You patch my back(up) and I'll patch yours... Arcserve bugs burrow remotely exploited holes in UDP storage systems

Companies running Arcserve Unified Data Protection to manage their backups and archives are being advised to update their software after bug hunters discovered four remotely exploitable security vulnerabilities.

Researchers with Digital Defense identified this month four holes that, if exploited via a phishing attack or malicious webpage, would allow an attacker to lift credentials or access data stored in the UDP data archiving and recovery system via its web services components.

The Digital Defense crew said the bug bundle consists of two different information disclosure flaws (one in /gateway/services/EdgeServiceImpl and the other via /UDPUpdates/Config/FullUpdateSettings.xml), a cross-site scripting vulnerability (in /authenticationendpoint/domain.jsp), and an XML External Entity flaw that could allow data disclosure via /management/UdpHttpService.

"The vulnerabilities can open the door for potential compromise of sensitive data through access to credentials, phishing attacks and the ability for a hacker to read files without authentication from the hosting system," Digital Defense explained.

The vulnerabilities are only present in the Web Services components of the UDP Console and UDP Gateway – the two tools used by admins to access and manage backup archives. Machines running the UDP Recovery Point Server and UDP Agent software are not affected.

Fortunately for Arcserve customers, Digital Defense said it privately disclosed the vulnerability, and Arcserve has already put out a patch. Those running UDP 6.5 Update 4 and Update 3 can download the fixes firectly from Arcserve, while companies using UDP on a standalone gateway will still need to manually install the patch on those boxes. ®