Arcserve Unified Data Protection Remote Code Execution
Apostolos Mastoris
Published: 17 Mar 2017
CVE-2016-9927
2016-11-25 | Issue reported to vendor
2016-11-30 | Vendor acknowledged the issue
2016-12-14 | Vendor published interim workaround for the issue
2017-01-31 | Updated version including the patch was released
2017-03-17 | Advisory published
The Arcserve Unified Data Protection (UDP) suite provides data protection for critical data and applications. It protects data stored in cloud, virtual and physical infrastructure, and supports configuring and managing all aspects of data protection through a single user console.
The Arcserve UDP installation on Microsoft Windows was found to expose an unauthenticated JMX/RMI service on the underlying system’s network interface. An adversary with network access may abuse this service to achieve arbitrary remote code execution with administrative privileges on the target host.
An attacker may achieve arbitrary code execution with the privileges of the user running UDP on the remote system. By default the service runs with “SYSTEM” privileges on a Microsoft Windows operating system and thus an adversary may gain complete control of the host.
The default installation of the UDP console, versions 5 and 6, on Microsoft Windows exposes a JMX endpoint that is enabled by default and does not require authentication.
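The following audit check is an added example, not code from the advisory or from Arcserve. It assumes the JMX endpoint is enabled through the standard JVM `com.sun.management.jmxremote.*` system properties and flags a command line that opens a remote JMX port with authentication or TLS switched off; the sample command lines are constructed.

```python
PREFIX = "-Dcom.sun.management.jmxremote"

def jmx_properties(jvm_args):
    """Map each jmxremote property suffix ('' for the bare flag) to its value."""
    props = {}
    for token in jvm_args.split():
        token = token.strip('"')          # tolerate quoted -D options
        if not token.startswith(PREFIX):
            continue
        name, _, value = token[len(PREFIX):].partition("=")
        props[name.lstrip(".")] = value
    return props

def audit_jmx(jvm_args):
    """Return a list of findings; an empty list means no weak remote JMX setting."""
    props = jmx_properties(jvm_args)
    if "port" not in props:
        return []  # no remote connector requested through these properties
    findings = []
    # Both settings default to "true" when omitted, so only an explicit
    # "false" weakens the remote connector.
    if props.get("authenticate", "true").lower() == "false":
        findings.append(f"JMX port {props['port']}: authentication disabled")
    if props.get("ssl", "true").lower() == "false":
        findings.append(f"JMX port {props['port']}: TLS disabled")
    return findings

# Constructed sample command lines (not taken from an Arcserve installation).
WEAK = ("java -Dcom.sun.management.jmxremote.port=9999 "
        "-Dcom.sun.management.jmxremote.authenticate=false "
        "-Dcom.sun.management.jmxremote.ssl=false -jar app.jar")
HARDENED = ("java -Dcom.sun.management.jmxremote.port=9999 "
            "-Dcom.sun.management.jmxremote.authenticate=true "
            "-Dcom.sun.management.jmxremote.password.file=jmx.password "
            "-Dcom.sun.management.jmxremote.ssl=true -jar app.jar")

if __name__ == "__main__":
    for label, args in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_jmx(args) or "no findings")
```

Run it against the command lines of the Java processes on a host; any finding should be paired with a check of which interfaces the port is reachable from.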
Please see the attached advisory PDF for an interim workaround for users unable to update to the latest version.
Users of Arcserve UDP 5 and 6 should upgrade to version 6.5.
Please see the attached advisory PDF for technical details.