Arcserve Unified Data Protection Remote Code Execution

Product: Arcserve Unified Data Protection
Severity: High
CVE Reference: CVE-2016-9927
Type: Remote Code Execution

Description

The Arcserve Unified Data Protection (UDP) suite provides data protection for critical data and applications. The suite protects data stored in cloud, virtual and physical infrastructure and supports configuration and management of all aspects of data protection through a single user console.

The Arcserve UDP installation on Microsoft Windows was found to expose an unauthenticated JMX/RMI service on the underlying system's network interface. An adversary with network access may abuse this service and achieve arbitrary remote code execution with administrative privileges on the target host.

Impact

An attacker may achieve arbitrary code execution with the privileges of the user running UDP on the remote system. By default the service runs with “SYSTEM” privileges on a Microsoft Windows operating system and thus an adversary may gain complete control of the host.

Cause

The default installation of the UDP console versions 5 and 6 on Microsoft Windows exposes a JMX endpoint that is enabled by default and does not require authentication.
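
A defender-side check for the condition described above, as an added example that is not part of the advisory or of Arcserve's code: it audits JVM command lines for a remote JMX connector started without authentication. It assumes the endpoint is configured through the standard `com.sun.management.jmxremote.*` system properties, which the advisory does not state; the sample command lines, paths and port 9999 are constructed.

```python
import re

# Standard HotSpot JMX agent properties: -Dcom.sun.management.jmxremote[.name][=value]
JMX_OPT = re.compile(r'-Dcom\.sun\.management\.jmxremote(?:\.([A-Za-z.]+))?(?:=([^\s"]*))?')

def parse_jmx_options(cmdline):
    """Map JMX agent option name -> lower-cased value for one JVM command line."""
    return {(m.group(1) or ""): (m.group(2) or "").lower()
            for m in JMX_OPT.finditer(cmdline)}

def audit(cmdline):
    """Return findings for a JVM that starts a weakly protected remote JMX connector."""
    opts = parse_jmx_options(cmdline)
    port = opts.get("port")
    if not port:
        return []  # no remote connector requested on this command line
    findings = []
    # With a port set, the JVM defaults to authenticate=true and ssl=true,
    # so only an explicit "false" weakens the connector.
    if opts.get("authenticate", "true") == "false":
        findings.append(f"port {port}: remote JMX accepts unauthenticated clients")
    if opts.get("ssl", "true") == "false":
        findings.append(f"port {port}: remote JMX traffic is not protected by TLS")
    return findings

# Constructed sample command lines (not taken from an Arcserve installation).
SAMPLES = {
    "open": r'"C:\Java\bin\java.exe" -Dcom.sun.management.jmxremote.port=9999 '
            r'-Dcom.sun.management.jmxremote.authenticate=false '
            r'-Dcom.sun.management.jmxremote.ssl=false -jar service.jar',
    "hardened": r'java -Dcom.sun.management.jmxremote.port=9999 '
                r'-Dcom.sun.management.jmxremote.authenticate=true '
                r'-Dcom.sun.management.jmxremote.password.file=C:\conf\jmx.password '
                r'-Dcom.sun.management.jmxremote.ssl=true -jar service.jar',
    "defaults": "java -Dcom.sun.management.jmxremote.port=9999 -jar service.jar",
    "local_only": "java -Dcom.sun.management.jmxremote -jar service.jar",
}

if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        print(name, audit(cmd) or "ok")
```

The same properties can also be set in a JVM `management.properties` file, which this check does not read.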

Interim Workaround

Please see the attached advisory PDF for an interim workaround for users unable to update to the latest version.

Solution

Users of Arcserve UDP 5 and 6 should upgrade to version 6.5. 

Technical details

Please see the attached advisory PDF for technical details.

Disclosure Timeline

Date Summary
2016-11-25 Issue reported to vendor
2016-11-30 Vendor acknowledged the issue
2016-12-14 Vendor published interim workaround for the issue 
2017-01-31 Updated version including the patch was released
2017-03-17 Advisory published