Digital Defense discloses four previously undisclosed vulnerabilities within the Arcserve Unified Data Protection platform. The vulnerabilities can open the door for potential compromise of sensitive data through access to credentials, phishing attacks and the ability for a hacker to read files without authentication from the hosting system.
DDI-VRT-2018-18 - Unauthenticated Sensitive Information Disclosure via /gateway/services/EdgeServiceImpl
DDI-VRT-2018-19 - Unauthenticated XXE in /management/UdpHttpService
DDI-VRT-2018-20 - Unauthenticated Sensitive Information Disclosure via /UDPUpdates/Config/FullUpdateSettings.xml
DDI-VRT-2018-21 - Reflected Cross-site Scripting via /authenticationendpoint/domain.jsp
Unified Data Protection (UDP) is vulnerable to two unauthenticated information disclosures and an XML external entity (XXE) injection that an attacker could use to obtain database and other credentials and to read files on the system hosting the UDP application without authenticating. Additionally, UDP is vulnerable to reflected cross-site scripting (XSS), which could be used for phishing.
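Because three of the four issues are reachable without authentication, the most useful immediate control while the fix is being rolled out is visibility: which sources are hitting the affected endpoints. The following is an added example (not code from Digital Defense or Arcserve) that scans web server access logs for requests to the four paths named in this advisory and tallies them per source address. It assumes the Combined Log Format of a reverse proxy in front of the UDP Console; the log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# The four endpoints named in this advisory, mapped to their DDI identifiers.
WATCHED_PATHS = {
    "/gateway/services/EdgeServiceImpl": "DDI-VRT-2018-18 information disclosure",
    "/management/UdpHttpService": "DDI-VRT-2018-19 XXE",
    "/UDPUpdates/Config/FullUpdateSettings.xml": "DDI-VRT-2018-20 information disclosure",
    "/authenticationendpoint/domain.jsp": "DDI-VRT-2018-21 reflected XSS",
}

# Assumption: Combined Log Format (Apache/nginx default). Adjust for your proxy.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Sep/2018:10:01:02 +0000] "GET /gateway/services/EdgeServiceImpl HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Sep/2018:10:01:05 +0000] "POST /management/UdpHttpService HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Sep/2018:10:02:30 +0000] "GET /authenticationendpoint/domain.jsp?domain=example HTTP/1.1" 200 921 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Sep/2018:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 3021 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Sep/2018:10:03:01 +0000] "GET /static/app.js HTTP/1.1" 304 0 "-" "Mozilla/5.0"',
]


def classify(path):
    """Return the advisory label for a request path, ignoring any query string."""
    base = path.split("?", 1)[0]
    return WATCHED_PATHS.get(base)


def scan(lines):
    """Yield one finding per request that touches an affected endpoint."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than guess
        label = classify(m["path"])
        if label is None:
            continue
        findings.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "method": m["method"],
            "path": m["path"],
            "status": int(m["status"]),
            "issue": label,
            # A query string on domain.jsp is where reflected input would arrive.
            "has_query": "?" in m["path"],
        })
    return findings


def summarize(findings):
    """Count findings per source address, the view an analyst triages first."""
    per_ip = defaultdict(int)
    for f in findings:
        per_ip[f["ip"]] += 1
    return dict(per_ip)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["issue"]}')
    print(summarize(hits))
```

Successful (200) responses to the first three endpoints from addresses outside the backup administration network are the events to escalate, since those endpoints require no session to serve the data described above; hits on domain.jsp with a query string warrant a look at what was reflected back to the browser.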
Arcserve has provided fixes. A patch is available for download from Arcserve for hosts running UDP Console at: https://support.arcserve.com/s/article/Security-vulnerabilities-with-Arcserve-UDP-and-fixes-for-them?language=en_US
For the standalone gateway, manual fix application instructions are provided at: https://support.arcserve.com/s/article/360001392563?language=en_US
Affected Systems / Software (with versions)
Arcserve UDP 6.5 update 4