NHS Digital hints at exploit sightings of Arcserve UDP vulns

Summary: The UK’s NHS is warning of active exploitation of vulnerabilities in Arcserve Unified Data Protection (UDP) software, which were disclosed in March and had proof of concept exploit code released shortly after.

Threat Actor: Unknown threat actor
Affected Product: Arcserve Unified Data Protection (UDP)
Victim: Organizations running Arcserve UDP (warning issued by the UK’s National Health Service (NHS))

Key Points:

  • The NHS has warned organizations about the active exploitation of vulnerabilities in Arcserve UDP software.
  • The vulnerabilities were disclosed in March and proof of concept exploit code was released shortly after.
  • The NHS strongly encourages organizations to apply the patches provided by Arcserve to mitigate the risk.
  • Possible exploitation attempts of Arcserve UDP were observed following the release of the proof of concept code.

The UK’s NHS is warning of the possibility that vulnerabilities in Arcserve Unified Data Protection (UDP) software are being actively exploited.

Tenable, which reported the three bugs to Arcserve, disclosed them in March and published proof of concept (PoC) exploit code the day after disclosure. Once PoC code is public, it rarely takes long before attackers try to abuse it.

The NHS hasn’t offered any details of the data it has seen that indicates possible exploitation, but has “strongly encouraged” organizations to apply the patches as set out in Arcserve’s advisory.

The NHS published its updated alert on May 9, but also said that possible exploitation attempts of Arcserve UDP followed soon after the proof of concept code was published. It’s not clear exactly when these possible attacks began.

The Register asked Arcserve whether it was aware of the exploit attempts and if customers had been alerted, but it didn’t immediately respond.

Arcserve UDP is a widely used data protection and disaster recovery solution, and there was a good deal of fuss made over the March vulnerabilities at the time.

  • CVE-2024-0799 (CWE-287) (9.8 CVSSv3) – an authentication bypass vulnerability that allowed attackers to perform privileged actions within the software

  • CVE-2024-0800 (CWE-434) (8.8 CVSSv3) – a path traversal bug allowing attackers to upload malicious files with SYSTEM privileges

  • CVE-2024-0801 (severity not yet assessed by NVD) – a denial of service vulnerability
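As an added illustration of the bug class behind CVE-2024-0800 (a path traversal in an upload handler, CWE-434), the following Python shows a vulnerable destination calculation beside a hardened one. This is example code written for this page; it is not Arcserve’s code and says nothing about how Arcserve UDP’s handler is actually implemented. The upload directory, file names and helper names are constructed assumptions for the example.

```python
"""Added example (not Arcserve's code): the path-traversal-in-upload bug class,
vulnerable destination calculation beside a hardened one.
All paths and names are constructed for the example."""
import posixpath
from typing import Optional

UPLOAD_ROOT = "/var/app/uploads"  # assumed upload directory (constructed for the example)


def destination_vulnerable(root: str, client_name: str) -> str:
    """Vulnerable: trusts the client-supplied name verbatim.

    posixpath.join discards `root` when the second argument is absolute, and
    normalisation turns '..' segments into an escape from `root`.
    Returns the path the handler would actually write to.
    """
    return posixpath.normpath(posixpath.join(root, client_name))


def destination_hardened(root: str, client_name: str) -> Optional[str]:
    """Hardened: returns the safe destination, or None if the name is rejected.

    Two independent layers: (1) syntactic rejection of anything that is not a
    single plain file name, (2) a containment check on the normalised result so
    that a later change to layer 1 cannot silently reopen the hole.
    Validating the file *content* (the CWE-434 half of the problem) is a
    separate control and is not shown here.
    """
    # Layer 1: a bare file name only. No separators (either flavour), no
    # parent references, no NUL bytes (which truncate names in C-level APIs).
    if (not client_name
            or "/" in client_name or "\\" in client_name
            or "\x00" in client_name
            or client_name in (".", "..")):
        return None
    # Layer 2: the normalised path must still sit inside the upload root.
    root_norm = posixpath.normpath(root)
    dest = posixpath.normpath(posixpath.join(root_norm, client_name))
    if posixpath.commonpath([root_norm, dest]) != root_norm:
        return None
    return dest


def escapes_root(root: str, dest: str) -> bool:
    """True if `dest` lies outside `root`; used to show what the vulnerable path does."""
    root_norm = posixpath.normpath(root)
    return posixpath.commonpath([root_norm, dest]) != root_norm


if __name__ == "__main__":
    # Constructed sample inputs: a benign name, a traversal name and an absolute name.
    for name in ("backup.bin", "../../etc/cron.d/job", "/etc/passwd"):
        vuln = destination_vulnerable(UPLOAD_ROOT, name)
        print(f"{name!r:24} vulnerable -> {vuln!r:28} "
              f"escapes={escapes_root(UPLOAD_ROOT, vuln)}  "
              f"hardened -> {destination_hardened(UPLOAD_ROOT, name)!r}")
```

The point of the second layer is that a containment check on the normalised path catches traversal even if someone later relaxes the name filter to allow subdirectories; the two checks fail independently. When the service runs as SYSTEM, as the advisory text for CVE-2024-0800 implies, any escape from the upload root is a write anywhere on the host, which is why the first check rejects separators outright rather than trying to sanitise them.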

Tenable assesses the threat presented by all three to be “critical,” per its PoC article, while the NHS deems it “medium” severity.

The Centre for Cybersecurity Belgium (CCB) sides more with Tenable’s attitude. In big, colorful, all-caps lettering at the top of its own advisory, CCB says: “WARNING: THREE VULNERABILITIES IN ARCSERVE UDP SOFTWARE DEMAND URGENT ACTION, PATCH IMMEDIATELY!”

It said if successfully exploited, the vulnerabilities could lead to follow-on crimes such as data theft, ransomware attacks, and sabotaged backups – perhaps all in one fell swoop.

“The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion,” it added.

“While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.” ®

Source: https://www.theregister.com/2024/05/14/nhs_arcserve_udp

