Arcserve Unified Data Protection Remote Code Execution

CVE-2016-9927

Type: Remote Code Execution
Severity: High
Affected products: Arcserve Unified Data Protection
CVE Reference: CVE-2016-9927
Timeline
2016-11-25  Issue reported to vendor
2016-11-30  Vendor acknowledged the issue
2016-12-14  Vendor published interim workaround for the issue
2017-01-31  Updated version including the patch was released
2017-03-17  Advisory published

Description

The Arcserve Unified Data Protection (UDP) suite provides data protection for critical data and applications. It protects data stored in cloud, virtual and physical infrastructure, and supports configuration and management of all aspects of data protection through a single user console.

The Arcserve UDP installation on Microsoft Windows was found to expose an unauthenticated JMX/RMI service on the host's network interfaces. An adversary with network access to this service can abuse it to achieve arbitrary remote code execution with administrative privileges on the target host.
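The following is an added detection example, not code from the advisory or from Arcserve. It speaks the Java RMI wire protocol (JRMP) directly from Python to confirm that a TCP port is an RMI registry and that a JMX connector stub is bound under a given name, which is how an exposed JMX/RMI service of the kind described above is identified on the network without a Java runtime. The registry port and the binding name "jmxrmi" are assumptions: the advisory does not state them, and "jmxrmi" is only the conventional name used by the JDK's built-in JMX agent. The block identifies the service; whether authentication is actually enforced is then confirmed by connecting with an ordinary JMX client (for example jconsole) without credentials, which this block does not do.

```python
"""Probe a TCP port for a Java RMI registry and check whether a JMX
connector is bound under a given name, by speaking the JRMP wire
protocol directly.  Added example; not Arcserve code.  The port and the
binding name "jmxrmi" are assumptions, not facts from the advisory."""
import socket
import struct

# JRMP constants from the Java RMI wire protocol specification
JRMI_MAGIC = b"JRMI"
JRMI_VERSION = 2
STREAM_PROTOCOL = 0x4B
PROTOCOL_ACK = 0x4E
MSG_CALL = 0x50
MSG_RETURN = 0x51
# Interface hash of java.rmi.registry.Registry (used by RegistryImpl_Stub)
REGISTRY_INTERFACE_HASH = 0x44154DC9D4E63BDF
OPNUM_LOOKUP = 2  # Registry.lookup(String)
# Class names that a serialized lookup reply may carry
JMX_STUB_CLASS = b"javax.management.remote.rmi.RMIServerImpl_Stub"
NOT_BOUND_EXC = b"java.rmi.NotBoundException"


def build_handshake() -> bytes:
    """Client hello: magic, protocol version, StreamProtocol."""
    return JRMI_MAGIC + struct.pack(">HB", JRMI_VERSION, STREAM_PROTOCOL)


def parse_protocol_ack(data: bytes):
    """Parse the server's ProtocolAck: 0x4E, UTF host (2-byte length prefix),
    4-byte port.  Returns (host, port), or None if this is not RMI."""
    if len(data) < 3 or data[0] != PROTOCOL_ACK:
        return None
    hlen = struct.unpack(">H", data[1:3])[0]
    if len(data) < 3 + hlen + 4:
        return None
    host = data[3:3 + hlen].decode("utf-8", "replace")
    port = struct.unpack(">I", data[3 + hlen:7 + hlen])[0]
    return host, port


def build_client_endpoint(host: str = "127.0.0.1", port: int = 0) -> bytes:
    """Second handshake step: the client reports its own endpoint."""
    h = host.encode("utf-8")
    return struct.pack(">H", len(h)) + h + struct.pack(">I", port)


def build_lookup_call(name: str) -> bytes:
    """JRMP Call message invoking Registry.lookup(name) on the registry's
    well-known ObjID 0.  Primitives travel in a TC_BLOCKDATA record of an
    ObjectOutputStream; the String argument follows as TC_STRING."""
    objid = struct.pack(">qiqh", 0, 0, 0, 0)          # objNum=0, UID(0,0,0)
    body = objid + struct.pack(">iq", OPNUM_LOOKUP, REGISTRY_INTERFACE_HASH)
    n = name.encode("utf-8")
    return (bytes([MSG_CALL])
            + b"\xac\xed\x00\x05"                     # stream magic + version
            + b"\x77" + bytes([len(body)]) + body     # TC_BLOCKDATA, 34 bytes
            + b"\x74" + struct.pack(">H", len(n)) + n)  # TC_STRING name


def classify_lookup_reply(data: bytes) -> str:
    """Classify the serialized Return message for the lookup."""
    if not data or data[0] != MSG_RETURN:
        return "not-rmi"
    if JMX_STUB_CLASS in data:
        return "jmx-connector"   # a JMX RMI connector is bound under that name
    if NOT_BOUND_EXC in data:
        return "not-bound"       # RMI registry, but no such binding
    return "other-remote"


def probe(host: str, port: int, name: str = "jmxrmi", timeout: float = 5.0) -> dict:
    """Run the handshake and lookup against host:port over a real socket."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_handshake())
        ack = parse_protocol_ack(s.recv(1024))
        if ack is None:
            return {"rmi": False}
        s.sendall(build_client_endpoint())
        s.sendall(build_lookup_call(name))
        reply = s.recv(65536)
    return {"rmi": True, "server_view": ack, "binding": classify_lookup_reply(reply)}


if __name__ == "__main__":
    import sys
    # Usage: python probe.py <host> <port>  (port is an assumption; see above)
    print(probe(sys.argv[1], int(sys.argv[2])))
```

A result of `"binding": "jmx-connector"` means the host is offering a JMX RMI connector to anyone who can reach the port; the next step is a credential-less connection attempt with a JMX client, and a success there is the condition this advisory describes. The single `recv` calls are adequate for a registry reply of a few hundred bytes but should be replaced with a length-aware read loop in a production scanner.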

Impact

An attacker may achieve arbitrary code execution with the privileges of the user running UDP on the remote system. By default the service runs as "SYSTEM" on Microsoft Windows, so an adversary may gain complete control of the host.

Cause

The default installation of the UDP console, versions 5 and 6, on Microsoft Windows enables a JMX endpoint that does not require authentication.

Interim Workaround

Please see the attached advisory PDF for an interim workaround for users unable to update to the latest version.

Solution

Users of Arcserve UDP 5 and 6 should upgrade to version 6.5. 

Technical details

Please see the attached advisory PDF for technical details.