NHS England Digital Warns of Exploited Vulnerabilities in Arcserve UDP

Recently, NHS England Digital issued an urgent cybersecurity alert following the discovery and remediation of critical vulnerabilities within Arcserve’s Unified Data Protection (UDP) platform. This alert comes in the wake of potential exploitation attempts and the availability of a proof-of-concept (PoC) exploit, signaling a significant risk to organizations relying on this widely utilized enterprise backup and disaster recovery solution.

Unveiling the Vulnerabilities

The critical security flaws, identified as CVE-2024-0799, CVE-2024-0800, and CVE-2024-0801, were patched by Arcserve in March following their discovery. These vulnerabilities directly impact the UDP Console, a central component of the UDP system:

• CVE-2024-0799 (CVSS 9.8): An authentication bypass vulnerability that allows an unauthenticated attacker to send a POST HTTP message without a password parameter to the /management/wizardLogin endpoint, granting unauthorized access to perform tasks within the UDP Console.
• CVE-2024-0800 (CVSS 8.8): A path traversal flaw that authenticated attackers can exploit to upload arbitrary files to any directory on the system where the UDP Console is installed. This vulnerability becomes particularly dangerous when chained with CVE-2024-0799, enabling unauthenticated file uploads under the security context of the SYSTEM account.
• CVE-2024-0801 (CVSS 7.5): Allows unauthenticated attackers to trigger a software process termination, leading to a denial of service.

These vulnerabilities were disclosed by Tenable researchers who also published proof-of-concept (PoC) exploit scripts demonstrating how these flaws could be exploited in an attack, accentuating the severity and actionable nature of these security gaps.

Exploitation Attempts and Cybersecurity Implications

Screenshot from NHK site

According to the cyber alert from NHS England Digital, there have been reports of potential exploitation attempts, which could have severe implications for organizations. The ability to upload malicious files and disrupt system operations can lead to data breaches, loss of sensitive data, and significant downtime for critical systems.

Patch and Mitigation Strategies

Arcserve has responded to these vulnerabilities by releasing security patches for UDP versions 9.2 and 8.1. NHS England Digital strongly advises all organizations utilizing the UDP console to apply these updates immediately to mitigate the risk of exploitation. The alert highlights the availability of these patches and the urgent need for systems administrators to secure their installations against potential attacks.