using UDP on a standalone gateway will still need to manually install the patch on those boxes. ®


Biting the hand that feeds IT © 1998–2022