|Product||Arcserve Unified Data Protection|
|Type||Remote Code Execution|
Arcserve Unified Data Protection (UDP) suite provides functionality for data protection for critical data and applications. The suite protects data stored in cloud, virtual and physical infrastructure and supports configuration and management of all aspects of data protection through a single user console.
Arcserve UDP installation on Microsoft Windows was found to expose an unauthenticated JMX/RMI service on the underlying system's network interface. An adversary with network access may abuse this service and achieve arbitrary remote code execution with administrative privileges on the target host.
An attacker may achieve arbitrary code execution with the privileges of the user running UDP on the remote system. By default the service runs with “SYSTEM” privileges on a Microsoft Windows operating system and thus an adversary may gain complete control of the host.
The default installation of the UDP console version 5 and 6 on Microsoft Windows exposes a JMX endpoint enabled by default that does not require authentication.
Please see attached advisory PDF for an interim workaround for users unable to update to the latest version.
Users of Arcserve UDP 5 and 6 should upgrade to version 6.5.
Please see attached advisory PDF for technical details.
|2016-11-25||Issue reported to vendor|
|2016-11-30||Vendor acknowledged the issue|
|2016-12-14||Vendor published interim workaround for the issue|
|2017-01-31||Updated version including the patch was released|