Arcserve Unified Data Protection Remote Code Execution
CVE-2016-9927
Description
The Arcserve Unified Data Protection (UDP) suite provides data protection for critical data and applications. It protects data stored in cloud, virtual and physical infrastructure and supports configuration and management of all aspects of data protection through a single user console.
The Arcserve UDP installation on Microsoft Windows was found to expose an unauthenticated JMX/RMI service on the underlying system's network interface. An adversary with network access may abuse this service to achieve arbitrary remote code execution with administrative privileges on the target host.
Impact
An attacker may achieve arbitrary code execution with the privileges of the user running UDP on the remote system. By default the service runs with “SYSTEM” privileges on a Microsoft Windows operating system and thus an adversary may gain complete control of the host.
Cause
The default installation of the UDP console versions 5 and 6 on Microsoft Windows exposes a JMX endpoint that is enabled by default and does not require authentication.
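A configuration audit for the condition described above, added here as an example; it is not part of the original advisory and is not Arcserve code. It assumes the JMX agent is configured through the standard JVM com.sun.management.jmxremote.* system properties, which the advisory does not state; the command lines, paths and port 9999 are constructed samples.

```python
import shlex

PREFIX = "com.sun.management.jmxremote"

# Constructed sample command lines (not taken from a real UDP installation).
WEAK = (r'"C:\Program Files\Example\jre\bin\java.exe" '
        "-Dcom.sun.management.jmxremote.port=9999 "
        "-Dcom.sun.management.jmxremote.authenticate=false "
        "-Dcom.sun.management.jmxremote.ssl=false -jar service.jar")
HARDENED = (r'"C:\Program Files\Example\jre\bin\java.exe" '
            "-Dcom.sun.management.jmxremote.port=9999 "
            "-Dcom.sun.management.jmxremote.authenticate=true "
            "-Dcom.sun.management.jmxremote.ssl=true -jar service.jar")


def jmx_properties(command_line):
    """Collect -Dcom.sun.management.jmxremote* options from a JVM command line."""
    props = {}
    # posix=False keeps Windows backslashes intact instead of treating them as escapes.
    for token in shlex.split(command_line, posix=False):
        token = token.strip('"')
        if not token.startswith("-D" + PREFIX):
            continue
        key, _, value = token[2:].partition("=")
        props[key] = value.strip('"').lower()
    return props


def audit_jmx(command_line):
    """Return findings for a remote JMX connector that lacks authentication or SSL."""
    props = jmx_properties(command_line)
    port = props.get(PREFIX + ".port")
    if not port:
        return []  # no remote connector requested through these properties
    findings = []
    # JVM defaults are authenticate=true and ssl=true; only an explicit
    # "false" turns the protection off.
    if props.get(PREFIX + ".authenticate", "true") == "false":
        findings.append(f"port {port}: authentication disabled")
    if props.get(PREFIX + ".ssl", "true") == "false":
        findings.append(f"port {port}: SSL disabled")
    return findings


if __name__ == "__main__":
    for name, cmd in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_jmx(cmd) or "no findings")
```

The same function can be fed the command line of each running Java process on a host, as reported by the operating system's process listing.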
Interim Workaround
Please see the attached advisory PDF for an interim workaround for users unable to update to the latest version.
Solution
Users of Arcserve UDP 5 and 6 should upgrade to version 6.5.
Technical details
Please see the attached advisory PDF for technical details.